Bug 1411477 - Heat Template provisioning does not honor Tagging filtering
Summary: Heat Template provisioning does not honor Tagging filtering
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Provisioning
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: GA
: 5.7.2
Assignee: mkanoor
QA Contact: Shveta
URL:
Whiteboard: openstack:provision:tag:filter
Depends On: 1306274
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-09 19:54 UTC by Satoe Imaishi
Modified: 2017-04-12 14:33 UTC (History)
8 users (show)

Fixed In Version: 5.7.1.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1306274
Environment:
Last Closed: 2017-04-12 14:33:56 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Attachments (Terms of Use)
all tenants (96.45 KB, image/png)
2017-01-27 04:19 UTC, Shveta
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0898 0 normal SHIPPED_LIVE Moderate: cfme, cfme-appliance, and cfme-gemset security, bug fix, and enhancement update 2017-04-12 18:31:08 UTC

Comment 2 CFME Bot 2017-01-09 20:00:50 UTC
New commit detected on ManageIQ/manageiq/euwe:
https://github.com/ManageIQ/manageiq/commit/c180299f056015b1d11e0ec6a1ce82db95493ad4

commit c180299f056015b1d11e0ec6a1ce82db95493ad4
Author:     Greg McCullough <gmccullo@redhat.com>
AuthorDate: Mon Dec 5 09:59:53 2016 -0500
Commit:     Satoe Imaishi <simaishi@redhat.com>
CommitDate: Mon Jan 9 14:55:41 2017 -0500

    Merge pull request #12369 from mkanoor/rbac_tres
    
    RBAC support for Automate Service Models
    (cherry picked from commit b2cd6253905150f3a72d6da98cf0a1b3d8dc91b3)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1411477

 .../engine/drb_remote_invoker.rb                   | 11 +++
 lib/miq_automation_engine/engine/miq_ae_service.rb |  5 ++
 .../engine/miq_ae_service/miq_ae_service_rbac.rb   | 47 ++++++++++++
 .../engine/miq_ae_service_model_base.rb            |  9 ++-
 .../engine/miq_ae_workspace.rb                     | 28 +++++++
 .../engine/drb_remote_invoker_spec.rb              |  4 +-
 .../engine/miq_ae_method_spec.rb                   |  3 +
 .../miq_ae_service/miq_ae_service_rbac_spec.rb     | 87 ++++++++++++++++++++++
 .../miq_automation_engine/miq_ae_service_spec.rb   | 13 +++-
 9 files changed, 201 insertions(+), 6 deletions(-)
 create mode 100644 lib/miq_automation_engine/engine/miq_ae_service/miq_ae_service_rbac.rb
 create mode 100644 spec/lib/miq_automation_engine/engine/miq_ae_service/miq_ae_service_rbac_spec.rb

Comment 3 mkanoor 2017-01-11 14:40:31 UTC
Fixed via https://github.com/ManageIQ/manageiq/pull/12369 which has been back ported to EUWE

Comment 4 Shveta 2017-01-27 04:19:05 UTC
Created attachment 1244936 [details]
all tenants

Comment 5 Shveta 2017-01-27 04:19:42 UTC
All tenants are shown not just the tagged one .
Please check https://10.8.199.137.
User :shveta/redhat

Comment 6 mkanoor 2017-02-15 21:51:40 UTC
This is not supposed to work out of the box.
RBAC is an optional feature and needs to be enabled in Automate methods to filter out items based on the current tenant.

In the Automate method if you want to enable RBAC you would have to use

$evm.enable_rbac

If we enable RBAC by default a lot of customer defined automate method could start to fail. At some later release we will enable RBAC by default.

Comment 7 Shveta 2017-02-18 00:58:13 UTC
Method used 
=====================
#
# Description: provide the dynamic list content from available tenants
#
stack_list = {nil => "<default>"}

$evm.enable_rbac

$evm.vmdb('orchestration_stack').all do |os|
  stack_list[os.id] = os.name
end

dialog_field = $evm.object

# sort_by: value / description / none
dialog_field["sort_by"] = "description"

# sort_order: ascending / descending
dialog_field["sort_order"] = "ascending"

# data_type: string / integer
dialog_field["data_type"] = "string"

# required: true / false
dialog_field["required"] = "false"

dialog_field["values"] = stack_list
dialog_field["default_value"] = nil

================================

1) Created a dialog that uses the above method.
2) Created Two tenants :tenant_1 and tenant2 . 
3) Login with tenant_1 (risha/redhat) , Order catalogitem 'tenancy' the dropdown does not show stacks for tenant_1 

Appliance :  https://10.8.199.189

Comment 8 Shveta 2017-02-20 22:55:55 UTC
Not working with VM's .
==================Method used===================
#
# Description: provide the dynamic list content from available tenants
#
vm_list = {nil => "<default>"}

$evm.enable_rbac

$evm.log(:info, "VM List")
all_vms = $evm.vmdb('vm').all
$evm.log(:info, "Count #{all_vms.count}")
all_vms.each do |item|
  $evm.log(:info, "item #{item.inspect}")
  #vm_list[item.id] = item.name
end

dialog_field = $evm.object

# sort_by: value / description / none
dialog_field["sort_by"] = "description"

# sort_order: ascending / descending
dialog_field["sort_order"] = "ascending"

# data_type: string / integer
dialog_field["data_type"] = "string"

# required: true / false
dialog_field["required"] = "false"

dialog_field["values"] = vm_list
dialog_field["default_value"] = nil

Comment 9 mkanoor 2017-02-20 22:56:29 UTC
There seems to be a bug in RBAC, when we enable RBAC using
$evm.enable_rbac

We get a RBAC error
<code: credentials.each do |item|>:38:in `fetch_list_data'
<code: fill_dialog_field(fetch_list_data)>:18:in `main'
[----] E, [2017-02-20T16:53:38.087908 #5140:3fe5a4f8baf0] ERROR -- : Method STDERR: (druby://127.0.0.1:54665) /Users/xxxxx/devsrc/manageiq/lib/rbac/filterer.rb:201:in `collect': undefined method `id' for "bd-test-change":String (NoMethodError)
[----] E, [2017-02-20T16:53:38.088394 #5140:3fe5a4f8baf0] ERROR -- : Method STDERR:   from (druby://127.0.0.1:54665) /Users/xxxx/devsrc/manageiq/lib/rbac/filterer.rb:201:in `search'

The sample Automate method looks like

$evm.enable_rbac
all_vms = $evm.vmdb('vm').all
all_vms.each do |item|
  vm_list[item.id] = item.name
end


When we iterate over each item it blows up

Comment 12 Shveta 2017-02-22 22:24:44 UTC
Sure , no problem . 
I will look into it when it comes to ON_QA now.

Comment 14 mkanoor 2017-03-14 15:12:27 UTC
Hi Shevta,
https://bugzilla.redhat.com/show_bug.cgi?id=1431822

Addresses the concerns in this ticket.
I have create a PR for it which has been merged.
In the next build you should be able to validate this ticket.

Thanks,
Madhu

Comment 15 mkanoor 2017-03-16 14:25:45 UTC
The PR for https://bugzilla.redhat.com/show_bug.cgi?id=1431822 has been merged please retest

Comment 16 Shveta 2017-03-20 21:45:38 UTC
Verification steps :
=======================
Method :
#
# Description: provide the dynamic list content from available tenants
#
vm_list = {nil => "<default>"}

$evm.enable_rbac

$evm.log(:info, "VM List")
all_vms = $evm.vmdb('vm').all
$evm.log(:info, "Count #{all_vms.count}")
all_vms.each do |item|
  $evm.log(:info, "item #{item.inspect}")
  vm_list[item.id] = item.name
end

dialog_field = $evm.object

# sort_by: value / description / none
dialog_field["sort_by"] = "description"

# sort_order: ascending / descending
dialog_field["sort_order"] = "ascending"

# data_type: string / integer
dialog_field["data_type"] = "string"

# required: true / false
dialog_field["required"] = "false"

dialog_field["values"] = vm_list
dialog_field["default_value"] = nil

================================
Create a tenant and a user assigned to that tenant. 
Create a dialog using above method .Call the dialog in a catalog item.
User should see VM's owned by this tenant in dropdown list .

Comment 17 Shveta 2017-03-23 05:24:34 UTC
Verified in 5.7.2.0.20170321181409_349f1b1

Comment 19 errata-xmlrpc 2017-04-12 14:33:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0898


Note You need to log in before you can comment on or make changes to this bug.