Bug 1283309 - Multi-tenancy: Parent tenant cannot view child tenant elements
Status: CLOSED ERRATA
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
5.5.0
Unspecified Unspecified
high Severity high
: GA
: 5.6.0
Assigned To: Gregg Tanzillo
Pavol Kotvan
tenant_cfme:rbac
Blocks: 1287849
Reported: 2015-11-18 11:44 EST by Pavol Kotvan
Modified: 2016-06-29 11:09 EDT
Fixed In Version: 5.6.0.0
Doc Type: Bug Fix
: 1287849
Last Closed: 2016-06-29 11:09:39 EDT
Type: Bug
Category: Bug

External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2016:1348
Priority: normal
Status: SHIPPED_LIVE
Summary: CFME 5.6.0 bug fixes and enhancement update
Last Updated: 2016-06-29 14:50:04 EDT

Description Pavol Kotvan 2015-11-18 11:44:12 EST
Description of problem:
Parent tenant cannot see elements of all child tenants. Administrator of each tenant or child tenant can manage only its own resources.

Version-Release number of selected component (if applicable):
5.5.0.9

How reproducible:
always

Steps to Reproduce:

1. Configure root tenant (gcloud), child tenants smals and onp, create project1 under smals tenant

2. One group is attached to each tenant

 gcloud-admins -> gcloud
 smals-admins -> smals
 onp-admins -> onp
 project1-admins -> project1


3. Each group has the role EvmRole-super_administrator

We took a cloud instance and changed ownership.

These are the test results of the Smals customer; however, when I tried to reproduce it, I got different results (marked with PK:):

a. Owner Group:   "Tenant gcloud access"  or  "gcloud-admins"   =>   Only member of tenant gcloud can view this instance   => OK
PK: - OK

b. Owner Group:   "Tenant gcloud/smals access"  or  "smals-admins"   => Only member of tenant gcloud  or tenant smals can view this instance   => OK
PK: - when owner group is set to "Tenant gcloud/smals access", user belonging to gcloud group cannot see instance. => NOK

c. Owner Group:   "Tenant gcloud/smals/project1 access"  or "project1-admins"
   =>   Only member of tenant gcloud  or project "project1" can view this instance   => NOK
PK:  When owner group is set to "Tenant gcloud/smals/project1 access" or to "project1-admins", this is what happens:
  - Member of gcloud group cannot see instance - NOK
  - Member of smals group cannot see instance - NOK
  - Member of project1 can see instance - OK


Actual results:
-

Expected results:
We expect that members of a parent tenant can interact with resources of a
child tenant and that feature seems to be only available to the root
tenant.

Additional info:
Same results when using role "EvmRole-tenant_administrator". It seems that parent tenant cannot manage resources of child tenants.
Comment 2 Dave Johnson 2015-11-24 12:13:02 EST
Triage call decided this is not a blocker and something we can address in the next z-stream.
Comment 3 Gregg Tanzillo 2015-12-01 17:27:32 EST
Created PR: https://github.com/ManageIQ/manageiq/pull/5671
Comment 4 CFME Bot 2015-12-02 14:46:03 EST
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/068c96899aeda1882fcffa10bd28deb0f535af3d

commit 068c96899aeda1882fcffa10bd28deb0f535af3d
Author:     Gregg Tanzillo <gtanzill@redhat.com>
AuthorDate: Tue Dec 1 17:26:12 2015 -0500
Commit:     Gregg Tanzillo <gtanzill@redhat.com>
CommitDate: Tue Dec 1 17:26:12 2015 -0500

    Fixing tenant accessibility for subclassed objects
    
    - Accessibility strategy was nil for subclasses of classes listed in TENANT_ACCESS_STRATEGY hash keys
    - Added call to base_model to normalize class name before lookup to ensure it will match the appropriate base class in the hash
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1283309

 app/models/rbac.rb       |  2 +-
 spec/models/rbac_spec.rb | 20 ++++++++++++++++----
 2 files changed, 17 insertions(+), 5 deletions(-)
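
The lookup failure described in the commit message of Comment 4, as an added example in Ruby that is not ManageIQ's code. The class names, hash contents, strategy symbol and the `visible?` helper are constructed; `base_model` is assumed to return the top-level model class, and a nil strategy is assumed to mean "own tenant only". The tenants mirror the reproduction steps.

```ruby
# Simplified stand-in for the strategy lookup; all names below are constructed.
Tenant = Struct.new(:name, :parent) do
  # Names of every tenant above this one in the tree.
  def ancestor_names
    parent ? [parent.name] + parent.ancestor_names : []
  end
end

class Record # stands in for the ORM base class
  attr_reader :tenant

  def initialize(tenant)
    @tenant = tenant
  end

  # Assumed meaning of base_model: the class directly below Record.
  # Only called on subclasses of Record, never on Record itself.
  def self.base_model
    superclass == Record ? self : superclass.base_model
  end
end

class Instance < Record; end
class CloudInstance < Instance; end # subclass, not a key in the hash

# Keyed by base class name only, as the commit message describes.
TENANT_ACCESS_STRATEGY = { "Instance" => :visible_to_ancestors }.freeze

def strategy_before_fix(klass)
  TENANT_ACCESS_STRATEGY[klass.name] # nil for CloudInstance
end

def strategy_after_fix(klass)
  TENANT_ACCESS_STRATEGY[klass.base_model.name] # normalized to "Instance"
end

# Can a user whose tenant is `viewer` see `obj`?
def visible?(obj, viewer, strategy)
  return true if obj.tenant == viewer
  strategy == :visible_to_ancestors && obj.tenant.ancestor_names.include?(viewer.name)
end

# Constructed tenant tree from the steps to reproduce: gcloud > smals > project1.
GCLOUD   = Tenant.new("gcloud", nil)
SMALS    = Tenant.new("smals", GCLOUD)
PROJECT1 = Tenant.new("project1", SMALS)
VM       = CloudInstance.new(PROJECT1)
```

With the un-normalized lookup the subclassed instance falls back to owner-tenant visibility, which matches the NOK results in case c; with the normalized lookup both parent tenants see it.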
Comment 7 errata-xmlrpc 2016-06-29 11:09:39 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1348
