Bug 1247375 - RBAC: Unable to restrict self-service users from seeing Clouds and / Infrastructure / Requests [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.4.0
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.5.0
Assigned To: Harpreet Kataria
QA Contact: Alex Newman
Duplicates: 1263443

Reported: 2015-07-27 16:32 EDT by Kevin Morey
Modified: 2015-12-08 08:24 EST

Fixed In Version: 5.5.0.3
Doc Type: Bug Fix
Last Closed: 2015-12-08 08:24:15 EST
Type: Bug
dajohnso: needinfo? (jhardy)


Attachments
Infrastructure Host Provisioning Requests (161.73 KB, image/png)
2015-07-27 16:32 EDT, Kevin Morey

Description Kevin Morey 2015-07-27 16:32:41 EDT
Created attachment 1056755
Infrastructure Host Provisioning Requests

Description of problem:
Unable to restrict self-service users from seeing Infrastructure / Requests "For Host Provision" and Clouds. The idea being that end users should only have access to Services / Workloads. 


Version-Release number of selected component (if applicable):
5.4.1.0

How reproducible:
100%

Steps to Reproduce:
1. Copy the EVM self service user role to a new role
2. Assign the role to a group
3. When the user logs in they see Infrastructure / Requests

Actual results:
End user sees Infrastructure / Requests regardless of the RBAC role

Expected results:
Expected to be able to filter that role out.

Additional info:
See screenshot
Comment 10 Dave Johnson 2015-07-30 11:50:59 EDT
John, on the triage call Dan mentioned he needs you to weigh in on how to proceed with this request.
Comment 14 CFME Bot 2015-09-08 17:47:39 EDT
New commit detected on ManageIQ/manageiq-appliance-build/master:
https://github.com/ManageIQ/manageiq-appliance-build/commit/afc991b774f445e2c86072c73ff5efaeb648aa2d

commit afc991b774f445e2c86072c73ff5efaeb648aa2d
Author:     Harpreet Kataria <hkataria@redhat.com>
AuthorDate: Wed Aug 26 13:44:49 2015 -0400
Commit:     Harpreet Kataria <hkataria@redhat.com>
CommitDate: Tue Sep 8 17:38:34 2015 -0400

    Added "all_vm_rules" feature to OOTB roles
    
    - Fixed product features count in spec test
    - Addressed some of the rubocop comments
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/rbac_tree.rb        | 24 +++++++++++-----------
 db/fixtures/miq_product_features.yml               |  3 ++-
 db/fixtures/miq_user_roles.yml                     | 11 ++++++++++
 .../application_helper/toolbar_builder_spec.rb     |  6 +++---
 spec/models/miq_product_feature_spec.rb            |  2 +-
 5 files changed, 29 insertions(+), 17 deletions(-)
Comment 15 Harpreet Kataria 2015-09-15 17:51:28 EDT
*** Bug 1263443 has been marked as a duplicate of this bug. ***
Comment 16 CFME Bot 2015-09-23 16:51:07 EDT
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/e0f557122947b400450b30af57cca1ab68fe45a3

commit e0f557122947b400450b30af57cca1ab68fe45a3
Author:     Harpreet Kataria <hkataria@redhat.com>
AuthorDate: Wed Aug 26 12:29:28 2015 -0400
Commit:     Harpreet Kataria <hkataria@redhat.com>
CommitDate: Tue Sep 22 17:35:36 2015 -0400

    Further changes to move vm* rules out to be independent features.
    
    - Added spec tests to verify RBAC features tree is built successfully and contains All VM and Instance Access Rules.
    - Added spec test to verify that vm_scan button is hidden for user that only has access to explorer feature, and is available to user that is allowed access to vm_scan feature
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/ops_rbac.rb         |   12 +-
 app/controllers/ops_controller/rbac_tree.rb        |   10 +-
 db/fixtures/miq_product_features.yml               | 2179 ++++++++++----------
 spec/controllers/ops_controller/rbac_tree_spec.rb  |   24 +
 .../application_helper/toolbar_builder_spec.rb     |   28 +
 5 files changed, 1151 insertions(+), 1102 deletions(-)
 create mode 100644 spec/controllers/ops_controller/rbac_tree_spec.rb
Comment 17 CFME Bot 2015-09-23 16:51:59 EDT
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/b29dac240119f09a56500fa2506fd97339ef830d

commit b29dac240119f09a56500fa2506fd97339ef830d
Author:     h-kataria <hkataria@redhat.com>
AuthorDate: Wed Aug 5 04:53:51 2015 -0400
Commit:     Harpreet Kataria <hkataria@redhat.com>
CommitDate: Tue Sep 22 17:35:36 2015 -0400

    Initial work on introducing a special subtree for certain RBAC features.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/ops_rbac.rb  |  87 +-------------------
 app/controllers/ops_controller/rbac_tree.rb | 121 ++++++++++++++++++++++++++++
 2 files changed, 122 insertions(+), 86 deletions(-)
 create mode 100644 app/controllers/ops_controller/rbac_tree.rb
Comment 18 CFME Bot 2015-09-23 16:55:20 EDT
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/aa43f6918353cc078e47132a0066bfcdeaa20e4e

commit aa43f6918353cc078e47132a0066bfcdeaa20e4e
Author:     Harpreet Kataria <hkataria@redhat.com>
AuthorDate: Wed Aug 26 13:44:49 2015 -0400
Commit:     Harpreet Kataria <hkataria@redhat.com>
CommitDate: Tue Sep 22 17:37:30 2015 -0400

    Added "all_vm_rules" feature to OOTB roles
    
    - Fixed product features count in spec test
    - Addressed some of the rubocop comments
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/rbac_tree.rb        | 24 +++++++++++-----------
 db/fixtures/miq_user_roles.yml                     | 11 ++++++++++
 .../application_helper/toolbar_builder_spec.rb     |  6 +++---
 spec/models/miq_product_feature_spec.rb            |  2 +-
 4 files changed, 27 insertions(+), 16 deletions(-)
Comment 19 Harpreet Kataria 2015-09-23 17:08:18 EDT
This fix needs to be tested thoroughly as this has a migration. VM/Instance related Access rules are moved to a separate node under All VM and Instance Access Rules in the Access Control tree. Need to test existing roles that had VM access rules to make sure they are migrated properly and continue to work properly. Also should add new roles with VM Access rules features and test the fix to verify all areas are working fine and honoring VM access rules.
Comment 20 Alex Newman 2015-11-05 14:08:31 EST
Tested version: 5.5.0.9-beta2.20151102161742_5530c9a
Comment 22 errata-xmlrpc 2015-12-08 08:24:15 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:2551
