Bug 1411477

Summary: Heat Template provisioning does not honor Tagging filtering
Product: Red Hat CloudForms Management Engine Reporter: Satoe Imaishi <simaishi>
Component: ProvisioningAssignee: mkanoor
Status: CLOSED ERRATA QA Contact: Shveta <sshveta>
Severity: low Docs Contact:
Priority: medium    
Version: 5.5.0CC: gmccullo, hkataria, jhardy, mkanoor, mpovolny, obarenbo, simaishi, sshveta
Target Milestone: GAKeywords: ZStream
Target Release: 5.7.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: openstack:provision:tag:filter
Fixed In Version: 5.7.1.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1306274 Environment:
Last Closed: 2017-04-12 14:33:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1306274    
Bug Blocks:    
Attachments:
Description Flags
all tenants none

Comment 2 CFME Bot 2017-01-09 20:00:50 UTC 
New commit detected on ManageIQ/manageiq/euwe:
https://github.com/ManageIQ/manageiq/commit/c180299f056015b1d11e0ec6a1ce82db95493ad4

commit c180299f056015b1d11e0ec6a1ce82db95493ad4
Author:     Greg McCullough <gmccullo>
AuthorDate: Mon Dec 5 09:59:53 2016 -0500
Commit:     Satoe Imaishi <simaishi>
CommitDate: Mon Jan 9 14:55:41 2017 -0500

    Merge pull request #12369 from mkanoor/rbac_tres
    
    RBAC support for Automate Service Models
    (cherry picked from commit b2cd6253905150f3a72d6da98cf0a1b3d8dc91b3)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1411477

 .../engine/drb_remote_invoker.rb                   | 11 +++
 lib/miq_automation_engine/engine/miq_ae_service.rb |  5 ++
 .../engine/miq_ae_service/miq_ae_service_rbac.rb   | 47 ++++++++++++
 .../engine/miq_ae_service_model_base.rb            |  9 ++-
 .../engine/miq_ae_workspace.rb                     | 28 +++++++
 .../engine/drb_remote_invoker_spec.rb              |  4 +-
 .../engine/miq_ae_method_spec.rb                   |  3 +
 .../miq_ae_service/miq_ae_service_rbac_spec.rb     | 87 ++++++++++++++++++++++
 .../miq_automation_engine/miq_ae_service_spec.rb   | 13 +++-
 9 files changed, 201 insertions(+), 6 deletions(-)
 create mode 100644 lib/miq_automation_engine/engine/miq_ae_service/miq_ae_service_rbac.rb
 create mode 100644 spec/lib/miq_automation_engine/engine/miq_ae_service/miq_ae_service_rbac_spec.rb
Comment 3 mkanoor 2017-01-11 14:40:31 UTC 
Fixed via https://github.com/ManageIQ/manageiq/pull/12369 which has been back ported to EUWE
Comment 4 Shveta 2017-01-27 04:19:05 UTC 
Created attachment 1244936 [details]
all tenants
Comment 5 Shveta 2017-01-27 04:19:42 UTC 
All tenants are shown not just the tagged one .
Please check https://10.8.199.137.
User :shveta/redhat
Comment 6 mkanoor 2017-02-15 21:51:40 UTC 
This is not supposed to work out of the box.
RBAC is an optional feature and needs to be enabled in Automate methods to filter out items based on the current tenant.

In the Automate method if you want to enable RBAC you would have to use

$evm.enable_rbac

If we enable RBAC by default a lot of customer defined automate method could start to fail. At some later release we will enable RBAC by default.
Comment 7 Shveta 2017-02-18 00:58:13 UTC 
Method used 
=====================
#
# Description: provide the dynamic list content from available tenants
#
stack_list = {nil => "<default>"}

$evm.enable_rbac

$evm.vmdb('orchestration_stack').all do |os|
  stack_list[os.id] = os.name
end

dialog_field = $evm.object

# sort_by: value / description / none
dialog_field["sort_by"] = "description"

# sort_order: ascending / descending
dialog_field["sort_order"] = "ascending"

# data_type: string / integer
dialog_field["data_type"] = "string"

# required: true / false
dialog_field["required"] = "false"

dialog_field["values"] = stack_list
dialog_field["default_value"] = nil

================================

1) Created a dialog that uses the above method.
2) Created Two tenants :tenant_1 and tenant2 . 
3) Login with tenant_1 (risha/redhat) , Order catalogitem 'tenancy' the dropdown does not show stacks for tenant_1 

Appliance :  https://10.8.199.189
Comment 8 Shveta 2017-02-20 22:55:55 UTC 
Not working with VM's .
==================Method used===================
#
# Description: provide the dynamic list content from available tenants
#
vm_list = {nil => "<default>"}

$evm.enable_rbac

$evm.log(:info, "VM List")
all_vms = $evm.vmdb('vm').all
$evm.log(:info, "Count #{all_vms.count}")
all_vms.each do |item|
  $evm.log(:info, "item #{item.inspect}")
  #vm_list[item.id] = item.name
end

dialog_field = $evm.object

# sort_by: value / description / none
dialog_field["sort_by"] = "description"

# sort_order: ascending / descending
dialog_field["sort_order"] = "ascending"

# data_type: string / integer
dialog_field["data_type"] = "string"

# required: true / false
dialog_field["required"] = "false"

dialog_field["values"] = vm_list
dialog_field["default_value"] = nil
Comment 9 mkanoor 2017-02-20 22:56:29 UTC 
There seems to be a bug in RBAC, when we enable RBAC using
$evm.enable_rbac

We get a RBAC error
<code: credentials.each do |item|>:38:in `fetch_list_data'
<code: fill_dialog_field(fetch_list_data)>:18:in `main'
[----] E, [2017-02-20T16:53:38.087908 #5140:3fe5a4f8baf0] ERROR -- : Method STDERR: (druby://127.0.0.1:54665) /Users/xxxxx/devsrc/manageiq/lib/rbac/filterer.rb:201:in `collect': undefined method `id' for "bd-test-change":String (NoMethodError)
[----] E, [2017-02-20T16:53:38.088394 #5140:3fe5a4f8baf0] ERROR -- : Method STDERR:   from (druby://127.0.0.1:54665) /Users/xxxx/devsrc/manageiq/lib/rbac/filterer.rb:201:in `search'

The sample Automate method looks like

$evm.enable_rbac
all_vms = $evm.vmdb('vm').all
all_vms.each do |item|
  vm_list[item.id] = item.name
end


When we iterate over each item it blows up
Comment 12 Shveta 2017-02-22 22:24:44 UTC 
Sure , no problem . 
I will look into it when it comes to ON_QA now.
Comment 14 mkanoor 2017-03-14 15:12:27 UTC 
Hi Shevta,
https://bugzilla.redhat.com/show_bug.cgi?id=1431822

Addresses the concerns in this ticket.
I have create a PR for it which has been merged.
In the next build you should be able to validate this ticket.

Thanks,
Madhu
Comment 15 mkanoor 2017-03-16 14:25:45 UTC 
The PR for https://bugzilla.redhat.com/show_bug.cgi?id=1431822 has been merged please retest
Comment 16 Shveta 2017-03-20 21:45:38 UTC 
Verification steps :
=======================
Method :
#
# Description: provide the dynamic list content from available tenants
#
vm_list = {nil => "<default>"}

$evm.enable_rbac

$evm.log(:info, "VM List")
all_vms = $evm.vmdb('vm').all
$evm.log(:info, "Count #{all_vms.count}")
all_vms.each do |item|
  $evm.log(:info, "item #{item.inspect}")
  vm_list[item.id] = item.name
end

dialog_field = $evm.object

# sort_by: value / description / none
dialog_field["sort_by"] = "description"

# sort_order: ascending / descending
dialog_field["sort_order"] = "ascending"

# data_type: string / integer
dialog_field["data_type"] = "string"

# required: true / false
dialog_field["required"] = "false"

dialog_field["values"] = vm_list
dialog_field["default_value"] = nil

================================
Create a tenant and a user assigned to that tenant. 
Create a dialog using above method .Call the dialog in a catalog item.
User should see VM's owned by this tenant in dropdown list .
Comment 17 Shveta 2017-03-23 05:24:34 UTC 
Verified in 5.7.2.0.20170321181409_349f1b1
Comment 19 errata-xmlrpc 2017-04-12 14:33:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0898