Created attachment 1056755
Infrastructure Host Provisioning Requests

Description of problem:
Unable to restrict self-service users from seeing Infrastructure / Requests "For Host Provision" and Clouds. The idea being that end users should only have access to Services / Workloads.

Version-Release number of selected component (if applicable):
5.4.1.0

How reproducible:
100%

Steps to Reproduce:
1. Copy the EVM self service user role to a new role
2. assign the role to a group
3. When the user logs in they see Infrastructure / Requests

Actual results:
end users see Infrastructure / Requests regardless of the RBAC role

Expected results:
Expected to be able to filter that role out.

Additional info:
see screenshot
John, on the triage call Dan mentioned he needs you to weigh in on how to proceed with this request.
https://github.com/ManageIQ/manageiq/pull/3729
https://github.com/ManageIQ/manageiq/pull/4063
https://github.com/ManageIQ/manageiq/pull/4227
New commit detected on ManageIQ/manageiq-appliance-build/master:
https://github.com/ManageIQ/manageiq-appliance-build/commit/afc991b774f445e2c86072c73ff5efaeb648aa2d

commit afc991b774f445e2c86072c73ff5efaeb648aa2d
Author:     Harpreet Kataria <hkataria>
AuthorDate: Wed Aug 26 13:44:49 2015 -0400
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Sep 8 17:38:34 2015 -0400

    Added "all_vm_rules" feature to OOTB roles

    - Fixed product features count in spec test
    - Addressed some of the rubocop comments

    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/rbac_tree.rb | 24 +++++++++++-----------
 db/fixtures/miq_product_features.yml | 3 ++-
 db/fixtures/miq_user_roles.yml | 11 ++++++++++
 .../application_helper/toolbar_builder_spec.rb | 6 +++---
 spec/models/miq_product_feature_spec.rb | 2 +-
 5 files changed, 29 insertions(+), 17 deletions(-)
*** Bug 1263443 has been marked as a duplicate of this bug. ***
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/e0f557122947b400450b30af57cca1ab68fe45a3

commit e0f557122947b400450b30af57cca1ab68fe45a3
Author:     Harpreet Kataria <hkataria>
AuthorDate: Wed Aug 26 12:29:28 2015 -0400
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Sep 22 17:35:36 2015 -0400

    Further changes to move vm* rules out to be independent features.

    - Added spec tests to verify RBAC features tree is built successfully and contains All VM and Instance Access Rules.
    - Added spec test to verify that vm_scan button is hidden for user that only has access to explorer feature, and is available to user that is allowed access to vm_scan feature

    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/ops_rbac.rb | 12 +-
 app/controllers/ops_controller/rbac_tree.rb | 10 +-
 db/fixtures/miq_product_features.yml | 2179 ++++++++++----------
 spec/controllers/ops_controller/rbac_tree_spec.rb | 24 +
 .../application_helper/toolbar_builder_spec.rb | 28 +
 5 files changed, 1151 insertions(+), 1102 deletions(-)
 create mode 100644 spec/controllers/ops_controller/rbac_tree_spec.rb
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/b29dac240119f09a56500fa2506fd97339ef830d

commit b29dac240119f09a56500fa2506fd97339ef830d
Author:     h-kataria <hkataria>
AuthorDate: Wed Aug 5 04:53:51 2015 -0400
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Sep 22 17:35:36 2015 -0400

    Initial work on introducing a special subtree for certain RBAC features.

    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/ops_rbac.rb | 87 +-------------------
 app/controllers/ops_controller/rbac_tree.rb | 121 ++++++++++++++++++++++++++++
 2 files changed, 122 insertions(+), 86 deletions(-)
 create mode 100644 app/controllers/ops_controller/rbac_tree.rb
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/aa43f6918353cc078e47132a0066bfcdeaa20e4e

commit aa43f6918353cc078e47132a0066bfcdeaa20e4e
Author:     Harpreet Kataria <hkataria>
AuthorDate: Wed Aug 26 13:44:49 2015 -0400
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Sep 22 17:37:30 2015 -0400

    Added "all_vm_rules" feature to OOTB roles

    - Fixed product features count in spec test
    - Addressed some of the rubocop comments

    https://bugzilla.redhat.com/show_bug.cgi?id=1247375

 app/controllers/ops_controller/rbac_tree.rb | 24 +++++++++++-----------
 db/fixtures/miq_user_roles.yml | 11 ++++++++++
 .../application_helper/toolbar_builder_spec.rb | 6 +++---
 spec/models/miq_product_feature_spec.rb | 2 +-
 4 files changed, 27 insertions(+), 16 deletions(-)
This fix needs to be tested thoroughly as this has a migration. VM/Instance related Access rules are moved to a separate node under All VM and Instance Access Rules in the Access Control tree. Need to test existing roles that had access to VM access rules to make sure they are migrated properly and continue to work properly. Also should add new roles with VM Access rules features and test the fix to verify all areas are working fine and honoring VM access rules.
Tested version: 5.5.0.9-beta2.20151102161742_5530c9a
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:2551
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days