Bug 1468795
Summary: | [RFE] tenant_administrator role can modify quotas of his own Tenant | ||
---|---|---|---|
Product: | Red Hat CloudForms Management Engine | Reporter: | Andrea Perotti <aperotti> |
Component: | Appliance | Assignee: | Libor Pichler <lpichler> |
Status: | CLOSED ERRATA | QA Contact: | Ganesh Hubale <ghubale> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 5.8.0 | CC: | abellott, aperotti, cpelland, dmetzger, ghubale, gtanzill, jhardy, jprause, lavenel, lpichler, mfeifer, obarenbo, simaishi |
Target Milestone: | GA | Keywords: | FutureFeature |
Target Release: | 5.10.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | cfme_tenant:quota:rbac | ||
Fixed In Version: | 5.10.0.32 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-02-07 23:02:36 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | CFME Core | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1468726 |
Description
Andrea Perotti
2017-07-08 01:00:25 UTC
Andrea, yes Omega/Reseller can modify quotas because there is managing of quotas allowed in his role EvmRole-tenant_administrator as default. So I am suggesting to create special role for the Omega/Reseller and disable 'Manage Quotas'. (see attachment) Does this solve the issue? thanks I've tested on a CFME 5.8.0.17.20170525183055_6317a22 and effectively it works, but only for tenant-admin-omega, that will never have a child tenant. tenant-admin-alpha can modify *both* tenant's quotas: Omega and Alpha, this is behaviour that is wanted to be changed. The required behaviour is that `tenant-admin-alpha` couuld only change quotas on Omega (child tenants) and not for his own tenant (parent one). The use case is the one where an ISP sell resources to Alpha, and Alpha resell resources to Omega. ISP (global admin) have to be able to edit quota on all his childs (Alpha, Omega) Alpha (tenant admin) have to be able to edit quota on all his childs (Omega). I'll pass this to the customerI'll pass this to the customer and let you know if that is enough.I'll pass this to the customer and let you know if that is enough.I'll pass this to the customer and let you know if that is enough. and let you know if that is enough. Hope this clarify better the request. thanks a lot New commit detected on ManageIQ/manageiq-schema/hammer: https://github.com/ManageIQ/manageiq-schema/commit/3531941f063dc6e71b26d4190fb2a94eddb72f58 commit 3531941f063dc6e71b26d4190fb2a94eddb72f58 Author: Nick Carboni <ncarboni> AuthorDate: Fri Oct 26 11:45:24 2018 -0400 Commit: Nick Carboni <ncarboni> CommitDate: Fri Oct 26 11:45:24 2018 -0400 Merge pull request #291 from lpichler/add_tenant_id_to_miq_product_features Add tenant_id to miq_product_features (cherry picked from commit ed6309af48540b9adb32ed9c999a9b1acdde3458) https://bugzilla.redhat.com/show_bug.cgi?id=1468795 db/migrate/20181023171353_add_tenant_id_and_tenant_node_to_miq_product_features.rb | 5 + 1 file changed, 5 insertions(+) New commit detected on ManageIQ/manageiq-api/hammer: https://github.com/ManageIQ/manageiq-api/commit/c0202c10dc9e13207c45caf35901b2b49ac19b6a commit c0202c10dc9e13207c45caf35901b2b49ac19b6a Author: Gregg Tanzillo <gtanzill> AuthorDate: Fri Nov 9 11:51:11 2018 -0500 Commit: Gregg Tanzillo <gtanzill> CommitDate: Fri Nov 9 11:51:11 2018 -0500 Merge pull request #508 from lpichler/seed_tenant_product_features Seed tenant product features in Spec::Support::API::Helpers (cherry picked from commit 7a024f7488f39daa9bb208dd0745d941c53e0bd0) https://bugzilla.redhat.com/show_bug.cgi?id=1468795 spec/support/api/helpers.rb | 2 + 1 file changed, 2 insertions(+) New commits detected on ManageIQ/manageiq/hammer: https://github.com/ManageIQ/manageiq/commit/ac5f85f3a66368b6a5ededfcb3695f178d935139 commit ac5f85f3a66368b6a5ededfcb3695f178d935139 Author: Gregg Tanzillo <gtanzill> AuthorDate: Tue Oct 30 16:51:09 2018 -0400 Commit: Gregg Tanzillo <gtanzill> CommitDate: Tue Oct 30 16:51:09 2018 -0400 Merge pull request #18102 from lpichler/dynamic_product_features Dynamic product features according to tenants (cherry picked from commit e391dec9c57dce99d67555c329906ec2fb71e759) https://bugzilla.redhat.com/show_bug.cgi?id=1468795 app/models/miq_product_feature.rb | 52 +- app/models/tenant.rb | 27 +- db/fixtures/miq_product_features.yml | 12 +- lib/rbac/authorizer.rb | 2 + spec/models/miq_product_feature_spec.rb | 146 +- spec/models/miq_user_role_spec.rb | 30 + spec/models/tenant_spec.rb | 32 + spec/support/evm_spec_helper.rb | 1 + 8 files changed, 287 insertions(+), 15 deletions(-) https://github.com/ManageIQ/manageiq/commit/8355c58f81508d207666b3046462d3af813835b2 commit 8355c58f81508d207666b3046462d3af813835b2 Author: Gregg Tanzillo <gtanzill> AuthorDate: Mon Nov 5 17:33:59 2018 -0500 Commit: Gregg Tanzillo <gtanzill> CommitDate: Mon Nov 5 17:33:59 2018 -0500 Merge pull request #18151 from lpichler/add_rbac_tenant_manage_quotas_to_tenant_product_feature ADD rbac_tenant_manage_quotas to tenant product features (cherry picked from commit 61d1edd6d9131e5d9a023411d838b60114b52d1e) https://bugzilla.redhat.com/show_bug.cgi?id=1468795 app/models/miq_product_feature.rb | 2 +- spec/models/miq_user_role_spec.rb | 5 +- 2 files changed, 5 insertions(+), 2 deletions(-) https://github.com/ManageIQ/manageiq/commit/d4481688e06d35e0f2220b6f1d19d0a1eb036597 commit d4481688e06d35e0f2220b6f1d19d0a1eb036597 Author: Brandon Dunne <brandondunne> AuthorDate: Mon Nov 12 15:04:44 2018 -0500 Commit: Brandon Dunne <brandondunne> CommitDate: Mon Nov 12 15:04:44 2018 -0500 Merge pull request #18179 from gtanzillo/fix-dynamic-product-features Authorize user with non-dynamic product feature if included in user's role (cherry picked from commit f489784b0917a30aa810772b3888bb9dac9cec0c) https://bugzilla.redhat.com/show_bug.cgi?id=1468795 app/models/miq_product_feature.rb | 2 +- lib/rbac/authorizer.rb | 4 +- spec/models/miq_user_role_spec.rb | 19 +- 3 files changed, 19 insertions(+), 6 deletions(-) New commit detected on ManageIQ/manageiq-ui-classic/hammer: https://github.com/ManageIQ/manageiq-ui-classic/commit/5ade165e927704d85461fa9fa7aff86785d83183 commit 5ade165e927704d85461fa9fa7aff86785d83183 Author: Milan Zázrivec <mzazrivec> AuthorDate: Wed Oct 31 11:05:16 2018 -0400 Commit: Milan Zázrivec <mzazrivec> CommitDate: Wed Oct 31 11:05:16 2018 -0400 Merge pull request #4858 from lpichler/fix_ci_after_dynamic_product_features Fix CI After Dynamic Product Features (cherry picked from commit 568f503519dac39ee1eefd55a1f48828ed49aae7) https://bugzilla.redhat.com/show_bug.cgi?id=1468795 spec/controllers/miq_ae_customization_controller/dialogs_spec.rb | 1 + 1 file changed, 1 insertion(+) New commit detected on ManageIQ/manageiq/hammer: https://github.com/ManageIQ/manageiq/commit/9d4c1af4c2ff4844c621317e76e405acdce289b9 commit 9d4c1af4c2ff4844c621317e76e405acdce289b9 Author: Keenan Brock <keenan> AuthorDate: Thu Dec 20 11:40:02 2018 -0500 Commit: Keenan Brock <keenan> CommitDate: Thu Dec 20 11:40:02 2018 -0500 Merge pull request #18286 from lpichler/dont_create_tenant_product_features_remote_tenants Don't seed tenant product features for tenant from remote region (cherry picked from commit 7909bf7f11a842f7b98d5e7fc539b6fc3da82de7) https://bugzilla.redhat.com/show_bug.cgi?id=1468795 app/models/miq_product_feature.rb | 2 +- spec/models/miq_product_feature_spec.rb | 26 + 2 files changed, 27 insertions(+), 1 deletion(-) Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0212 |