Bug 1302431

Summary: partial inventory when using sub-tenant
Product: Red Hat CloudForms Management Engine Reporter: Josh Carter <jocarter>
Component: ApplianceAssignee: Libor Pichler <lpichler>
Status: CLOSED CURRENTRELEASE QA Contact: Pavol Kotvan <pakotvan>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 5.5.0CC: abellott, dajohnso, gtanzill, jhardy, jocarter, jrafanie, obarenbo
Target Milestone: GA   
Target Release: 5.6.0   
Hardware: All   
OS: All   
Whiteboard: tenant
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-29 21:34:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Carter 2016-01-27 21:20:36 UTC 
Description of problem:

User that belongs to a group with no filtering and a sub-tenant is only able to see Clusters, Hosts, Resource Pools & Datastores

sub-tenant does not have access to Providers, virtual machines or templates. 

Version-Release number of selected component (if applicable): 5.5.0


How reproducible:
very

Steps to Reproduce:
1. 
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Shveta 2016-02-01 21:32:15 UTC 
Assigning to add test case
Comment 3 Joe Rafaniello 2016-02-09 20:28:50 UTC 
Josh, the visibility rules per class is found here:

https://github.com/ManageIQ/manageiq/blob/62477b802b2ea7eead99bd78fdf9cebcc7473702/app/models/rbac.rb#L59-L70

Can you clarify exactly what setup you have in terms of a tree what objects you have, providers/ems/vm/templates and what tenant/group they belong to?

A sub-tenant should only be able to see "ExtManagementSystem", "MiqAeNamespace", "MiqTemplate", "Provider", "ServiceTemplateCatalog", "ServiceTemplate", etc.  (the keys with a value of :ancestor_ids).
Comment 4 Joe Rafaniello 2016-02-09 20:35:45 UTC 
Of course, the sub-tenant will of course see all of it's own things, but above is for the class of objects owned by a parent tenant that are visible from the child tenant.
Comment 6 Gregg Tanzillo 2016-02-22 19:04:05 UTC 
Please retest with 5.5.2. There was a fix made to address visibility of templates owned by the parent tenant. Users should be able to see the templates owned by the current tenant and parent tenants only. But, see VMs owned by current tenant and child tenants only.