Bug 1296671 - role VM/Template access restriction prevents service catalogs from being displayed when user group has no filtering set
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.5.0
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: GA
Target Release: 5.6.0
Assignee: Libor Pichler
QA Contact: Shveta
URL:
Whiteboard: service:rbac
Duplicates: 1341175
Depends On:
Blocks:
Reported: 2016-01-07 19:35 UTC by Josh Carter
Modified: 2019-11-14 07:18 UTC

Fixed In Version: 5.6.0.8
Doc Type: Bug Fix
Doc Text:
Previously, users without group level filtering set could not see service catalogs based off a template that the user had group ownership of. This occurred because the ServiceTemplate (service catalog menu) model used by CloudForms does not use tags, managed filters or group and user/tenant ownership. This was fixed by removing ServiceTemplate from the direct RBAC. As a result, the user can now see all service templates related to their current tenant and parent tenants.
Clone Of:
Environment:
Last Closed: 2016-06-29 15:26:10 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2016:1348
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: CFME 5.6.0 bug fixes and enhancement update
Last Updated: 2016-06-29 18:50:04 UTC

Description Josh Carter 2016-01-07 19:35:49 UTC
Description of problem:

A user with no group level filtering but role level filtering set to "Only User or Group Owned" is unable to see 
a service catalog that is based off a template that the user has group ownership of. 


Version-Release number of selected component (if applicable): 5.5.0


How reproducible:


Steps to Reproduce:
0. Log in as admin
1. Configure -> Configuration -> Access Control -> Tenant -> Select ‘My Company’
    Configuration -> Add Child Tenant to this Tenant  — create new tenant
2. Configure -> Configuration -> Access Control -> Roles
    Configuration -> Add new Role    
    Then In the Role information area,  set a value ‘Only User or Group Owned’ in the ‘VM and Template Access Restriction’. — create new role
3. Configure -> Configuration -> Access Control -> Select group
    Configuration -> Add new Group — create new group
    Then, Role = select created role in step2 and Project/Tenant = select created tenant in step1
4. Configure -> Configuration -> Access Control -> Select user
    Configuration -> Add new User — create new user
    Then, Group = select created group in step3
5. Infrastructure -> VM Machine -> select template
    Configuration -> Set Ownership
    Group = select created group in step3
6. Create service catalog menu by using template in step5
7. Log out as admin, then log in as the user created in step4
8. Infrastructure -> VM Machine
    - Please confirm template is available
    Service Catalog -> Service
    - Please confirm service menu is unavailable

Actual results:


Expected results:


Additional info:

Comment 3 CFME Bot 2016-01-29 16:06:00 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/767833ab472a75e783ffcebb5623060cc914887c

commit 767833ab472a75e783ffcebb5623060cc914887c
Author:     lpichler <lpichler>
AuthorDate: Tue Jan 26 16:14:45 2016 +0100
Commit:     lpichler <lpichler>
CommitDate: Fri Jan 29 11:45:18 2016 +0100

    Removing ServiceTemplate from direct RBAC
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1296671
    we are not using belongs to and managed filters, group and user/tenant ownership (it is not presented in UI),
    neither tags (ServiceTemplate model is not taggable)

 app/models/rbac.rb | 1 -
 1 file changed, 1 deletion(-)
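
Review bot: the diffstat shows a single deletion in app/models/rbac.rb and no spec file in the change, so nothing pins down what a user under the "Only User or Group Owned" restriction can see once ServiceTemplate leaves direct RBAC. The commit message lists the filters that are not used but does not say which scoping still applies afterwards; state that in the message and add a spec that asserts the visible set for a restricted user.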

Comment 4 Libor Pichler 2016-01-29 16:08:18 UTC
Expected results slightly changed:
In the scenario from the BZ we should see all service templates which are related to the current tenant and parent tenants (#4425) (not just the ServiceTemplate (service catalog menu) based on the template as described in the BZ)

Comment 5 Shveta 2016-04-19 01:06:41 UTC
Fixed.
Verified in 5.6.0.1-beta2.20160413141124_e25ac0e

Comment 6 Libor Pichler 2016-05-26 08:09:19 UTC
It was working before as we expected, so this PR is reverting the changes:
https://github.com/ManageIQ/manageiq/pull/8890

The PR contains a description of how it should work for non-self-service users and self-service users.

Comment 7 Libor Pichler 2016-06-02 09:33:38 UTC
*** Bug 1341175 has been marked as a duplicate of this bug. ***

Comment 8 Shveta 2016-06-03 21:18:40 UTC
User can see the template but the catalog item.

Comment 9 Shveta 2016-06-03 21:28:33 UTC
User can see catalog item too.
Verified

Comment 11 errata-xmlrpc 2016-06-29 15:26:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1348
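
The behaviour described in the Doc Text, as an added example that is not ManageIQ code: a simplified model in which an ownership restriction applied to a record type with no ownership hides every record of that type, and removing the type from the filtered list leaves tenant scoping as the only check. All names (`visible`, `owned_by?`, `in_tenant_scope?`, the structs and sample data) are hypothetical.

```ruby
# Simplified model of the behaviour in the Doc Text; not ManageIQ code.
# Every class, method and constant name here is hypothetical.
Tenant = Struct.new(:name, :parent) do
  # The tenant itself followed by every ancestor up to the root.
  def self_and_ancestors
    parent ? [self] + parent.self_and_ancestors : [self]
  end
end
Group  = Struct.new(:name, :tenant)
User   = Struct.new(:name, :group, :restriction)
Record = Struct.new(:kind, :name, :tenant, :owner_user, :owner_group)

# Ownership filter for the "Only User or Group Owned" role restriction.
def owned_by?(rec, user)
  rec.owner_user == user || rec.owner_group == user.group
end

# Tenant scoping: records in the user's tenant or any parent tenant.
def in_tenant_scope?(rec, user)
  user.group.tenant.self_and_ancestors.include?(rec.tenant)
end

# direct_rbac_kinds lists the record kinds that get the ownership filter.
def visible(records, user, direct_rbac_kinds)
  records.select do |rec|
    next false unless in_tenant_scope?(rec, user)
    next true unless user.restriction == :user_or_group
    next true unless direct_rbac_kinds.include?(rec.kind)
    owned_by?(rec, user)
  end
end

# Constructed sample data mirroring the reproduction steps.
ROOT  = Tenant.new("My Company", nil)
CHILD = Tenant.new("child", ROOT)
OTHER = Tenant.new("other", ROOT)
GROUP = Group.new("restricted-group", CHILD)
USER  = User.new("restricted-user", GROUP, :user_or_group)
RECORDS = [
  Record.new(:template, "tmpl", ROOT, nil, GROUP),                # group-owned
  Record.new(:service_template, "catalog-item", ROOT, nil, nil),  # no owner
  Record.new(:service_template, "other-item", OTHER, nil, nil)    # sibling tenant
]

# Before: service templates are ownership-filtered and can never match.
BEFORE = visible(RECORDS, USER, [:template, :service_template]).map(&:name)
# After: service templates are only tenant-scoped.
AFTER  = visible(RECORDS, USER, [:template]).map(&:name)
puts "before: #{BEFORE.inspect}", "after: #{AFTER.inspect}"
```

The sibling-tenant item stays hidden in both runs, which is the property a regression spec for this change should pin down alongside the restored catalog item.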

