Bug 1306274 - Heat Template provisioning does not honor Tagging filtering
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Provisioning
Unspecified Unspecified
medium Severity low
: GA
: 5.8.0
Assigned To: mkanoor
: TestOnly, ZStream
Blocks: 1411477
Reported: 2016-02-10 08:20 EST by Loic Avenel
Modified: 2017-06-12 12:27 EDT
Doc Type: Bug Fix
: 1411477 (view as bug list)
Last Closed: 2017-06-12 12:27:03 EDT
Type: Bug

Description Loic Avenel 2016-02-10 08:20:19 EST
Description of problem: When provisioning a Heat Template, the Service Dialog offers a list of all tenants even if my user has a filter by tag set on a restricted list of tenants

Version-Release number of selected component (if applicable): CF 4.0

How reproducible:

Steps to Reproduce:
1. Create a Heat Template and associated service
2. Create a user with a tag as assigned filter in Group 
3. Tag a few tenants with the same tag
4. Try to deploy the Heat Template Service

Actual results:

All tenants are visible

Expected results:

Only tenants filtered by tag should be available.

Additional info:

Possible workaround today by updating methods:
Comment 3 Greg McCullough 2016-02-11 09:38:19 EST
Heat templates allow for the selection of the OpenStack tenant to provision into which uses a dynamic dialog.  Automate is currently not restricted to RBAC so the dynamic method is exposing all instances.  Need to review further.
Comment 4 Greg McCullough 2016-02-17 10:10:15 EST
Madhu - Heat templates provisioning is through Service dialogs which use dynamic automate methods.  If we are not enforcing RBAC throughout the entire automate process (due to current status of the tenancy project) it would still be useful to allow callers to apply filtering to objects manually from within certain scripts.

For example, we could expose a method like $vmdb.rbac(<object/object_array>) that would be used in the use case described in this issue to further filter the available objects based on the active user/group/tenant.

Let's discuss any other possible solutions.
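
The filtering idea in Comment 4, modelled as an added Ruby example (not ManageIQ code and not part of this bug's discussion): a dynamic dialog value list built without the requester's tag filters, next to the same list passed through a filter helper. `CloudTenant`, `User`, `rbac_filter`, the `tenant_choices_*` methods and the tag strings are hypothetical and constructed; the filter semantics (at least one tag from every filter group, empty filter means unrestricted, no user means nothing visible) are an assumption of this model.

```ruby
require 'set'

# Hypothetical stand-ins for the real models; none of these names are ManageIQ APIs.
CloudTenant = Struct.new(:id, :name, :tags)
User        = Struct.new(:userid, :tag_filters)

# Constructed inventory for the example.
TENANTS = [
  CloudTenant.new(1, 'admin',    Set['/managed/environment/prod']),
  CloudTenant.new(2, 'dev-team', Set['/managed/department/engineering']),
  CloudTenant.new(3, 'qa-team',  Set['/managed/department/engineering',
                                     '/managed/environment/test'])
].freeze

# Reported behaviour: the dialog method ignores the requester and lists everything.
def tenant_choices_unfiltered(_user)
  TENANTS.to_h { |t| [t.id, t.name] }
end

# Assumed semantics: tag_filters is a list of groups; an object is visible when
# it carries at least one tag from every group. An empty list means unrestricted.
# A missing user context fails closed: nothing is visible.
def rbac_filter(objects, user)
  return [] if user.nil?

  # Accept a single object or an array (Array() would unpack a Struct, so wrap instead).
  [objects].flatten.select do |obj|
    user.tag_filters.all? { |group| group.any? { |tag| obj.tags.include?(tag) } }
  end
end

# Expected behaviour: the same dialog values, restricted to what the requester may see.
def tenant_choices_filtered(user)
  rbac_filter(TENANTS, user).to_h { |t| [t.id, t.name] }
end

RESTRICTED   = User.new('eng_user', [['/managed/department/engineering']])
UNRESTRICTED = User.new('admin', [])

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: #{tenant_choices_unfiltered(RESTRICTED).values.inspect}"
  puts "filtered:   #{tenant_choices_filtered(RESTRICTED).values.inspect}"
end
```
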
Comment 7 CFME Bot 2016-10-20 17:06:14 EDT
New commit detected on ManageIQ/manageiq/master:

commit ca856952a8e5258a0348ce9d10bce9599b106aa6
Author:     Madhu Kanoor <mkanoor@redhat.com>
AuthorDate: Tue Sep 27 15:39:45 2016 -0400
Commit:     Madhu Kanoor <mkanoor@redhat.com>
CommitDate: Thu Oct 20 12:02:56 2016 -0400

    RBAC for service models
    Filters service model objects based on the current user passed into

 lib/miq_automation_engine/engine/miq_ae_service.rb |  3 +
 .../engine/miq_ae_service/miq_ae_service_rbac.rb   | 53 +++++++++++++
 .../engine/miq_ae_service_model_base.rb            | 10 ++-
 .../engine/miq_ae_workspace.rb                     | 28 +++++++
 .../engine/drb_remote_invoker_spec.rb              |  4 +-
 .../engine/miq_ae_method_spec.rb                   |  3 +
 .../engine/miq_ae_service_rbac_spec.rb             | 87 ++++++++++++++++++++++
 .../miq_automation_engine/miq_ae_service_spec.rb   | 12 ++-
 8 files changed, 194 insertions(+), 6 deletions(-)
 create mode 100644 lib/miq_automation_engine/engine/miq_ae_service/miq_ae_service_rbac.rb
 create mode 100644 spec/lib/miq_automation_engine/engine/miq_ae_service_rbac_spec.rb
Comment 11 Shveta 2017-04-27 18:21:18 EDT
Fixed.
Verified in
