[rt-users] [SOLVED] Restoring from backup -> admins lost privileges
Andrew Wippler
Andrew.Wippler at lancasterbaptist.org
Fri Feb 13 13:41:45 EST 2015
After a few hours of sleep, I managed to get it working with this code:
#!/usr/bin/perl
use lib "/usr/share/request-tracker4/lib";
use RT;
use RT::Users ; ## you may not need this but what the he
use RT::User;
use warnings;
RT::LoadConfig(); ## Loading RT config
RT::Init(); ## Initialise RT
my $users = new RT::Users(RT_System);
$users->LimitToPrivileged;
while ( $user = $users->Next) {
print $user->Name ;
print " \n";
my $u = new RT::User->new($RT::SystemUser);
my ($status, $msg) = $u->Load($user->Name);
print $msg;
print " \n";
my ($vall,$msgg) = $u->SetPrivileged(1);
print $msgg;
print " \n";
}
exit;
Old tickets will not allow me to re-assign the owner; however, it works on newly created tickets.
Andrew Wippler | Director of IT | Lancaster Baptist Church | Dr. Paul Chappell, Pastor
________________________________________
From: rt-users <rt-users-bounces at lists.bestpractical.com> on behalf of rt-users-request at lists.bestpractical.com <rt-users-request at lists.bestpractical.com>
Sent: Friday, February 13, 2015 4:46 AM
To: rt-users at lists.bestpractical.com
Subject: rt-users Digest, Vol 131, Issue 13
Send rt-users mailing list submissions to
rt-users at lists.bestpractical.com
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
or, via email, send a message with subject or body 'help' to
rt-users-request at lists.bestpractical.com
You can reach the person managing the list at
rt-users-owner at lists.bestpractical.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of rt-users digest..."
Today's Topics:
1. Prevent users from adding CC's and AdminCC's to tickets
(Cena, Stephen (ext. 300))
2. Prevent users from making Comments on tickets
(Cena, Stephen (ext. 300))
3. fail2ban With RT (Matt Brennan)
4. Re: Prevent users from making Comments on tickets (Alex Peters)
5. Re: Prevent users from adding CC's and AdminCC's to tickets
(Alex Peters)
6. Re: Prevent users from making Comments on tickets
(Daniel Schwager)
7. Restoring from backup -> admins lost privileges (Andrew Wippler)
8. unsubscribe (Steve Hanselman)
9. Re: Prevent users from making Comments on tickets (Alex Peters)
----------------------------------------------------------------------
Message: 1
Date: Thu, 12 Feb 2015 17:26:33 +0000
From: "Cena, Stephen (ext. 300)" <SJC at qvii.com>
To: "rt-users at lists.bestpractical.com"
<rt-users at lists.bestpractical.com>
Subject: [rt-users] Prevent users from adding CC's and AdminCC's to
tickets
Message-ID:
<0CE56AE307C0BC4B950BF05F3759DF4357D162D9 at MailStore2010.ogp.qvii.com>
Content-Type: text/plain; charset="us-ascii"
What permissions do I need to remove/enable to prevent users from modifying the CC/AdminCC lists (more specifically the AdminCC list). The audit trail of when people being added & removed is helpful, but I'd like to prevent it outright.
Stephen J. Cena
Supervisor/Systems Administrator - MIS/IT Dept
Quality Vision International
850 Hudson Ave
Rochester,NY 14620
Phone: 585-544-0450 x300
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Please report email problems to: postmaster at qvii.com<mailto:postmaster at qvii.com>
QVII MIS/IT Dept - We do what we must because we can.
"Thank you for helping us help you help us all."
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150212/fc0d4892/attachment-0001.html>
------------------------------
Message: 2
Date: Thu, 12 Feb 2015 17:06:48 +0000
From: "Cena, Stephen (ext. 300)" <SJC at qvii.com>
To: "rt-users at lists.bestpractical.com"
<rt-users at lists.bestpractical.com>
Subject: [rt-users] Prevent users from making Comments on tickets
Message-ID:
<0CE56AE307C0BC4B950BF05F3759DF4357D162B2 at MailStore2010.ogp.qvii.com>
Content-Type: text/plain; charset="us-ascii"
I'm in the process of locking down end-user permissions in our RT install. We want it set up so that users can only do Reply, and Admins can use Comment and Reply. At present, my "end user" can't see a Comment in a ticket, or an attachment made with a Comment. However, if the user emails the Comment address or uses the Comment in the Action drop-down in the ticket the entry gets made. The proper visibility of the resulting Comment is correct. AFAIK, there are no global permissions for anything (I'm doing it al at the queue level for each queue).
Everyone, Privileged, Unprivileged all have no permissions
End User perms for queue: CreateTicket, SeeQueue
Requestor perms for queue: ReplyToTicket, SeeCustomField, SeeQueue, ShowTicket, ModifyCustomField, ModifyTicket
Did I overlook something?
Stephen J. Cena
Supervisor/Systems Administrator - MIS/IT Dept
Quality Vision International
850 Hudson Ave
Rochester,NY 14620
Phone: 585-544-0450 x300
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Please report email problems to: postmaster at qvii.com<mailto:postmaster at qvii.com>
QVII MIS/IT Dept - We do what we must because we can.
"Thank you for helping us help you help us all."
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150212/f866b1db/attachment-0001.html>
------------------------------
Message: 3
Date: Thu, 12 Feb 2015 16:59:08 -0500
From: Matt Brennan <brennanma at gmail.com>
To: rt-users at lists.bestpractical.com
Subject: [rt-users] fail2ban With RT
Message-ID:
<CACLBzupjPx89CoFqz_k9uW-QGBSVtmdJOoCkYdj-Cbdm3kfODA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Good Day,
I am soon going to be exposing my RT instance on a public IP. It
currently requires VPN access, but users have asked for this to be changed.
As a result, I am trying to implement fail2ban, but am running into some
issues. I'm wondering if anyone else has successfully done this.
Running fail2ban-regexp against the Apache error log and the fail2ban
filter file show that there are matches, however running fail2ban in debug
mode does not show that it's matching at run time.
The relevant configs are below. Any help appreciated.
Thanks,
Matt
jail.conf:
[rt-iptables]
enabled = true
filter = rtauth
action = iptables-allports[name=RT, protocol=all]
logpath = /var/log/apache2/error.log
maxretry = 4
findtime = 21600
bantime = 86400
filter.d/rtauth.conf:
[INCLUDES]
before = apache-common.conf
[Definition]
failregex = \[.*\] \[[^]]+\] \[error\]: FAILED LOGIN for .* from <HOST>
\(.*\)$
ignoreregex =
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150212/6f1384b1/attachment-0001.html>
------------------------------
Message: 4
Date: Fri, 13 Feb 2015 11:10:37 +1100
From: Alex Peters <alex at peters.net>
To: "Cena, Stephen (ext. 300)" <SJC at qvii.com>
Cc: "rt-users at lists.bestpractical.com"
<rt-users at lists.bestpractical.com>
Subject: Re: [rt-users] Prevent users from making Comments on tickets
Message-ID:
<CAFdkmpumX12XDdNOXwjhrSwU4Wx1XUGqyaHppjkF3MC6Tbv97A at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
I believe that a user will unconditionally have commenting ability if they
also have the ModifyTicket right, regardless of the state of their
CommentOnTicket right.
You might be able to swap out ModifyTicket and use some finer-grained
rights in its place, depending on what modifications end users actually
need to make.
On 13 February 2015 at 04:06, Cena, Stephen (ext. 300) <SJC at qvii.com> wrote:
> I'm in the process of locking down end-user permissions in our RT
> install. We want it set up so that users can only do Reply, and Admins can
> use Comment and Reply. At present, my "end user" can't see a Comment in a
> ticket, or an attachment made with a Comment. However, if the user emails
> the Comment address or uses the Comment in the Action drop-down in the
> ticket the entry gets made. The proper visibility of the resulting Comment
> is correct. AFAIK, there are no global permissions for anything (I'm doing
> it al at the queue level for each queue).
>
>
> Everyone, Privileged, Unprivileged all have no permissions
> End User perms for queue: CreateTicket, SeeQueue
> Requestor perms for queue: ReplyToTicket, SeeCustomField, SeeQueue,
> ShowTicket, ModifyCustomField, ModifyTicket
>
> Did I overlook something?
>
> Stephen J. Cena
> Supervisor/Systems Administrator - MIS/IT Dept
> Quality Vision International
> 850 Hudson Ave
> Rochester,NY 14620
> Phone: 585-544-0450 x300
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> Please report email problems to: postmaster at qvii.com
>
> QVII MIS/IT Dept - We do what we must because we can.
> "Thank you for helping us help you help us all."
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150213/944c01c8/attachment-0001.html>
------------------------------
Message: 5
Date: Fri, 13 Feb 2015 11:34:08 +1100
From: Alex Peters <alex at peters.net>
To: "Cena, Stephen (ext. 300)" <SJC at qvii.com>
Cc: "rt-users at lists.bestpractical.com"
<rt-users at lists.bestpractical.com>
Subject: Re: [rt-users] Prevent users from adding CC's and AdminCC's
to tickets
Message-ID:
<CAFdkmpu=2kCxDsc+hP7+iVAH_NFM7qBr3M02men_uNAzh5SE7g at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
>From the v4.2.7 code, I'm interpreting these rules:
1. Add/remove anyone if the user has the ModifyTicket right.
2. Only add/remove self as AdminCc if the user has the WatchAsAdminCc
right.
3. Only add/remove self as Cc/Requestor if the user has the Watch right.
The logic is probably the same for all other recent versions of RT, but if
in doubt, take a look at the _HasModifyWatcherRight method in
lib/RT/Ticket.pm.
On 13 February 2015 at 04:26, Cena, Stephen (ext. 300) <SJC at qvii.com> wrote:
> What permissions do I need to remove/enable to prevent users from
> modifying the CC/AdminCC lists (more specifically the AdminCC list). The
> audit trail of when people being added & removed is helpful, but I'd like
> to prevent it outright.
>
> Stephen J. Cena
> Supervisor/Systems Administrator - MIS/IT Dept
> Quality Vision International
> 850 Hudson Ave
> Rochester,NY 14620
> Phone: 585-544-0450 x300
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> Please report email problems to: postmaster at qvii.com
>
> QVII MIS/IT Dept - We do what we must because we can.
> "Thank you for helping us help you help us all."
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150213/1e8bd7cc/attachment-0001.html>
------------------------------
Message: 6
Date: Fri, 13 Feb 2015 06:52:01 +0000
From: Daniel Schwager <Daniel.Schwager at dtnet.de>
To: 'Alex Peters' <alex at peters.net>, "'Cena, Stephen (ext. 300)'"
<SJC at qvii.com>
Cc: "'rt-users at lists.bestpractical.com'"
<rt-users at lists.bestpractical.com>
Subject: Re: [rt-users] Prevent users from making Comments on tickets
Message-ID:
<5C4B841CCF894A4CBD8B13E25E2A575F20DCB6B9 at exchange2.dtnet.de>
Content-Type: text/plain; charset="utf-8"
Hi,
> You might be able to swap out ModifyTicket and use some
> finer-grained rights in its place, depending on what modifications
> end users actually need to make.
what are the equivalent (separate) rights for ModifyTicket?
regards
Danny
From: rt-users [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Alex Peters
Sent: Friday, February 13, 2015 1:11 AM
To: Cena, Stephen (ext. 300)
Cc: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Prevent users from making Comments on tickets
I believe that a user will unconditionally have commenting ability if they also have the ModifyTicket right, regardless of the state of their CommentOnTicket right.
You might be able to swap out ModifyTicket and use some finer-grained rights in its place, depending on what modifications end users actually need to make.
On 13 February 2015 at 04:06, Cena, Stephen (ext. 300) <SJC at qvii.com<mailto:SJC at qvii.com>> wrote:
I'm in the process of locking down end-user permissions in our RT install. We want it set up so that users can only do Reply, and Admins can use Comment and Reply. At present, my "end user" can't see a Comment in a ticket, or an attachment made with a Comment. However, if the user emails the Comment address or uses the Comment in the Action drop-down in the ticket the entry gets made. The proper visibility of the resulting Comment is correct. AFAIK, there are no global permissions for anything (I'm doing it al at the queue level for each queue).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150213/eb94b235/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2279 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150213/eb94b235/attachment-0001.bin>
------------------------------
Message: 7
Date: Fri, 13 Feb 2015 07:04:03 +0000
From: Andrew Wippler <Andrew.Wippler at lancasterbaptist.org>
To: "rt-users at lists.bestpractical.com"
<rt-users at lists.bestpractical.com>
Subject: [rt-users] Restoring from backup -> admins lost privileges
Message-ID: <1456d5bc867a425cae984e170f8a2531 at zerah>
Content-Type: text/plain; charset="us-ascii"
I had to restore my MySQL database from a backup. Once I restored the RT database, the privileged users no longer had rights.
I found the below snippets to remove/add super user to my account and verify privileged users, but they are stuck in self-service mode. How do I get the rights returned back to normal?
Granting rights:
perl -I/usr/share/request-tracker4/lib/ -MRT -e'RT::LoadConfig; RT::Init;
my $u=RT::User->new($RT::SystemUser);
$u->Load("awippler");
($val,$msg) = $u->PrincipalObj->GrantRight(Object=> $RT::System, Right => "SuperUser");
print "$msg\n"'
Finding privilege users: (my account is listed)
#!/usr/bin/perl
use lib "/usr/share/request-tracker4/lib";
use RT;
use RT::Users ;
use warnings;
RT::LoadConfig(); ## Loading RT config
RT::Init(); ## Initialise RT
my $users = new RT::Users(RT_System);
$users->LimitToPrivileged;
while ( $user = $users->Next) {
print $user->Name ;
}
exit;
Andrew Wippler | Director of IT | Lancaster Baptist Church | Dr. Paul Chappell, Pastor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150213/a7348872/attachment-0001.html>
------------------------------
Message: 8
Date: Fri, 13 Feb 2015 11:42:16 -0000
From: "Steve Hanselman" <steveh at brendata.co.uk>
To: <rt-users at lists.bestpractical.com>
Subject: [rt-users] unsubscribe
Message-ID:
<6B8895CA39846F4DB78FAE7979D9D77E01064171 at prodntsc2.brendata>
Content-Type: text/plain; charset="us-ascii"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150213/33d3d343/attachment-0001.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: SpamAssassinReport.txt
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150213/33d3d343/attachment-0001.txt>
------------------------------
Message: 9
Date: Fri, 13 Feb 2015 23:46:20 +1100
From: Alex Peters <alex at peters.net>
To: Daniel Schwager <Daniel.Schwager at dtnet.de>
Cc: "rt-users at lists.bestpractical.com"
<rt-users at lists.bestpractical.com>, "Cena, Stephen \(ext. 300\)"
<SJC at qvii.com>
Subject: Re: [rt-users] Prevent users from making Comments on tickets
Message-ID:
<CAFdkmpvrPPw08PjKNurubn_c=PK2fj7py2fkHYDo8TBrQ=xvUg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
ModifyTicket is not a strict combination of other rights. I believe that
without ModifyTicket, you must experiment to determine which rights provide
the correct behaviour for your needs.
On 13 February 2015 at 17:52, Daniel Schwager <Daniel.Schwager at dtnet.de>
wrote:
> Hi,
>
>
>
> > You might be able to swap out ModifyTicket and use some
>
> > finer-grained rights in its place, depending on what modifications
>
> > end users actually need to make.
>
>
>
> what are the equivalent (separate) rights for ModifyTicket?
>
>
>
> regards
>
> Danny
>
>
>
>
>
> *From**:* rt-users [mailto:rt-users-bounces at lists.bestpractical.com] *On
> Behalf Of *Alex Peters
> *Sent:* Friday, February 13, 2015 1:11 AM
> *To:* Cena, Stephen (ext. 300)
> *Cc:* rt-users at lists.bestpractical.com
> *Subject:* Re: [rt-users] Prevent users from making Comments on tickets
>
>
>
> I believe that a user will unconditionally have commenting ability if they
> also have the ModifyTicket right, regardless of the state of their
> CommentOnTicket right.
>
>
>
> You might be able to swap out ModifyTicket and use some finer-grained
> rights in its place, depending on what modifications end users actually
> need to make.
>
>
>
> On 13 February 2015 at 04:06, Cena, Stephen (ext. 300) <SJC at qvii.com>
> wrote:
>
> I'm in the process of locking down end-user permissions in our RT install.
> We want it set up so that users can only do Reply, and Admins can use
> Comment and Reply. At present, my "end user" can't see a Comment in a
> ticket, or an attachment made with a Comment. However, if the user emails
> the Comment address or uses the Comment in the Action drop-down in the
> ticket the entry gets made. The proper visibility of the resulting Comment
> is correct. AFAIK, there are no global permissions for anything (I'm doing
> it al at the queue level for each queue).
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150213/c0c53be3/attachment.html>
------------------------------
Subject: Digest Footer
--------
rt-users mailing list
rt-users at lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
------------------------------
End of rt-users Digest, Vol 131, Issue 13
*****************************************
More information about the rt-users
mailing list