awx cli schedules create cannot create schedule if the user is of type Normal User with required permissions. #5717

Closed
IshwarKanse opened this issue Jan 21, 2020 · 14 comments

Comments

@IshwarKanse

ISSUE TYPE
  • Bug Report
SUMMARY

awx cli schedules create cannot create schedule if the user is of type Normal User with required permissions on the object or even with Organization admin role. Currently the user needs to be a System Administrator type to create the schedule. From the UI the Normal User with permission can create the schedule.

POST at the /api/v2/schedules/ endpoint is only available for the user with System Administrator type which is the endpoint used by awx schedules create command.

ENVIRONMENT
  • AWX version: Tower 3.6.2
  • AWX install method: Tower 3.6.2 cluster installed with online installer
  • Ansible version: 2.9.1
  • Operating System: RHEL 8
  • Web Browser: Chrome 79
STEPS TO REPRODUCE
  • Create a normal user:
  • Assign permission to a job template or set the user role as Organization admin.
  • Try to create the schedule for the job template using awx cli.
awx --conf.host https://tower.ishwar.io --conf.username test --conf.password 'PASSWORD' schedules create --name=test --unified_job_template=111 --rrule="DTSTART;TZID=America/New_York:20180208T221500 RRULE:FREQ=MONTHLY;INTERVAL=1;BYDAY=TH;BYSETPOS=3" -vvv
  • Change the user type to system administrator and rerun the command.
EXPECTED RESULTS
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): tower.ishwar.io:443
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/ HTTP/1.1" 200 188
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/" elapsed: 0:00:00.208793
DEBUG:awxkit.api.registry:Retrieved <class 'awxkit.api.pages.api.ApiV2'> by url: /api/v2/
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/v2/ HTTP/1.1" 200 1688
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/v2/" elapsed: 0:00:00.047443
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/ HTTP/1.1" 200 188
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/" elapsed: 0:00:00.052170
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "POST /api/login/ HTTP/1.1" 302 0
DEBUG:awxkit.api.client:"POST https://tower.ishwar.io/api/login/" elapsed: 0:00:00.247407
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/ HTTP/1.1" 200 188
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/" elapsed: 0:00:00.080558
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/ HTTP/1.1" 200 188
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/" elapsed: 0:00:00.084587
DEBUG:awxkit.api.registry:Retrieved <class 'awxkit.api.pages.schedules.Schedules'> by url: /api/v2/schedules/
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "OPTIONS /api/v2/schedules/ HTTP/1.1" 200 13449
DEBUG:awxkit.api.client:"OPTIONS https://tower.ishwar.io/api/v2/schedules/" elapsed: 0:00:00.101736
DEBUG:awxkit.api.registry:Retrieved <class 'awxkit.api.pages.schedules.Schedules'> by url: /api/v2/schedules/
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "OPTIONS /api/v2/schedules/1/ HTTP/1.1" 200 7915
DEBUG:awxkit.api.client:"OPTIONS https://tower.ishwar.io/api/v2/schedules/1/" elapsed: 0:00:00.120726
awx: unrecognized arguments: -vvv
DEBUG:awxkit.api.registry:Retrieved <class 'awxkit.api.pages.schedules.Schedules'> by url: /api/v2/schedules/
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "POST /api/v2/schedules/ HTTP/1.1" 201 1552
DEBUG:awxkit.api.client:"POST https://tower.ishwar.io/api/v2/schedules/" elapsed: 0:00:00.156802
DEBUG:awxkit.api.registry:Retrieved <class 'awxkit.api.pages.schedules.Schedules'> by url: /api/v2/schedules/
{
     "rrule": "DTSTART;TZID=America/New_York:20180208T221500 RRULE:FREQ=MONTHLY;INTERVAL=1;BYDAY=TH;BYSETPOS=3",
     "id": 14,
     "type": "schedule",
     "url": "/api/v2/schedules/14/",
     "summary_fields": {
          "unified_job_template": {
               "id": 111,
               "name": "test-schedule",
               "description": "",
               "unified_job_type": "job"
          },
          "created_by": {
               "id": 121,
               "username": "test",
               "first_name": "test",
               "last_name": "test"
          },
          "modified_by": {
               "id": 121,
               "username": "test",
               "first_name": "test",
               "last_name": "test"
          },
          "user_capabilities": {
               "edit": true,
               "delete": true
          },
          "inventory": {
               "id": 29,
               "name": "Demo Inventory",
               "description": "",
               "has_active_failures": false,
               "total_hosts": 1,
               "hosts_with_active_failures": 0,
               "total_groups": 0,
               "groups_with_active_failures": 0,
               "has_inventory_sources": false,
               "total_inventory_sources": 0,
               "inventory_sources_with_failures": 0,
               "organization_id": 1,
               "kind": "",
               "insights_credential_id": null
          }
     },
     "created": "2020-01-21T07:31:19.312383Z",
     "modified": "2020-01-21T07:31:19.312398Z",
     "name": "test",
     "description": "",
     "extra_data": {},
     "inventory": null,
     "scm_branch": null,
     "job_type": null,
     "job_tags": null,
     "skip_tags": null,
     "limit": null,
     "diff_mode": null,
     "verbosity": null,
     "unified_job_template": 111,
     "enabled": true,
     "dtstart": "2018-02-16T03:15:00Z",
     "dtend": null,
     "next_run": "2020-02-21T03:15:00Z",
     "timezone": "America/New_York",
     "until": ""
}

ACTUAL RESULTS
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): tower.ishwar.io:443
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/ HTTP/1.1" 200 188
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/" elapsed: 0:00:00.173558
DEBUG:awxkit.api.registry:Retrieved <class 'awxkit.api.pages.api.ApiV2'> by url: /api/v2/
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/v2/ HTTP/1.1" 200 1688
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/v2/" elapsed: 0:00:00.046141
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/ HTTP/1.1" 200 188
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/" elapsed: 0:00:00.050566
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "POST /api/login/ HTTP/1.1" 302 0
DEBUG:awxkit.api.client:"POST https://tower.ishwar.io/api/login/" elapsed: 0:00:00.247518
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/ HTTP/1.1" 200 188
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/" elapsed: 0:00:00.088723
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "GET /api/ HTTP/1.1" 200 188
DEBUG:awxkit.api.client:"GET https://tower.ishwar.io/api/" elapsed: 0:00:00.081436
DEBUG:awxkit.api.registry:Retrieved <class 'awxkit.api.pages.schedules.Schedules'> by url: /api/v2/schedules/
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "OPTIONS /api/v2/schedules/ HTTP/1.1" 200 11598
DEBUG:awxkit.api.client:"OPTIONS https://tower.ishwar.io/api/v2/schedules/" elapsed: 0:00:00.088985
DEBUG:awxkit.api.registry:Retrieved <class 'awxkit.api.pages.schedules.Schedules'> by url: /api/v2/schedules/
DEBUG:urllib3.connectionpool:https://tower.ishwar.io:443 "OPTIONS /api/v2/schedules/1/ HTTP/1.1" 200 6065
DEBUG:awxkit.api.client:"OPTIONS https://tower.ishwar.io/api/v2/schedules/1/" elapsed: 0:00:00.112443
usage: awx schedules [-h] action ...

positional arguments:
  action
    list
    get
    modify
    delete

optional arguments:
  -h, --help  show this help message and exit

awx schedules: argument action: invalid choice: 'create' (choose from 'list', 'get', 'modify', 'delete')
@ryanpetrello
Contributor

Confirmed, this is an API permissions bug that prevents normal users from ever doing a POST /api/v2/schedules/, not a bug in the CLI. The issue looks like:

OPTIONS /api/v2/schedules/ doesn't show POST if you have execute role on at least one UJT.

ryanpetrello added a commit to ryanpetrello/awx that referenced this issue Mar 5, 2020
a side effect of this bug is that `awx schedules create` doesn't work
properly for non-admin users (i.e., users who have execute access for
a JT)

see: ansible#5717
@kdelee
Member

kdelee commented Mar 5, 2020

@ryanpetrello I am trying this out locally, first w/ an org admin, and I notice if the org admin has at least one job template, it can see the POST in the options. But if it has a project or an inventory source that also have the ability to have schedules, does not see the POST option

@kdelee kdelee self-assigned this Mar 5, 2020
@ryanpetrello
Contributor

Good catch @kdelee.

Mind giving this PR a whirl?

#6205

@kdelee
Member

kdelee commented Mar 9, 2020

Now works w/ org admin as expected.

For a regular user with use on a project, I see POST as an option in api/v2/schedules OPTIONS but when I do a POST to the project that I have execute on, I get FORBIDDEN. What do you think of that?

@kdelee
Member

kdelee commented Mar 9, 2020

Same story w/ regular user with use on an inventory source -- have POST in options to global schedules endpoint but can't post a schedule to an inventory I have use on. Is that normal?

@kdelee
Member

kdelee commented Mar 9, 2020

I guess part of me was thinking that creating a schedule to execute/run a resource is equivalent to using it "ad-hoc" therefore having use should allow you to run it....especially because this is the way it seems to work with job templates. (e.g. having EXECUTE allows me to add a schedule for it).

Willing to be proven wrong

@kdelee
Member

kdelee commented Mar 9, 2020

All other cases are passing...so just have to decide what is right w/

normal user w/ use on Project
normal user w/ use on Inventory Source
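
The two behaviours discussed in this thread, as an added example that is not part of any comment and is not awxkit or AWX code: a metadata-driven client that offers `create` only when the OPTIONS body lists POST, and a check that flags accounts where advertised and enforced POST permissions disagree. The `actions` key layout, the gating rule and all sample bodies are assumptions of this sketch; only the 201 and the FORBIDDEN (403) outcomes are taken from the thread.

```python
# Added example (not awxkit or AWX code): OPTIONS metadata vs. enforced access.
# Assumption: the API lists permitted methods under an "actions" key in the
# OPTIONS body, and the client offers "create" only when POST is listed there.
BASE_VERBS = ["list", "get", "modify", "delete"]  # verbs shown in the failing run


def cli_verbs(options_body):
    """Verbs a metadata-driven client would offer for this endpoint."""
    actions = options_body.get("actions", {})
    return BASE_VERBS + (["create"] if "POST" in actions else [])


def check_action(options_body, action):
    """Return None if the verb is offered, else an argparse-style error string."""
    verbs = cli_verbs(options_body)
    if action in verbs:
        return None
    choices = ", ".join(repr(v) for v in verbs)
    return f"argument action: invalid choice: {action!r} (choose from {choices})"


def audit(probes):
    """Flag accounts whose advertised and enforced POST permissions disagree."""
    findings = []
    for who, options_body, post_status in probes:
        advertised = "POST" in options_body.get("actions", {})
        allowed = 200 <= post_status < 300
        if advertised and not allowed:
            findings.append((who, "advertised-but-forbidden"))
        elif allowed and not advertised:
            findings.append((who, "hidden-but-allowed"))
    return findings


# Constructed sample data; only the 201 and 403 statuses come from the thread.
WITH_POST = {"actions": {"GET": {}, "POST": {}}}
WITHOUT_POST = {"actions": {"GET": {}}}
PROBES = [
    ("system administrator", WITH_POST, 201),
    ("regular user, use on a project", WITH_POST, 403),
]

if __name__ == "__main__":
    print(check_action(WITHOUT_POST, "create"))
    print(audit(PROBES))
```

A finding from `audit` is a prompt for review rather than proof of a defect: an OPTIONS request to a collection endpoint cannot know which target a later POST will name.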

@ryanpetrello
Contributor

ryanpetrello commented Mar 9, 2020

It doesn't look to me like Projects or Inventory Sources allowed creating schedules with just "use" access before my recent changes. Here's what I get with a devel I rolled back a week or so (excluding my recent PRs):

@AlanCoding @wenottingham are you aware of any exceptions to this?

Here's a project and inventory source with "use" access:

image

Here's the same requests with "update" access on both:

image

@ryanpetrello
Contributor

ryanpetrello commented Mar 9, 2020

> For a regular user with use on a project, I see POST as an option in api/v2/schedules OPTIONS but when I do a POST to the project that I have execute on, I get FORBIDDEN. What do you think of that?

Yea, this sounds like a pre-existing bug to me; I don't see how my recent changes would've affected that.

@kdelee
Member

kdelee commented Mar 10, 2020

❓ so does that mean you want to fix that behavior before we close this out?

@ryanpetrello
Contributor

Yep, I'd like to address it. Just haven't had time yet.

@kdelee
Member

kdelee commented Mar 10, 2020

ack

@ryanpetrello
Contributor

I think this is actually working correctly @kdelee (cc @AlanCoding):

#6240

@kdelee
Member

kdelee commented Mar 10, 2020

Got tests worked out, this is working for me now. Closing

@kdelee kdelee closed this as completed Mar 10, 2020