Root Users are not given full list of organizations
Background
An individual identified as a root user in Tower has full edit/view permissions for Organizations, Workspaces, Users, and Teams via the Tower console.
This level of access does not appear to be the case when using the CLI. When a root user runs `tw -o json organizations list`, the response provided appears to be populated only by those Organizations which the user is directly affiliated with (as an Owner/Member).
How to reproduce
- Stand up a blank Tower instance.
- Create two users:
  - UserA is a root user
  - UserB is a non-root user
- Create three organizations:
  - OrganizationX
  - OrganizationY
  - OrganizationZ
- Assignments:
  - Make UserA an Owner of OrganizationX
  - Make UserA an Owner of OrganizationY
  - Make UserB an Owner of OrganizationZ
- Configure `tw` access for UserA
- As UserA, run `tw -o json organizations list`. You'll note OrganizationZ does not appear.
Hypothesis & Suggestions
I believe root user API calls run through a different set of APIs than the general organizations / members / workspaces / teams commands. Assuming I'm correct, `tw` should either:
- Offer a root-user centric menu option; OR
- Offer an additional flag to identify the activity is being run with a root-user persona rather than general Tower user; OR
- The target Tower API logic should be modified to check if the caller is a root-user and structure their responses appropriately.
The command works as expected (not a bug): `tw organizations list` returns those organizations where the requester user is a member in a similar vein to browsing to the "Organizations" screen on the web GUI.
Currently, the root API, which consists of a different set of (hidden/non-public) endpoints, is not supported by the CLI and I don't know if there are plans to support it.