Description of problem:
The Tenancy model correctly limits the view of the tenant user under the Compute menu to only see VMs in that Tenant. However, the Widgets on the dashboard show all workloads; the view does not differ from SuperAdmin.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a bunch of VMs as SuperAdmin
2. Create a Tenant, and an appropriate role, user, and group.
3. Log in as the new tenant user and deploy some virtual machines
4. View all virtual machines under the Compute menu. Only the machines that were deployed by the tenant user are visible.
5. Observe the Dashboard once the data are populated.
The widgets (and obviously the reports the widgets are based on) show information for all workloads, including those outside of the tenant, even those that existed before the tenant was even created. For example, the top CPU consumers show VMs that were deployed as SuperAdmin.
Reporting data should be limited to the data that the tenant is permitted to see in the same manner the full list of workloads is limited.
This has particular significance for our service provider/hosting customers, who may want to use tenancy to compartmentalize two customers. Showing customers information about other customers' infrastructure is obviously an issue.
Created attachment 1247585
Tenant User A Dashboard
Created attachment 1247586
Super admin dashboard
This seems to be working properly. I tried to recreate the reported issue; however, the widgets for a user that is a member of a group that belongs to a child tenant of the default tenant saw no VMs on his dashboard widgets. The RBAC of the group in the child tenant was used while generating widgets for users of that group.
I performed the following steps -
1. As super admin, added a new provider and did a refresh. All inventory created was assigned to the default tenant.
2. As super admin, created a new tenant named "Tenant A".
3. As super admin, created a new group named "Tenant A Group" belonging to tenant "Tenant A". Assigned the role "EvmRole-user" to the new group.
4. As super admin, created a new user named "Tenant A User" and assigned him to group "Tenant A Group".
5. Logged in as "Tenant A User" and observed that no VMs were visible on any widgets. (See first attachment)
6. As super admin, observed VMs appearing on widgets. (See second attachment)
Not my ticket originally and I haven't reproduced on 4.2, but in 4.1 I am seeing this behavior and I could not find a BZ reporting the problem.
Some reports like User Accounts - Linux seem to filter correctly.
Host Summary with VM info is showing my sub tenant all of the VMs on the system. Even for peer tenants.
The report VM Disk usage is showing me 6/8 VMs, none of which are owned by my subtenant, but interestingly I am not seeing the VM that is a part of my tenant org.
Due to some PII concerns, I had to unfortunately upload the example screenshots as private, but take a look at the two images. The first shows the Operations tenant member's view under Compute/Infrastructure/Virtual Machines. We see what we should, only what we've provisioned.
The second shows the dashboard. I've seen this manifest in different ways, but in this example, notice what the user can see under EVM: Recently Discovered VMs. He can see his two VMs, some VMs that were provisioned by Admin before the tenant even existed, and VMs belonging to another Tenant, Consulting.
Does this accurately demonstrate the issue?
It looks like it may be the reports based upon "Performance - VMs" that are not filtering by tenant.
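The expectation stated in the report (widget and report data limited the same way as the Compute list) can be expressed as a regression check. This is an added example, not part of the ticket and not the product's code; the `Tenant`/`Vm` structs, the function names, the sample VMs and the visibility rule (own tenant plus descendants) are assumptions made for illustration.

```ruby
# Added illustration: hypothetical in-memory model, not the product's code.
require "set"

Tenant = Struct.new(:name, :parent)
Vm     = Struct.new(:name, :tenant, :cpu_pct)

# Assumption: a user may see VMs owned by their tenant or any of its
# descendants, never those of ancestors or peer tenants.
def visible?(vm, user_tenant)
  t = vm.tenant
  while t
    return true if t.equal?(user_tenant)
    t = t.parent
  end
  false
end

# List-view path: what the tenant user sees under the Compute menu.
def visible_vms(vms, user_tenant)
  vms.select { |vm| visible?(vm, user_tenant) }
end

# Report path as described in the ticket: ranks every VM, ignoring the viewer.
def top_cpu_unscoped(vms, _user_tenant, limit = 3)
  vms.max_by(limit, &:cpu_pct)
end

# Report path that applies the list-view filter before ranking.
def top_cpu_scoped(vms, user_tenant, limit = 3)
  visible_vms(vms, user_tenant).max_by(limit, &:cpu_pct)
end

# Regression check: report rows the viewer could not see in the list view.
def leaked_rows(report_rows, vms, user_tenant)
  allowed = visible_vms(vms, user_tenant).map(&:name).to_set
  report_rows.map(&:name).reject { |n| allowed.include?(n) }
end

# Constructed sample data mirroring the thread: admin VMs in the root tenant
# and two peer child tenants.
ROOT       = Tenant.new("Default", nil)
OPERATIONS = Tenant.new("Operations", ROOT)
CONSULTING = Tenant.new("Consulting", ROOT)
VMS = [
  Vm.new("admin-vm-1", ROOT, 91), Vm.new("admin-vm-2", ROOT, 40),
  Vm.new("ops-vm-1", OPERATIONS, 55), Vm.new("ops-vm-2", OPERATIONS, 12),
  Vm.new("cons-vm-1", CONSULTING, 78)
]
```

Running `leaked_rows` against every widget's rows for a tenant user, and failing the build when the result is non-empty, catches report queries that bypass the tenant filter.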