User Cannot See the Job that was launched by themselves.

[vi-patel]

ISSUE TYPE

• Bug Report

COMPONENT NAME

• API
• UI

SUMMARY

User that launched a job, cannot see the job in the following scenario:

1. I created a user X that is an Admin of a created organization, and the Admin gave privileges to user X to use a project.
2. User x dynamically creates an inventory and template and then executes the template (successfully), and user can see the job at this point.
3. User x then deletes the inventory and template, now User x cannot see the job even though User X is the one that launched the job.

This was done through the UI and cli with the same results.

ENVIRONMENT

STEPS TO REPRODUCE

explained in the summary

EXPECTED RESULTS

User X can see the job that User X launched

ACTUAL RESULTS

User X cannot see the job that they launched it.

ADDITIONAL INFORMATION

[AlanCoding]

Right, permissions are not persistent if you delete the resources by witch you obtain those permissions. In this case, the org admin has various permissions to the job because it was ran on an inventory in their organization (and they have full permission to manage such inventories). We don't want to break the audit trail for no reason, and there is meaningful value in persisting the job for the superuser to view.

The only solution to this situation that might be acceptable would be to add an organization field to jobs, and have that automatically set when the job is launched, this field could then be used to assess organization admin access. This would have some advantages, reducing the complexity of determining job permission in the current system. It's such a narrow case, I don't know that I'm really interested in solving it myself.

[vi-patel]

Just to give a little more detail, the use case that I am working on is using AWX to configure systems used for testing.

These systems are short-lived systems that will be used for testing and removed, and the same machine will be used for other testing multiple times and for different setups. I would like to use AWX to help run and audit the configuration. But I don't want to keep inventories and templates (there will be too many requests and I don't want to maintain this data as it is not needed) as they will be different playbooks being run and different/same machine used for many scenarios.

Right now I can't use it for this use case. Because after the deletion, I can't see the job. when the user is the admin of the organization and is the person that launched the job.

[AlanCoding]

So you have a setup and teardown that is organization-scoped, and you are keeping your users as organization admins. If you were viewing as system admin you would see the jobs.

Might consider if expanded tracking of organization ownership could have some benefit as a component of #166

[AlanCoding]

Closing in favor of that 3903 issue, which should resolve this