Description of problem:
The dialog for creating cloud volumes (Cinder provider) does not filter cloud tenants for the user. In this way users can create storage volumes in any tenant, not only in their own tenant. The user can select any cloud tenant placement, not only his own tenant, when using "Add new cloud volume".

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create more users, each with a tenant
2. Add new cloud volume
3. Select any tenant from the placement list

Actual results:
Tenant is not filtered.

Expected results:
Filter tenant.

Additional info:
Hi Guys. I found that the problem has much greater coverage. The user can perform any operation on the cloud volumes from other tenants. Apparently the limitations of the tenants do not work for Storage Providers. The user can create, attach, and detach any cloud volume from/to any instances in the cloud (OpenStack) provider, not only in his own tenant. In this case, I have to completely turn off this functionality (cloud volumes management by CFME users) to avoid data loss.
CVE assigned, do we have an ETA on when we can fix this?
In an environment with multiple OpenStack Regions, CFME displays a cloud tenant multiple times, for each OpenStack Keystone region. In this way this line of code does not work for multi-region environments:

https://github.com/lpichler/manageiq/blob/fce2cbfd43bff2fc540424a458fbaa6c86557244/app/controllers/cloud_volume_controller.rb#L267

because the hash value for the same tenant name gets the last selected tenant id from the CloudTenants array, and not all tenants are displayed. To work correctly there should be some additional value for the Cloud Tenant Region (for MIQ it is just another provider - ext_management_system), like this:

Rbac.filtered(CloudTenant).each { |tenant| @cloud_tenant_choices["#{tenant.name} - #{tenant.ext_management_system.name}"] = tenant.id }
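
The name collision described in the last comment, shown on constructed data as an added example (not code from the report or from ManageIQ). The `Provider` and `Tenant` structs and `visible_tenants` are hypothetical stand-ins for `ext_management_system`, `CloudTenant` and `Rbac.filtered`; the server-side id check is an assumption added here, not something the thread proposes.

```ruby
# Constructed stand-ins for the records named in the comment above;
# these are not ManageIQ classes.
Provider = Struct.new(:name)
Tenant   = Struct.new(:id, :name, :ext_management_system)

# Constructed sample: one tenant name seen through two Keystone regions,
# each region registered as a separate provider.
REGION_ONE = Provider.new("openstack-region-one")
REGION_TWO = Provider.new("openstack-region-two")
TENANTS = [
  Tenant.new(101, "engineering", REGION_ONE),
  Tenant.new(202, "engineering", REGION_TWO),
  Tenant.new(303, "finance",     REGION_ONE)
].freeze

# Hypothetical stand-in for Rbac.filtered(CloudTenant): keep only the
# tenants whose ids the current user is entitled to see.
def visible_tenants(tenants, allowed_ids)
  tenants.select { |t| allowed_ids.include?(t.id) }
end

# Keyed by name only: the second "engineering" overwrites the first,
# so one region's tenant disappears from the placement list.
def choices_by_name(tenants)
  tenants.each_with_object({}) { |t, h| h[t.name] = t.id }
end

# Keyed by name plus provider name, as proposed in the comment.
def choices_by_name_and_provider(tenants)
  tenants.each_with_object({}) do |t, h|
    h["#{t.name} - #{t.ext_management_system.name}"] = t.id
  end
end

# Assumption added here: the create action re-checks the submitted id
# against the choices built for this user, so hiding an entry in the
# form is not the only control.
def permitted_tenant_id?(choices, submitted_id)
  choices.value?(submitted_id.to_i)
end

if __FILE__ == $PROGRAM_NAME
  shown = visible_tenants(TENANTS, [101, 202])
  p choices_by_name(shown)              # one entry survives
  p choices_by_name_and_provider(shown) # both regions listed
end
```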