Bug 1302431 - partial inventory when using sub-tenant
Status: CLOSED CURRENTRELEASE
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.5.0
Hardware: All All
Priority: unspecified
Severity: medium
Target Milestone: GA
Target Release: 5.6.0
Assigned To: Libor Pichler
Pavol Kotvan
tenant
Reported: 2016-01-27 16:20 EST by Josh Carter
Modified: 2016-11-29 04:25 EST

Doc Type: Bug Fix
Last Closed: 2016-02-29 16:34:12 EST
Type: Bug
Description Josh Carter 2016-01-27 16:20:36 EST
Description of problem:

User that belongs to a group with no filtering and a sub-tenant is only able to see Clusters, Hosts, Resource Pools & Datastores

sub-tenant does not have access to Providers, virtual machines or templates. 

Version-Release number of selected component (if applicable): 5.5.0


How reproducible:
very

Steps to Reproduce:
1. 
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Shveta 2016-02-01 16:32:15 EST
Assigning to add test case
Comment 3 Joe Rafaniello 2016-02-09 15:28:50 EST
Josh, the visibility rules per class are found here:

https://github.com/ManageIQ/manageiq/blob/62477b802b2ea7eead99bd78fdf9cebcc7473702/app/models/rbac.rb#L59-L70

Can you clarify exactly what setup you have in terms of a tree: what objects you have (providers/ems/vm/templates) and what tenant/group they belong to?

A sub-tenant should only be able to see "ExtManagementSystem", "MiqAeNamespace", "MiqTemplate", "Provider", "ServiceTemplateCatalog", "ServiceTemplate", etc.  (the keys with a value of :ancestor_ids).
Comment 4 Joe Rafaniello 2016-02-09 15:35:45 EST
Of course, the sub-tenant will of course see all of its own things, but above is for the class of objects owned by a parent tenant that are visible from the child tenant.
Comment 6 Gregg Tanzillo 2016-02-22 14:04:05 EST
Please retest with 5.5.2. There was a fix made to address visibility of templates owned by the parent tenant. Users should be able to see the templates owned by the current tenant and parent tenants only. But, see VMs owned by current tenant and child tenants only.
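
The visibility rules described in comments 3 to 6, as an added Ruby sketch (not ManageIQ's rbac.rb and not part of the original thread): classes mapped to `:ancestor_ids` are visible from the owning tenant down to its sub-tenants, while VMs are visible from the owning tenant up to its parents. The `:descendant_ids` name, the reading of "child tenants" as all descendants, the helper names and the sample tenant tree and inventory are assumptions made for the illustration.

```ruby
# Added illustration; not ManageIQ source. Class-to-strategy pairs follow the
# thread; the :descendant_ids name and all sample data are assumptions.
Tenant = Struct.new(:id, :parent) do
  def ancestor_ids
    parent ? [parent.id] + parent.ancestor_ids : []
  end
end

STRATEGY = {
  "ExtManagementSystem" => :ancestor_ids,
  "Provider"            => :ancestor_ids,
  "MiqTemplate"         => :ancestor_ids,
  "ServiceTemplate"     => :ancestor_ids,
  "Vm"                  => :descendant_ids # assumed name for the VM rule
}.freeze

def descendant_ids(tenant, all_tenants)
  all_tenants.select { |t| t.ancestor_ids.include?(tenant.id) }.map(&:id)
end

# Ids of the tenants whose objects of klass a user in tenant may see.
# fetch raises KeyError for an unmapped class, so nothing is shown by default.
def visible_tenant_ids(klass, tenant, all_tenants)
  related = case STRATEGY.fetch(klass)
            when :ancestor_ids   then tenant.ancestor_ids
            when :descendant_ids then descendant_ids(tenant, all_tenants)
            end
  [tenant.id] + related
end

def visible(objects, klass, tenant, all_tenants)
  ids = visible_tenant_ids(klass, tenant, all_tenants)
  objects.select { |o| o[:klass] == klass && ids.include?(o[:tenant_id]) }
         .map { |o| o[:name] }
end

# Constructed tenant tree: root(1) -> dept(2) -> team(3)
ROOT = Tenant.new(1, nil)
DEPT = Tenant.new(2, ROOT)
TEAM = Tenant.new(3, DEPT)
TENANTS = [ROOT, DEPT, TEAM].freeze

# Constructed inventory
INVENTORY = [
  { klass: "MiqTemplate", name: "tmpl-root", tenant_id: 1 },
  { klass: "MiqTemplate", name: "tmpl-team", tenant_id: 3 },
  { klass: "Vm",          name: "vm-root",   tenant_id: 1 },
  { klass: "Vm",          name: "vm-dept",   tenant_id: 2 },
  { klass: "Vm",          name: "vm-team",   tenant_id: 3 }
].freeze
```

A user in the middle tenant sees the root tenant's template but not its VM, which is the asymmetry a retest of this bug should confirm.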
