Bug 1418961 - Dashbord and Report information not filtered by Tenancy
Summary: Dashbord and Report information not filtered by Tenancy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Reporting
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: GA
: 5.8.0
Assignee: Libor Pichler
QA Contact: Pavol Kotvan
URL:
Whiteboard: tenant:report
Depends On:
Blocks: 1431168 1432198
TreeView+ depends on / blocked
 
Reported: 2017-02-03 09:34 UTC by Krain Arnold
Modified: 2020-06-11 13:16 UTC (History)
12 users (show)

Fixed In Version: 5.8.0.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1431168 1432198 (view as bug list)
Environment:
Last Closed: 2017-06-12 16:17:52 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Attachments (Terms of Use)
Tenant User A Dashboard (127.30 KB, image/png)
2017-02-03 22:11 UTC, Gregg Tanzillo
no flags Details
Super admin dashboard (471.50 KB, image/png)
2017-02-03 22:11 UTC, Gregg Tanzillo
no flags Details

Description Krain Arnold 2017-02-03 09:34:05 UTC
Description of problem:
The Tenancy model correctly limits the view of the tenant user under the Compute menu to only see VMs in that Tenant. However, the Widgets on the dashboard show all workloads; the view does not differ from SuperAdmin.

Version-Release number of selected component (if applicable):
4.2

How reproducible:
100%

Steps to Reproduce:
1. Create a bunch of VMs as SuperAdmin
2.Create a Tenant, and an appropriate role, user, and group.
3. Log in as the new tenant user and deploy some virtual machines
4. View all virtual machines under the Compute menu. Only the machines that were deployed by the tenant user are visible.
5. Observe the Dashboard once the data are populated. 

Actual results:
The widgets (and obviously the reports the widgets are based on) show information for all workloads, including those outside of the tenant, even those that existed before the tenant was even created. For example, the top cpu consumers show VMs that were deployed as SuperAdmin.

Expected results:
Reporting data should be limited to the data that the tenant is permitted to see in the same manner the full list of workloads is limited.

Additional info:
This has particular significance for our service provider/hosting customers, who may want to use tenancy to compartmentalize two customers. Showing customers information about other customers' infrastructure is obviously an issue.

Comment 2 Gregg Tanzillo 2017-02-03 22:11:07 UTC
Created attachment 1247585 [details]
Tenant User A Dashboard

Comment 3 Gregg Tanzillo 2017-02-03 22:11:45 UTC
Created attachment 1247586 [details]
Super admin dashboard

Comment 4 Gregg Tanzillo 2017-02-03 22:16:44 UTC
This seems to be working properly. I tried to recreate the reported issue however, the widgets for a user that is a member of a group that belongs to a child tenant of the default tenant saw no VMs on his dashboard widgets. The RBAC of the group in the child tenant was used while generating widgets for users of that group.

I performed the following steps -
1. As super admin, added a new provider and did a refresh. All inventory created was assigned to the default tenant.
2. As super admin, created a new tenant named "Tenant A".
3. As super admin, created a new group named "Tenant A Group" belonging to tenant "Tenant A". Assigned the role "EvmRole-user" to the new group.
4. As super admin, created a new user named "Tenant a User" and assigned him to group "Tenant A Group".
5. Logged in as "Tenant A User" and observed that no VMs were visible on any widgets. (See first attachment)
6. As super admin, observed VMs appearing on widgets. (See second attachment)

Comment 5 Eric Wannemacher 2017-02-16 18:55:19 UTC
Not my ticket originally and I haven't reproduced on 4.2, but in 4.1 I am seeing this behavior and I could not find a BZ reporting the problem.

Some reports like User Accounts - Linux seem to filter correctly.

Host Summary with VM info is showing my sub tenant all of the VMs on the system. Even for peer tenants.

The report VM Disk usage is showing me 6/8 VMs, none of which are owned by my subtenant, but interestingly I am not seeing the VM that is a part of my tenant org.

Comment 8 Krain Arnold 2017-02-17 10:52:07 UTC
Due to some PII concerns, I had to unfortunately upload the example screenshots as private, but take a look at the two images. The first shows the Operations tenant member's view under Compute/Infrastructure/Virtual Machines. We see what we should, only what we've provisioned.

The second shows the dashboard. I've seen this manifest in different ways, but in this example, notice what the user can see under EVM: Recently Discovered VMs. He can see his two VMs, some VMs that were provisioned by Admin before the tenant even existed, and VMs belonging to another Tenant, Consulting. 

Does this accurately demonstrate the issue?

Comment 9 Eric Wannemacher 2017-02-17 20:48:25 UTC
It looks like it may be the reports based upon "Performance - VMs" that are not filtering by tenant.


Note You need to log in before you can comment on or make changes to this bug.