Description of problem:
When provisioning a Heat Template, the Service Dialog offers a list of all tenants even if my user has a filter by tag set on a restricted list of tenants.

Version-Release number of selected component (if applicable):
CF 4.0

How reproducible:
Always

Steps to Reproduce:
1. Create a Heat Template and associated service
2. Create a user with a tag as assigned filter in Group
3. Tag a few tenants with the same tag
4. Try to deploy the Heat Template Service

Actual results:
All tenants are visible

Expected results:
Only tenants filtered by tag should be available.

Additional info:
Possible workaround today by updating methods: /ManageIQ/Cloud/Orchestration/Operations/Methods/Available_Tenants
Heat templates allow for the selection of the OpenStack tenant to provision into which uses a dynamic dialog. Automate is currently not restricted to RBAC so the dynamic method is exposing all instances. Need to review further.
Madhu - Heat templates provisioning is through Service dialogs which use dynamic automate methods. If we are not enforcing RBAC throughout the entire automate process (due to current status of the tenancy project) it would still be useful to allow callers to apply filtering to objects manually from within certain scripts. For example, we could expose a method like $vmdb.rbac(<object/object_array>) that would be used in the use case described in this issue to further filter the available objects based on the active user/group/tenant. Let's discuss any other possible solutions.
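The manual filtering discussed above, as an added example that is not part of the original comment and is not ManageIQ code. It uses plain Ruby structs with constructed data; the names (Tenant, Requester, visible?, dialog_values_*, authorize_selection!), the tag strings, and the filter semantics (a tenant must match at least one tag from every filter group) are assumptions made for illustration.

```ruby
# Added illustration: plain Ruby structs, not ManageIQ service models.
Tenant    = Struct.new(:id, :name, :tags)
Requester = Struct.new(:userid, :tag_filters)

# Constructed sample data.
TENANTS = [
  Tenant.new(1, "dev-team-a", ["/managed/department/engineering"]),
  Tenant.new(2, "finance",    ["/managed/department/accounting"]),
  Tenant.new(3, "dev-team-b", ["/managed/department/engineering",
                               "/managed/environment/test"]),
  Tenant.new(4, "untagged",   [])
].freeze

# Assumed semantics: tag_filters is a list of groups and a tenant must carry
# at least one tag from every group. An empty list means no restriction.
def visible?(tenant, requester)
  requester.tag_filters.all? { |group| (group & tenant.tags).any? }
end

# The behaviour in the report: every tenant is offered, whoever is asking.
def dialog_values_unfiltered(tenants)
  tenants.each_with_object({}) { |t, h| h[t.id] = t.name }
end

# Filtered variant: needs the requester and fails closed when it is missing.
def dialog_values_filtered(tenants, requester)
  raise ArgumentError, "no requester; refusing to list tenants" if requester.nil?

  tenants.select { |t| visible?(t, requester) }
         .each_with_object({}) { |t, h| h[t.id] = t.name }
end

# The dropdown only limits what is displayed, so the submitted tenant id is
# checked against the same filtered set before provisioning proceeds.
def authorize_selection!(tenants, requester, submitted_id)
  allowed = dialog_values_filtered(tenants, requester)
  unless allowed.key?(submitted_id)
    raise SecurityError, "tenant #{submitted_id} not permitted for #{requester.userid}"
  end

  submitted_id
end
```
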
https://github.com/ManageIQ/manageiq/pull/6395
https://github.com/ManageIQ/manageiq/pull/11549
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/ca856952a8e5258a0348ce9d10bce9599b106aa6

commit ca856952a8e5258a0348ce9d10bce9599b106aa6
Author:     Madhu Kanoor <mkanoor>
AuthorDate: Tue Sep 27 15:39:45 2016 -0400
Commit:     Madhu Kanoor <mkanoor>
CommitDate: Thu Oct 20 12:02:56 2016 -0400

    RBAC for service models

    Filters service model objects based on the current user passed into
    Automate.

    https://bugzilla.redhat.com/show_bug.cgi?id=1306274
    https://bugzilla.redhat.com/show_bug.cgi?id=1327725

 lib/miq_automation_engine/engine/miq_ae_service.rb | 3 +
 .../engine/miq_ae_service/miq_ae_service_rbac.rb | 53 +++++++++++++
 .../engine/miq_ae_service_model_base.rb | 10 ++-
 .../engine/miq_ae_workspace.rb | 28 +++++++
 .../engine/drb_remote_invoker_spec.rb | 4 +-
 .../engine/miq_ae_method_spec.rb | 3 +
 .../engine/miq_ae_service_rbac_spec.rb | 87 ++++++++++++++++++++++
 .../miq_automation_engine/miq_ae_service_spec.rb | 12 ++-
 8 files changed, 194 insertions(+), 6 deletions(-)
 create mode 100644 lib/miq_automation_engine/engine/miq_ae_service/miq_ae_service_rbac.rb
 create mode 100644 spec/lib/miq_automation_engine/engine/miq_ae_service_rbac_spec.rb
https://github.com/ManageIQ/manageiq/pull/12070
https://github.com/ManageIQ/manageiq/pull/12530
Fixed. Verified in 5.8.0.12-rc1.20170425180304_4f35996