Bug 1433084 - Policy to exclude a VM from analysis shows as false but scanning is still happening
Summary: Policy to exclude a VM from analysis shows as false but scanning is still hap...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Control
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: GA
: 5.8.0
Assignee: Lucy Fu
QA Contact: Dmitry Misharov
URL:
Whiteboard:
Depends On:
Blocks: 1433435 1434965
TreeView+ depends on / blocked
 
Reported: 2017-03-16 18:15 UTC by Jared Deubel
Modified: 2020-04-15 15:30 UTC (History)
7 users (show)

Fixed In Version: 5.8.0.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1433435 1434965 (view as bug list)
Environment:
Last Closed: 2017-06-12 17:10:05 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
1 (18.69 KB, image/png)
2017-03-16 18:15 UTC, Jared Deubel 		no flags Details
View All

Description Jared Deubel 2017-03-16 18:15:31 UTC 
Created attachment 1263823 [details]
1

Description of problem:
When setting up a policy that will exclude a VM from being analyzed the simulation shows that the condition is true, but the actual execution of the analysis shows the condition as false and the analysis continues. I have attached some screenshots of the policy, the exclusion tag the simulation and the execution. Also I attached logs from the worker that ran the smartstate analysis.

Version-Release number of selected component (if applicable):
5.7
Comment 2 myoder 2017-03-16 19:04:20 UTC 
I have a similar case hitting this issue too.  The control policy worked for 3.2, but does not appear to be working for 4.1 or 4.2.  I will attach the policy and the policy.log to the case.
Comment 5 CFME Bot 2017-03-16 22:21:39 UTC 
https://github.com/ManageIQ/manageiq/pull/14370
Comment 6 CFME Bot 2017-03-17 16:01:37 UTC 
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/dc64ef6e88ac43c49b97277498b20161d9b8f68e

commit dc64ef6e88ac43c49b97277498b20161d9b8f68e
Author:     Lucy Fu <lufu>
AuthorDate: Thu Mar 16 18:09:55 2017 -0400
Commit:     Lucy Fu <lufu>
CommitDate: Fri Mar 17 08:38:55 2017 -0400

    Add the logic to allow a policy to prevent request_vm_scan.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1433084

 app/models/vm_or_template/scanning.rb | 28 +++++++++++-----------------
 spec/models/vm_scan_spec.rb           | 17 ++++++++++++++---
 spec/models/vm_spec.rb                | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 60 insertions(+), 20 deletions(-)
Comment 7 CFME Bot 2017-03-17 16:01:42 UTC 
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/89b85a7505e7c945f14fbe5caf4beacd85bc77cc

commit 89b85a7505e7c945f14fbe5caf4beacd85bc77cc
Author:     Lucy Fu <lufu>
AuthorDate: Fri Mar 17 08:25:17 2017 -0400
Commit:     Lucy Fu <lufu>
CommitDate: Fri Mar 17 09:11:49 2017 -0400

    Call vm.raw_scan to bypass checking the prevent policy.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1433084

 spec/models/job_proxy_dispatcher_embedded_scan_spec.rb   |  2 +-
 ...proxy_dispatcher_get_eligible_proxies_for_job_spec.rb |  2 +-
 spec/models/job_proxy_dispatcher_spec.rb                 | 16 ++++++++--------
 spec/models/job_proxy_dispatcher_vm_proxies4job_spec.rb  |  2 +-
 spec/models/job_spec.rb                                  |  4 ++--
 5 files changed, 13 insertions(+), 13 deletions(-)
Comment 12 Dmitry Misharov 2017-03-23 09:16:04 UTC 
Verified in 5.8.0.7.20170321164727_1c97ccd. I created policy which prevents analysis of any VM that is tagged as Do Not Analyze. It works correctly for a vm which was tagged "Do Not Analyze".
Note You need to log in before you can comment on or make changes to this bug.