Bug 1247375

Summary: RBAC: Unable to restrict self-service users from seeing Clouds and / Infrastructure / Requests
Product: Red Hat CloudForms Management Engine Reporter: Kevin Morey <kmorey>
Component: UI - OPS Assignee: Harpreet Kataria <hkataria>
Status: CLOSED ERRATA QA Contact: Alex Newman <anewman>
Severity: high Docs Contact:
Priority: high    
Version: 5.4.0 CC: cpelland, dclarizi, hkataria, jhardy, kmorey, lavenel, mberube, mpovolny, obarenbo
Target Milestone: GA   
Target Release: 5.5.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: 5.5.0.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-08 13:24:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Infrastructure Host Provisioning Requests none

Description Kevin Morey 2015-07-27 20:32:41 UTC
Created attachment 1056755
Infrastructure Host Provisioning Requests

Description of problem:
Unable to restrict self-service users from seeing Infrastructure / Requests "For Host Provision" and Clouds. The idea being that end users should only have access to Services / Workloads. 


Version-Release number of selected component (if applicable):
5.4.1.0

How reproducible:
100%

Steps to Reproduce:
1. Copy the EVM self service user role to a new role
2. Assign the role to a group
3. When the user logs in they see Infrastructure / Requests

Actual results:
End users see Infrastructure / Requests regardless of the RBAC role

Expected results:
Expected to be able to filter that role out.

Additional info:
See screenshot

Comment 10 Dave Johnson 2015-07-30 15:50:59 UTC
John, on the triage call Dan mentioned he needs you to weigh in on how to proceed with this request.

Comment 14 CFME Bot 2015-09-08 21:47:39 UTC
New commit detected on ManageIQ/manageiq-appliance-build/master:
https://github.com/ManageIQ/manageiq-appliance-build/commit/afc991b774f445e2c86072c73ff5efaeb648aa2d

commit afc991b774f445e2c86072c73ff5efaeb648aa2d
Author:     Harpreet Kataria <hkataria>
AuthorDate: Wed Aug 26 13:44:49 2015 -0400
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Sep 8 17:38:34 2015 -0400

    Added "all_vm_rules" feature to OOTB roles
    
    - Fixed product features count in spec test
    - Addressed some of the rubocop comments
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/rbac_tree.rb        | 24 +++++++++++-----------
 db/fixtures/miq_product_features.yml               |  3 ++-
 db/fixtures/miq_user_roles.yml                     | 11 ++++++++++
 .../application_helper/toolbar_builder_spec.rb     |  6 +++---
 spec/models/miq_product_feature_spec.rb            |  2 +-
 5 files changed, 29 insertions(+), 17 deletions(-)

Comment 15 Harpreet Kataria 2015-09-15 21:51:28 UTC
*** Bug 1263443 has been marked as a duplicate of this bug. ***

Comment 16 CFME Bot 2015-09-23 20:51:07 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/e0f557122947b400450b30af57cca1ab68fe45a3

commit e0f557122947b400450b30af57cca1ab68fe45a3
Author:     Harpreet Kataria <hkataria>
AuthorDate: Wed Aug 26 12:29:28 2015 -0400
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Sep 22 17:35:36 2015 -0400

    Further changes to move vm* rules out to be independent features.
    
    - Added spec tests to verify RBAC features tree is built successfully and contains All VM and Instance Access Rules.
    - Added spec test to verify that vm_scan button is hidden for user that only has access to explorer feature, and is available to user that is allowed access to vm_scan feature.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/ops_rbac.rb         |   12 +-
 app/controllers/ops_controller/rbac_tree.rb        |   10 +-
 db/fixtures/miq_product_features.yml               | 2179 ++++++++++----------
 spec/controllers/ops_controller/rbac_tree_spec.rb  |   24 +
 .../application_helper/toolbar_builder_spec.rb     |   28 +
 5 files changed, 1151 insertions(+), 1102 deletions(-)
 create mode 100644 spec/controllers/ops_controller/rbac_tree_spec.rb

Comment 17 CFME Bot 2015-09-23 20:51:59 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/b29dac240119f09a56500fa2506fd97339ef830d

commit b29dac240119f09a56500fa2506fd97339ef830d
Author:     h-kataria <hkataria>
AuthorDate: Wed Aug 5 04:53:51 2015 -0400
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Sep 22 17:35:36 2015 -0400

    Initial work on introducing a special subtree for certain RBAC features.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/ops_rbac.rb  |  87 +-------------------
 app/controllers/ops_controller/rbac_tree.rb | 121 ++++++++++++++++++++++++++++
 2 files changed, 122 insertions(+), 86 deletions(-)
 create mode 100644 app/controllers/ops_controller/rbac_tree.rb

Comment 18 CFME Bot 2015-09-23 20:55:20 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/aa43f6918353cc078e47132a0066bfcdeaa20e4e

commit aa43f6918353cc078e47132a0066bfcdeaa20e4e
Author:     Harpreet Kataria <hkataria>
AuthorDate: Wed Aug 26 13:44:49 2015 -0400
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Sep 22 17:37:30 2015 -0400

    Added "all_vm_rules" feature to OOTB roles
    
    - Fixed product features count in spec test
    - Addressed some of the rubocop comments
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/rbac_tree.rb        | 24 +++++++++++-----------
 db/fixtures/miq_user_roles.yml                     | 11 ++++++++++
 .../application_helper/toolbar_builder_spec.rb     |  6 +++---
 spec/models/miq_product_feature_spec.rb            |  2 +-
 4 files changed, 27 insertions(+), 16 deletions(-)

Comment 19 Harpreet Kataria 2015-09-23 21:08:18 UTC
This fix needs to be tested thoroughly as this has a migration. VM/Instance related Access rules are moved to a separate node under All VM and Instance Access Rules in the Access Control tree. Need to test existing roles that had VM access rules to make sure they are migrated properly and continue to work properly. Also should add new roles with VM Access rules features and test the fix to verify all areas are working fine and honoring VM access rules.
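
The migration check requested in Comment 19, sketched as an added example (not ManageIQ code and not part of the original bug): it compares each role's effective features before and after VM rules move under their own node. The trees, role names and every identifier other than "all_vm_rules" and "vm_scan" are constructed, and `migrate` is a hypothetical rule, not the project's migration.

```ruby
require 'set'

# Constructed feature trees (child => parent). Only "all_vm_rules" and
# "vm_scan" appear in this bug; all other identifiers are hypothetical.
OLD_TREE = { 'vm_explorer' => 'everything', 'vm_scan' => 'vm_explorer',
             'vm_retire' => 'vm_explorer', 'svc_catalog' => 'everything' }.freeze
NEW_TREE = { 'vm_explorer' => 'everything', 'all_vm_rules' => 'everything',
             'vm_scan' => 'all_vm_rules', 'vm_retire' => 'all_vm_rules',
             'svc_catalog' => 'everything' }.freeze

# Constructed roles: name => explicitly granted features.
ROLES = { 'vm_operator' => ['vm_explorer'], 'scanner' => ['vm_scan'],
          'self_service' => ['svc_catalog'] }.freeze

# Features whose parent changed between the two trees.
MOVED = OLD_TREE.keys.select { |f| NEW_TREE[f] != OLD_TREE[f] }

# Granting a node grants its whole subtree: a feature is usable when it or
# any ancestor is in the granted list.
def effective(tree, granted)
  (tree.keys | tree.values).select do |feature|
    node = feature
    node = tree[node] until node.nil? || granted.include?(node)
    !node.nil?
  end.to_set
end

# Hypothetical migration: make every moved feature the role used to inherit
# an explicit grant, so re-parenting does not change what the role can do.
def migrate(granted)
  (granted + (effective(OLD_TREE, granted) & MOVED.to_set).to_a).uniq
end

# Usable before the move, not usable after it.
def lost_access(before, after)
  (effective(OLD_TREE, before) - effective(NEW_TREE, after)).to_a.sort
end

# Usable only after the move (privilege gain); new grouping nodes are ignored.
def gained_access(before, after)
  old_nodes = (OLD_TREE.keys | OLD_TREE.values).to_set
  ((effective(NEW_TREE, after) & old_nodes) - effective(OLD_TREE, before)).to_a.sort
end

# Per-role report: what breaks without a migration, and what differs with one.
def audit(roles)
  roles.to_h do |name, granted|
    [name, { lost_if_unmigrated: lost_access(granted, granted),
             lost_after_migrate: lost_access(granted, migrate(granted)),
             gained_after_migrate: gained_access(granted, migrate(granted)) }]
  end
end

audit(ROLES).each { |role, diff| puts "#{role}: #{diff}" } if __FILE__ == $PROGRAM_NAME
```

A non-empty `lost_after_migrate` means an existing role stopped working; a non-empty `gained_after_migrate` means the migration widened a role, which matters most for self-service roles.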

Comment 20 Alex Newman 2015-11-05 19:08:31 UTC
Tested version: 5.5.0.9-beta2.20151102161742_5530c9a

Comment 22 errata-xmlrpc 2015-12-08 13:24:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:2551

Comment 23 Red Hat Bugzilla 2023-09-14 03:02:38 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.