Bug 1623464

Summary: Tenant administrator can't navigate to Access Control -> Groups; 500 Internal Server Error
Product: Red Hat CloudForms Management Engine Reporter: Antonin Pagac <apagac>
Component: ApplianceAssignee: Keenan Brock <kbrock>
Status: CLOSED CURRENTRELEASE QA Contact: Antonin Pagac <apagac>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.10.0CC: abellott, apagac, dmetzger, kbrock, obarenbo, simaishi, yrudman
Target Milestone: GAKeywords: Regression
Target Release: 5.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 5.10.0.15 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-12 16:51:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
excerpt from production.log none

Description Antonin Pagac 2018-08-29 12:32:44 UTC 
Created attachment 1479488 [details]
excerpt from production.log

Description of problem:
The tenant administrator can't navigate to Groups. When clicked, internal error appears.

Similar issue for super administrator is described in bz 1593171. That is now fixed and works as expected.

Version-Release number of selected component (if applicable):
5.10.0.12

How reproducible:
Always

Steps to Reproduce:
1. Create a tenant administrator user with:
    Group: EvmGroup-tenant_administrator
    Role: EvmRole-tenant_administrator
2. Login with this user
3. Navigate to Configuration; Access Control -> Groups
4. Internal error appears

Actual results:
Can't navigate to Groups; Internal error appears

Expected results:
Can navigate to Groups

Additional info:
This worked in 5.9.4 - marking as regression.

See also log excerpt from production.log.
Comment 2 Gregg Tanzillo 2018-08-29 12:54:58 UTC 
Hi Antonin, do you have the error and backtrace from the log or a set of logs that we can look at?
Comment 5 Keenan Brock 2018-08-30 18:17:34 UTC 
Looks like groups, user_roles, and users have this same bug.

Very close to having a fix
Comment 6 CFME Bot 2018-08-30 18:41:28 UTC 
https://github.com/ManageIQ/manageiq/pull/17930
Comment 7 CFME Bot 2018-09-07 20:36:21 UTC 
New commit detected on ManageIQ/manageiq/master:

https://github.com/ManageIQ/manageiq/commit/9a9b5ddc47ff8baae49ed1a7cba37732d609df11
commit 9a9b5ddc47ff8baae49ed1a7cba37732d609df11
Author:     Keenan Brock <keenan>
AuthorDate: Thu Aug 30 14:18:21 2018 -0400
Commit:     Keenan Brock <keenan>
CommitDate: Thu Aug 30 14:18:21 2018 -0400

    fix: with_role_excluding has bad subquery

    Rbac.filtered/search uses this method to filter by tenant admin
    Unfortunately, the subquery was using the select from the main query and
    producing bad queries

    It is now properly isolating the queries and tests have been added to
    protect against regressions

    https://bugzilla.redhat.com/show_bug.cgi?id=1623464
 app/models/miq_group.rb | 2 +-
 app/models/miq_user_role.rb | 2 +-
 app/models/user.rb | 4 +-
 spec/lib/rbac/filterer_spec.rb | 6 +-
 spec/models/miq_group_spec.rb | 10 +
 spec/models/miq_user_role_spec.rb | 10 +
 spec/models/user_spec.rb | 24 +
 7 files changed, 51 insertions(+), 7 deletions(-)
Comment 8 Keenan Brock 2018-09-10 14:27:54 UTC 
this is on master

you should be good to go
Comment 9 Antonin Pagac 2018-09-18 10:20:50 UTC 
Verified with 5.10.0.15.