Bug 1296671 - role VM/Template access restriction prevents service catalogs from being displayed when user group has no filtering set
Status: CLOSED ERRATA
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.5.0
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: GA
Target Release: 5.6.0
Assigned To: Libor Pichler
QA Contact: Shveta
Whiteboard: service:rbac
Duplicates: 1341175
Reported: 2016-01-07 14:35 EST by Josh Carter
Modified: 2016-06-29 11:26 EDT
Fixed In Version: 5.6.0.8
Doc Type: Bug Fix
Doc Text:
Previously, users without group level filtering set could not see service catalogs based off a template that the user had group ownership of. This occurred because the ServiceTemplate (service catalog menu) model used by CloudForms does not use tags, managed filters or group and user/tenant ownership. This was fixed by removing ServiceTemplate from the direct RBAC. As a result, the user can now see all service templates related to their current tenant and parent tenants.
Last Closed: 2016-06-29 11:26:10 EDT
Type: Bug
Description Josh Carter 2016-01-07 14:35:49 EST
Description of problem:

A user with no group level filtering but role level filtering set to "Only User or Group Owned" is unable to see a service catalog that is based off a template that the user has group ownership of.


Version-Release number of selected component (if applicable): 5.5.0


How reproducible:


Steps to Reproduce:
0. Log in as admin
1. Configure -> Configuration -> Access Control -> Tenant -> Select ‘My Company’
    Configuration -> Add Child Tenant to this Tenant  — create new tenant
2. Configure -> Configuration -> Access Control -> Roles
    Configuration -> Add new Role    
    Then, in the Role information area, set the value ‘Only User or Group Owned’ in the ‘VM and Template Access Restriction’. — create new role
3. Configure -> Configuration -> Access Control -> Select group
    Configuration -> Add new Group — create new group
    Then, Role = select created role in step2 and Project/Tenant = select created tenant in step1
4. Configure -> Configuration -> Access Control -> Select user
    Configuration -> Add new User — create new user
    Then, Group = select created group in step3
5. Infrastructure -> VM Machine -> select template
    Configuration -> Set Ownership
    Group = select created group in step3
6. Create service catalog menu by using template in step5
7. Log out as admin, then log in as the user created in step4
8. Infrastructure -> VM Machine
    - Please confirm template is available
    Service Catalog -> Service
    - Please confirm service menu is unavailable

Actual results:


Expected results:


Additional info:
Comment 3 CFME Bot 2016-01-29 11:06:00 EST
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/767833ab472a75e783ffcebb5623060cc914887c

commit 767833ab472a75e783ffcebb5623060cc914887c
Author:     lpichler <lpichler@redhat.com>
AuthorDate: Tue Jan 26 16:14:45 2016 +0100
Commit:     lpichler <lpichler@redhat.com>
CommitDate: Fri Jan 29 11:45:18 2016 +0100

    Removing ServiceTemplate from direct RBAC
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1296671
    we are not using belongs to and managed filters, group and user/tenant ownership(it is not presented in UI),
    neither tags(ServiceTemplate model is not taggable)

 app/models/rbac.rb | 1 -
 1 file changed, 1 deletion(-)
Comment 4 Libor Pichler 2016-01-29 11:08:18 EST
Expected results slightly changed:
In the scenario from the BZ we should see all service templates which are related to the current tenant and parent tenants (#4425) (not just the ServiceTemplate (service catalog menu) based on the template as described in the BZ).
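A simplified model of the behaviour described in the Doc Text and the commit above, added here as an illustration and not ManageIQ's own code: applying the role's ownership restriction directly to a class that carries no ownership hides every record of that class, while taking the class out of the direct list leaves only tenant scoping. The struct names, `visible_names`, the `tenant` attribute on the toy `ServiceTemplate`, and all sample data are assumptions constructed for this example.

```ruby
# Simplified, constructed model of the behaviour in this bug; not ManageIQ's rbac.rb.
Tenant = Struct.new(:name, :parent) do
  # This tenant followed by every parent up to the root.
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end
end
Group           = Struct.new(:name, :tenant, :restriction)
VmTemplate      = Struct.new(:name, :owning_group)  # ownership can be set
ServiceTemplate = Struct.new(:name, :tenant)        # no owner, no tags

# Returns the names of the records the group's users may see.
# direct_rbac lists the classes the role restriction is applied to directly.
def visible_names(records, group, direct_rbac)
  tenants = group.tenant.self_and_ancestors
  records.select do |rec|
    if direct_rbac.include?(rec.class) && group.restriction == :user_or_group_owned
      # Ownership filter: a class with no owner attribute can never match.
      rec.respond_to?(:owning_group) && rec.owning_group.equal?(group)
    elsif rec.respond_to?(:tenant)
      # Tenant scoping: current tenant and its parents only.
      tenants.any? { |t| t.equal?(rec.tenant) }
    else
      true
    end
  end.map(&:name)
end

# Constructed sample data mirroring the reproduction steps.
ROOT    = Tenant.new("My Company", nil)
CHILD   = Tenant.new("child-tenant", ROOT)
OTHER   = Tenant.new("other-tenant", ROOT)
GROUP   = Group.new("new-group", CHILD, :user_or_group_owned)
RECORDS = [
  VmTemplate.new("owned-template", GROUP),
  VmTemplate.new("unowned-template", nil),
  ServiceTemplate.new("catalog-item-child", CHILD),
  ServiceTemplate.new("catalog-item-root", ROOT),
  ServiceTemplate.new("catalog-item-other", OTHER)
]

BEFORE = visible_names(RECORDS, GROUP, [VmTemplate, ServiceTemplate])
AFTER  = visible_names(RECORDS, GROUP, [VmTemplate])
puts "before: #{BEFORE.inspect}", "after: #{AFTER.inspect}"
```

In the second call the catalog item of the sibling tenant stays hidden, so the change widens visibility along the tenant ancestry only.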
Comment 5 Shveta 2016-04-18 21:06:41 EDT
Fixed.
Verified in 5.6.0.1-beta2.20160413141124_e25ac0e
Comment 6 Libor Pichler 2016-05-26 04:09:19 EDT
It was working before as we expected, so this PR is reverting the changes:
https://github.com/ManageIQ/manageiq/pull/8890

The PR contains a description of how it should work for non-self-service users and self-service users.
Comment 7 Libor Pichler 2016-06-02 05:33:38 EDT
*** Bug 1341175 has been marked as a duplicate of this bug. ***
Comment 8 Shveta 2016-06-03 17:18:40 EDT
User can see the template but the catalog item.
Comment 9 Shveta 2016-06-03 17:28:33 EDT
User can see catalog item too.
Verified
Comment 11 errata-xmlrpc 2016-06-29 11:26:10 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1348
