Awx: Organization administrator can't add users to organization

Created on 16 Jun 2020 · 17 Comments · Source: ansible/awx

ISSUE TYPE
  • Bug Report
SUMMARY

Organization created with a local account (organization admin privileges). From the organization administrator account I tried to add a user to the organization but nothing happens; it looks like the action is ignored.
In the AWX logs I found:
2020-06-15 15:16:54,302 WARNING django.request Forbidden: /api/v2/users/85/roles/
2020-06-15 15:33:17,601 WARNING awx.api.generics status 403 received by user testapi_admin_org_user attempting to access /api/v2/users/85/roles/ from 10.96.72.228
2020-06-15 15:33:17,605 WARNING django.request Forbidden: /api/v2/users/85/roles/

ENVIRONMENT
  • AWX version: 9.2
  • AWX install method: rpm version
  • Ansible version: 2.9.5
  • Operating System: Red Hat 7
  • Web Browser: Chrome
STEPS TO REPRODUCE
  1. Create organization
  2. Create a user as an organization administrator
  3. From the organization admin, try to add a user which is not already in the organization (but the account exists)
EXPECTED RESULTS

User will be added to organization

ACTUAL RESULTS

The action appears to be ignored and a 403 error appears in the logs.

ADDITIONAL INFORMATION
Labels: api, medium, needs_devel, bug

All 17 comments

@psmola can you try this in AWX 12.0.0?

Hi,
I use the AWX rpm version from mrmeee. Today I updated the repository and I see that the newest version from mrmeee is ./copr:copr.fedorainfracloud.org:mrmeee:ansible-awx/01311409-ansible-awx/ansible-awx-9.3.0.104-1.el7.x86_64.rpm
Unfortunately I can't test it on AWX 12.

I also tested this issue on the newest 9.3.0.104 but I don't see a difference: the same behaviour.

Regards

Hey @psmola,

We don't generally support mrmeee's RPM-based distribution here. If you can show reproduction of this on a recent version of AWX (like 12.0.0 or 13.0.0) we can take a look.

Hi
I reproduced the issue on AWX 13 (docker version).
Steps to reproduce:
1) Create Organization "test"
2) Add "admin_test" user to "test" organization as an administrator
3) Create "user1" in AWX as a normal user (Default organization)
4) Reconnect to AWX as "admin_test" user
5) Try to add "user1" to "test" organization - users

Result:
The user has not been added. In the logs of the awx_web container:
[pid: 81|app: 0|req: 123/333] 192.168.1.32 () {56 vars in 2523 bytes} [Mon Jun 29 13:35:52 2020] OPTIONS /api/v2/users/ => generated 9968 bytes in 63 msecs (HTTP/1.1 200) 10 headers in 294 bytes (1 switches on core 0)
2020-06-29 13:35:55,425 WARNING awx.api.generics status 403 received by user admin_test attempting to access /api/v2/users/3/roles/ from 192.168.1.32
2020-06-29 13:35:55,427 WARNING django.request Forbidden: /api/v2/users/3/roles/
2020-06-29 13:35:55,427 WARNING django.request Forbidden: /api/v2/users/3/roles/

Expected result:
The user from the default organization should be added to the new "test" organization from the organization admin account.


Regards

Hello!
I can also confirm the issue is present in version 13.0.0.

Same issue in Tower 3.7.0 on OCP. The organization admin is not able to add other users to the org as members or admins.
WARNING awx.api.generics status 403 received by user [email protected] attempting to access /api/v2/organizations/106/admins/ from ip
2020-07-16 10:30:32,944 WARNING awx.api.generics status 403 received by user [email protected] attempting to access /api/v2/users/117/roles/ from ip

What roles does that user have, in total?

A user who is an admin of an organization has two roles:

  • Organization member
  • Organization administrator

The user I want to add to the organization doesn't have any roles.

It looks more like a UI bug, as you are not supposed to be able to edit users (add them to organizations in this case) if you are not the organization admin for all of the organizations the user is a member of - including the default organization. The permission part is working as intended, but some pop-up would be nice to have I guess. @psmola in your case the organization admin should also be the admin of the default organization in order to add the new user to an org.

Shouldn't that be changed though? It doesn't make much sense to me that in the case of having a complex organization structure with lots of users (which might be in many organizations) that basically only the AWX admin (if you don't want to add a bunch of permissions to everyone, which in certain cases you definitely don't want to do!) can manage users and assign users certain permissions.

If I'm the admin of an organization I want to be able to add users and control who has access to the stuff I'm working on. As it is now you would have to delegate that to an individual who has the permission to see, use and manage all of the organisations. There's not many people who have that kind of access in companies that don't already have too much work on their hands.

Maybe I'm in the minority but I'm finding out that the permission structure on AWX is a bit weird in that there's very limited useful functionality in there.

We're facing the exact issue where a user should be a member of multiple organizations and there are different admins for those organizations. It often defeats the purpose of even having an organization admin, as a Tower/AWX admin has to assign that user to organizations. I get that if you were able to add a user to your org you would revoke another organization admin's rights to edit that user, but I don't think that an org admin requires those rights in the first place.

Having the same issue - can you please refer me to any documentation that is underpinning this statement: _"you are not supposed to be able to edit users (add them to organizations in this case) if you are not the organization admin for all of the organizations the users is a member of - including the default organization"_

It seems counter-intuitive to me, surely the ACL of an organization is handled/stored on the organization side, not on the user ... so why would it matter what other organizational memberships the user has?
I'm new to Ansible Tower, maybe my logic/understanding is flawed, so I'd appreciate any explanations/pointers.

That's the conclusion we came to when testing it. Not really able to find it in any documentation; I will share if I find it, and hope that if anybody does find it in the meantime he/she will share it here. It's stated in the docs that you have to be an organization admin to be able to manage a user belonging to the organization, so that doesn't go along with what's actually happening.

as you are not supposed to be able to edit users (add them to organizations in this case) if you are not the organization admin for all of the organizations the users is a member of - including the default organization.

In a situation where there are ~50 organizations and hundreds of members on AWX, the AWX administrator shouldn't be directly responsible for adding users to organizations. The idea of an organization with an organization admin role is to delegate such a function to dedicated members of the specific organization.
The workaround I use proves that this problem looks like a BUG, because when you create a team inside the organization you're able to add users to the team. With this workaround I'm able to create a couple of teams (RO, RW, ADMIN) and add users to these teams - and it works. So, if I can add users to the organization through teams, then why shouldn't I be able to add users directly to the organization?

"you are not supposed to be able to edit users (add them to organizations in this case) if you are not the organization admin for all of the organizations the users is a member of - including the default organization"

FYI, there's nothing special about the default organization in this case, it's just an org like any other.

This is intentional behavior for security reasons. See https://github.com/ansible/awx/commit/a344ceda0ee6a475c13924e2a72143e60d54e328 for the commit.

An org admin has administration rights on all users inside their organization. Allowing them to adopt users from other organizations that they don't have admin rights on means they can effectively "adopt" any user and then get admin access to them.

cc @AlanCoding
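The escalation the maintainer describes above, as an added toy model (not AWX's own RBAC code): it assumes a simplified rule where an org admin administers every member of their org, and the names alice, admin_test and user1 are constructed. With enforce=False the check is skipped and admin_test gains admin rights over a user they previously could not touch; with it on, the request fails the way the 403 in the logs does.

```python
from dataclasses import dataclass, field


@dataclass
class Org:
    name: str
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)


class Rbac:
    """Toy model: an org admin administers every user that is a member of that org."""

    def __init__(self):
        self.orgs = {}

    def add_org(self, name, admins=()):
        self.orgs[name] = Org(name, set(admins))

    def orgs_of(self, user):
        # every org the user is currently a member of
        return {o.name for o in self.orgs.values() if user in o.members}

    def can_admin_user(self, actor, user):
        # actor gains admin rights over user via any org they share
        return any(actor in self.orgs[o].admins for o in self.orgs_of(user))

    def can_add_member(self, actor, user, org):
        # The rule behind the 403 in the thread: actor must admin the target org AND every
        # org the user already belongs to, otherwise adding the user is an "adoption".
        if actor not in self.orgs[org].admins:
            return False
        return all(actor in self.orgs[o].admins for o in self.orgs_of(user))

    def add_member(self, actor, user, org, enforce=True):
        if enforce and not self.can_add_member(actor, user, org):
            raise PermissionError(f"403: {actor} cannot add {user} to {org}")
        self.orgs[org].members.add(user)


def demo(enforce):
    """Replays the thread's scenario; returns (admin rights before, added?, admin rights after)."""
    r = Rbac()
    r.add_org("Default", admins={"alice"})       # constructed: alice administers Default
    r.add_org("test", admins={"admin_test"})
    r.orgs["Default"].members.add("user1")       # user1 only belongs to Default
    before = r.can_admin_user("admin_test", "user1")
    try:
        r.add_member("admin_test", "user1", "test", enforce=enforce)
    except PermissionError:
        return before, False, r.can_admin_user("admin_test", "user1")
    return before, True, r.can_admin_user("admin_test", "user1")
```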

That's just the thing. Why does the organization admin need admin rights over its users? The admin should just be able to assign permissions to the users that are relevant to that specific organization. Nothing less, nothing more.

I get that this behavior is there for a reason. But removing important functionality that is very much needed by many in the name of security doesn't sit well with me. There are other ways of solving the problem that should be considered. I think it would be beneficial to have permissions to edit users separate from their permissions to access things. The latter can then be edited only by the resource owner/admin or the AWX/Tower admin. From what I see in AWX this is already the behavior when it comes to teams. We can add or remove users from teams but don't have access to edit the user's other properties.

I myself am fine with the org admins not being able to edit things like user emails, usernames or deleting them off of AWX altogether.

Closing this, this will not change without large rewrites to the RBAC model inheritance.
