Bug 1296671

Summary: role VM/Template access restriction prevents service catalogs from being displayed when user group has no filtering set
Product: Red Hat CloudForms Management Engine
Reporter: Josh Carter <jocarter>
Component: UI - OPS
Assignee: Libor Pichler <lpichler>
Status: CLOSED ERRATA
QA Contact: Shveta <sshveta>
Severity: high
Docs Contact:
Priority: unspecified
Version: 5.5.0
CC: amotta, gtanzill, hkataria, jhardy, mfeifer, mpovolny, ncatling, obarenbo, simaishi, sshveta
Target Milestone: GA
Target Release: 5.6.0
Hardware: All
OS: All
Whiteboard: service:rbac
Fixed In Version: 5.6.0.8
Doc Type: Bug Fix
Doc Text:
Previously, users without group level filtering set could not see service catalogs based off a template that the user had group ownership of. This occurred because the ServiceTemplate (service catalog menu) model used by CloudForms does not use tags, managed filters or group and user/tenant ownership. This was fixed by removing ServiceTemplate from the direct RBAC. As a result, the user can now see all service templates related to their current tenant and parent tenants.
Last Closed: 2016-06-29 15:26:10 UTC Type: Bug

Description Josh Carter 2016-01-07 19:35:49 UTC
Description of problem:

A user with no group level filtering but role level filtering set to "Only User or Group Owned" is unable to see a service catalog that is based off a template that the user has group ownership of.


Version-Release number of selected component (if applicable): 5.5.0


How reproducible:


Steps to Reproduce:
0. Log in as admin
1. Configure -> Configuration -> Access Control -> Tenant -> Select ‘My Company’
    Configuration -> Add Child Tenant to this Tenant — create new tenant
2. Configure -> Configuration -> Access Control -> Roles
    Configuration -> Add new Role
    Then, in the Role information area, set the value ‘Only User or Group Owned’ in the ‘VM and Template Access Restriction’. — create new role
3. Configure -> Configuration -> Access Control -> Select group
    Configuration -> Add new Group — create new group
    Then, Role = select the role created in step 2 and Project/Tenant = select the tenant created in step 1
4. Configure -> Configuration -> Access Control -> Select user
    Configuration -> Add new User — create new user
    Then, Group = select the group created in step 3
5. Infrastructure -> VM Machine -> select template
    Configuration -> Set Ownership
    Group = select the group created in step 3
6. Create a service catalog menu by using the template from step 5
7. Log out as admin, then log in as the user created in step 4
8. Infrastructure -> VM Machine
    - Please confirm the template is available
    Service Catalog -> Service
    - Please confirm the service menu is unavailable

Actual results:


Expected results:


Additional info:

Comment 3 CFME Bot 2016-01-29 16:06:00 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/767833ab472a75e783ffcebb5623060cc914887c

commit 767833ab472a75e783ffcebb5623060cc914887c
Author:     lpichler <lpichler>
AuthorDate: Tue Jan 26 16:14:45 2016 +0100
Commit:     lpichler <lpichler>
CommitDate: Fri Jan 29 11:45:18 2016 +0100

    Removing ServiceTemplate from direct RBAC
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1296671
    we are not using belongs to and managed filters, group and user/tenant ownership(it is not presented in UI),
    neither tags(ServiceTemplate model is not taggable)

 app/models/rbac.rb | 1 -
 1 file changed, 1 deletion(-)
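
Review bot: the diffstat lists only app/models/rbac.rb, with a single deleted line and no spec file touched. The commit message says the deletion takes ServiceTemplate out of direct RBAC, which changes what a role-restricted user is allowed to list, so a spec should accompany it: one case for a user whose role is set to 'Only User or Group Owned', asserting exactly which service templates are returned and that templates outside the user's tenant and its parents are not.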

Comment 4 Libor Pichler 2016-01-29 16:08:18 UTC
Expected results slightly changed:
In the scenario from the BZ, we should see all service templates which are related to the current tenant and parent tenants (#4425) (not just the ServiceTemplate (service catalog menu) based on the template as described in the BZ)
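
As an added example (not ManageIQ's rbac.rb and not part of this bug report), the following models the failure described in the Doc Text, where an ownership restriction applied to a class with no ownership attributes hides every record, and the expected result stated in Comment 4. All class, method and record names are hypothetical and the data is constructed.

```ruby
# Added illustration; hypothetical names, not ManageIQ's rbac.rb.
Tenant = Struct.new(:name, :parent) do
  # This tenant plus every parent tenant up to the root.
  def ancestry
    parent ? [self] + parent.ancestry : [self]
  end
end
Group       = Struct.new(:name, :tenant)
User        = Struct.new(:name, :group, :restriction)  # restriction comes from the role
Template    = Struct.new(:name, :tenant, :owner_group) # VM template: has ownership
CatalogItem = Struct.new(:name, :tenant)               # service template: no ownership

class Filter
  # direct_rbac: classes that get the role's ownership restriction applied.
  def initialize(direct_rbac)
    @direct_rbac = direct_rbac
  end

  def visible(user, records)
    in_scope = records.select { |r| user.group.tenant.ancestry.include?(r.tenant) }
    return in_scope unless user.restriction == :user_or_group_owned

    in_scope.select do |r|
      next true unless @direct_rbac.include?(r.class) # tenant scoping only
      # A class with no owner attribute can never pass the ownership check.
      r.respond_to?(:owner_group) && r.owner_group == user.group
    end
  end
end

# Constructed sample data mirroring the reproduction steps.
ROOT  = Tenant.new("My Company", nil)
CHILD = Tenant.new("child-tenant", ROOT)
OTHER = Tenant.new("other-tenant", ROOT)
GROUP = Group.new("new-group", CHILD)
USER  = User.new("new-user", GROUP, :user_or_group_owned)
TEMPLATES = [Template.new("template", CHILD, GROUP)]
ITEMS = [CatalogItem.new("child-item", CHILD),
         CatalogItem.new("parent-item", ROOT),
         CatalogItem.new("other-item", OTHER)]

def visible_names(direct_rbac, records)
  Filter.new(direct_rbac).visible(USER, records).map(&:name)
end

p visible_names([Template, CatalogItem], ITEMS) # ServiceTemplate under direct RBAC
p visible_names([Template], ITEMS)              # ServiceTemplate removed from it
```

The third catalog item belongs to a sibling tenant and stays hidden in both runs, which is the check a regression spec for this change should keep.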

Comment 5 Shveta 2016-04-19 01:06:41 UTC
Fixed.
Verified in 5.6.0.1-beta2.20160413141124_e25ac0e

Comment 6 Libor Pichler 2016-05-26 08:09:19 UTC
It was working before as we expected, so this PR is reverting the changes:
https://github.com/ManageIQ/manageiq/pull/8890

The PR contains a description of how it should work for non-self-service users and self-service users.

Comment 7 Libor Pichler 2016-06-02 09:33:38 UTC
*** Bug 1341175 has been marked as a duplicate of this bug. ***

Comment 8 Shveta 2016-06-03 21:18:40 UTC
User can see the template but the catalog item.

Comment 9 Shveta 2016-06-03 21:28:33 UTC
User can see the catalog item too.
Verified

Comment 11 errata-xmlrpc 2016-06-29 15:26:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1348