Bug 1448857

Summary: Dialog for creating cloud volumes does not filter cloud tenants
Product: Red Hat CloudForms Management Engine Reporter: Gellert Kis <gekis>
Component: Appliance Assignee: Libor Pichler <lpichler>
Status: CLOSED CURRENTRELEASE QA Contact: Pavol Kotvan <pakotvan>
Severity: high Docs Contact:
Priority: medium    
Version: 5.7.0 CC: abellott, cpelland, fdewaley, gblomqui, hkataria, igortiunov, jhardy, jprause, jrafanie, kseifried, mpovolny, obarenbo, simaishi, smallamp
Target Milestone: GA Keywords: TestOnly, ZStream
Target Release: 5.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: cfme_tenant:volume
Fixed In Version: 5.9.0.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-06 15:10:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1450150    

Description Gellert Kis 2017-05-08 12:44:36 UTC
Description of problem:

The dialog for creating cloud volumes (cinder provider) does not filter cloud tenants for the user. In this way users can create storage volumes in any tenant, not only in their own tenant.

The user can select any cloud tenant placement, not just his own tenant, when using "Add new cloud volume".


Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:
1. Create more users, each with a tenant
2. Add new cloud volume
3. Select any tenant from the placement list

Actual results:

Tenants are not filtered.

Expected results:

Tenants are filtered.



Additional info:

Comment 2 ITD27M01 2017-05-10 11:25:24 UTC
Hi Guys.
I found that the problem has much greater coverage. The user can perform any operation on the cloud volumes from other tenants. Apparently the limitations of the tenants do not work for Storage Providers. The user can create, attach, and detach any cloud volume from/to any instance in the cloud (openstack) provider, not only in his own tenant. In this case, I have to completely turn off this functionality (cloud volumes management by CFME users) to avoid data loss.

Comment 3 Kurt Seifried 2017-05-11 16:49:24 UTC
CVE assigned, do we have an ETA on when we can fix this?

Comment 6 ITD27M01 2017-05-20 20:54:53 UTC
In an environment with multiple OpenStack regions, CFME displays a cloud tenant multiple times, for each OpenStack Keystone region. In this way this string of code does not work for multi-region environments:

https://github.com/lpichler/manageiq/blob/fce2cbfd43bff2fc540424a458fbaa6c86557244/app/controllers/cloud_volume_controller.rb#L267

because the hash value for the same tenant name gets the last selected tenant id from the CloudTenants array, and not all tenants are displayed. For this to work correctly there should be some additional value for the Cloud Tenant Region (for MIQ it is just another provider, ext_management_system), like this:

Rbac.filtered(CloudTenant).each { |tenant| @cloud_tenant_choices["#{tenant.name} - #{tenant.ext_management_system.name}"] = tenant.id }
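
The key collision described in comment 6, as an added example that is not part of the bug report or of ManageIQ's code. Provider, Tenant, the region names and the ids are constructed stand-ins, and keying the choices hash by tenant name alone is an assumption inferred from the comment, not copied from the linked line.

```ruby
# Stand-ins for the ManageIQ models (hypothetical; no Rails or Rbac needed).
Provider = Struct.new(:name)
Tenant   = Struct.new(:id, :name, :ext_management_system)

# Constructed sample: the same tenant names exist in two Keystone regions,
# which CFME models as two separate providers.
REGION_A = Provider.new("openstack-region-a")
REGION_B = Provider.new("openstack-region-b")
TENANTS = [
  Tenant.new(11, "admin", REGION_A),
  Tenant.new(12, "dev",   REGION_A),
  Tenant.new(21, "admin", REGION_B),
  Tenant.new(22, "dev",   REGION_B),
].freeze

# Keyed by name only (assumed shape of the linked line): a later tenant
# with the same name silently overwrites the earlier one.
def choices_by_name(tenants)
  tenants.each_with_object({}) { |t, h| h[t.name] = t.id }
end

# Keyed by "name - provider name", as proposed in the comment.
def choices_by_name_and_provider(tenants)
  tenants.each_with_object({}) do |t, h|
    h["#{t.name} - #{t.ext_management_system.name}"] = t.id
  end
end

# Ids of tenants that can no longer be selected from the choices hash.
def dropped_ids(tenants, choices)
  tenants.map(&:id) - choices.values
end

if __FILE__ == $PROGRAM_NAME
  by_name = choices_by_name(TENANTS)
  puts "name only:       #{by_name.inspect}"
  puts "dropped ids:     #{dropped_ids(TENANTS, by_name).inspect}"
  by_both = choices_by_name_and_provider(TENANTS)
  puts "name + provider: #{by_both.inspect}"
  puts "dropped ids:     #{dropped_ids(TENANTS, by_both).inspect}"
end
```

With name-only keys the label "admin" resolves to whichever region was iterated last, so the form can submit a tenant id from a different region than the one the user intended.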