Red Hat Bugzilla – Bug 1411477
Heat Template provisioning does not honor Tagging filtering
Last modified: 2017-04-12 10:33:56 EDT
New commit detected on ManageIQ/manageiq/euwe: https://github.com/ManageIQ/manageiq/commit/c180299f056015b1d11e0ec6a1ce82db95493ad4 commit c180299f056015b1d11e0ec6a1ce82db95493ad4 Author: Greg McCullough <gmccullo@redhat.com> AuthorDate: Mon Dec 5 09:59:53 2016 -0500 Commit: Satoe Imaishi <simaishi@redhat.com> CommitDate: Mon Jan 9 14:55:41 2017 -0500 Merge pull request #12369 from mkanoor/rbac_tres RBAC support for Automate Service Models (cherry picked from commit b2cd6253905150f3a72d6da98cf0a1b3d8dc91b3) https://bugzilla.redhat.com/show_bug.cgi?id=1411477 .../engine/drb_remote_invoker.rb | 11 +++ lib/miq_automation_engine/engine/miq_ae_service.rb | 5 ++ .../engine/miq_ae_service/miq_ae_service_rbac.rb | 47 ++++++++++++ .../engine/miq_ae_service_model_base.rb | 9 ++- .../engine/miq_ae_workspace.rb | 28 +++++++ .../engine/drb_remote_invoker_spec.rb | 4 +- .../engine/miq_ae_method_spec.rb | 3 + .../miq_ae_service/miq_ae_service_rbac_spec.rb | 87 ++++++++++++++++++++++ .../miq_automation_engine/miq_ae_service_spec.rb | 13 +++- 9 files changed, 201 insertions(+), 6 deletions(-) create mode 100644 lib/miq_automation_engine/engine/miq_ae_service/miq_ae_service_rbac.rb create mode 100644 spec/lib/miq_automation_engine/engine/miq_ae_service/miq_ae_service_rbac_spec.rb
Fixed via https://github.com/ManageIQ/manageiq/pull/12369 which has been back ported to EUWE
Created attachment 1244936 [details] all tenants
All tenants are shown not just the tagged one . Please check https://10.8.199.137. User :shveta/redhat
This is not supposed to work out of the box. RBAC is an optional feature and needs to be enabled in Automate methods to filter out items based on the current tenant. In the Automate method if you want to enable RBAC you would have to use $evm.enable_rbac If we enable RBAC by default a lot of customer defined automate method could start to fail. At some later release we will enable RBAC by default.
Method used ===================== # # Description: provide the dynamic list content from available tenants # stack_list = {nil => "<default>"} $evm.enable_rbac $evm.vmdb('orchestration_stack').all do |os| stack_list[os.id] = os.name end dialog_field = $evm.object # sort_by: value / description / none dialog_field["sort_by"] = "description" # sort_order: ascending / descending dialog_field["sort_order"] = "ascending" # data_type: string / integer dialog_field["data_type"] = "string" # required: true / false dialog_field["required"] = "false" dialog_field["values"] = stack_list dialog_field["default_value"] = nil ================================ 1) Created a dialog that uses the above method. 2) Created Two tenants :tenant_1 and tenant2 . 3) Login with tenant_1 (risha/redhat) , Order catalogitem 'tenancy' the dropdown does not show stacks for tenant_1 Appliance : https://10.8.199.189
Not working with VM's . ==================Method used=================== # # Description: provide the dynamic list content from available tenants # vm_list = {nil => "<default>"} $evm.enable_rbac $evm.log(:info, "VM List") all_vms = $evm.vmdb('vm').all $evm.log(:info, "Count #{all_vms.count}") all_vms.each do |item| $evm.log(:info, "item #{item.inspect}") #vm_list[item.id] = item.name end dialog_field = $evm.object # sort_by: value / description / none dialog_field["sort_by"] = "description" # sort_order: ascending / descending dialog_field["sort_order"] = "ascending" # data_type: string / integer dialog_field["data_type"] = "string" # required: true / false dialog_field["required"] = "false" dialog_field["values"] = vm_list dialog_field["default_value"] = nil
There seems to be a bug in RBAC, when we enable RBAC using $evm.enable_rbac We get a RBAC error <code: credentials.each do |item|>:38:in `fetch_list_data' <code: fill_dialog_field(fetch_list_data)>:18:in `main' [----] E, [2017-02-20T16:53:38.087908 #5140:3fe5a4f8baf0] ERROR -- : Method STDERR: (druby://127.0.0.1:54665) /Users/xxxxx/devsrc/manageiq/lib/rbac/filterer.rb:201:in `collect': undefined method `id' for "bd-test-change":String (NoMethodError) [----] E, [2017-02-20T16:53:38.088394 #5140:3fe5a4f8baf0] ERROR -- : Method STDERR: from (druby://127.0.0.1:54665) /Users/xxxx/devsrc/manageiq/lib/rbac/filterer.rb:201:in `search' The sample Automate method looks like $evm.enable_rbac all_vms = $evm.vmdb('vm').all all_vms.each do |item| vm_list[item.id] = item.name end When we iterate over each item it blows up
Sure , no problem . I will look into it when it comes to ON_QA now.
Hi Shevta, https://bugzilla.redhat.com/show_bug.cgi?id=1431822 Addresses the concerns in this ticket. I have create a PR for it which has been merged. In the next build you should be able to validate this ticket. Thanks, Madhu
The PR for https://bugzilla.redhat.com/show_bug.cgi?id=1431822 has been merged please retest
Verification steps : ======================= Method : # # Description: provide the dynamic list content from available tenants # vm_list = {nil => "<default>"} $evm.enable_rbac $evm.log(:info, "VM List") all_vms = $evm.vmdb('vm').all $evm.log(:info, "Count #{all_vms.count}") all_vms.each do |item| $evm.log(:info, "item #{item.inspect}") vm_list[item.id] = item.name end dialog_field = $evm.object # sort_by: value / description / none dialog_field["sort_by"] = "description" # sort_order: ascending / descending dialog_field["sort_order"] = "ascending" # data_type: string / integer dialog_field["data_type"] = "string" # required: true / false dialog_field["required"] = "false" dialog_field["values"] = vm_list dialog_field["default_value"] = nil ================================ Create a tenant and a user assigned to that tenant. Create a dialog using above method .Call the dialog in a catalog item. User should see VM's owned by this tenant in dropdown list .
Verified in 5.7.2.0.20170321181409_349f1b1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:0898