Description of problem:
Having a number of dashboard widgets which show OpenStack utilization and chargeback to users. With CFME 5.7.1.3, users are only shown performance information for instances in tenants they have access to. After the upgrade to 5.7.2.1, users are able to see instances in other tenants they do not have access to.

Our access model is:
* A single user role "VMUser", which has the VM Template Access Restriction set to "Only User or Group Owned"
* CFME groups are created that align with OSP tenants. E.g. an OSP tenant named "myTenant" will have a corresponding CFME group named "myTenant". This group will have the role "VMUser"
* On discovery, a CFME control policy sets the instance group to the tenant in which it resides

In addition, we use the following to provide chargeback:
* Created a CFME 'Project' tag corresponding to each tenant. E.g. an OSP tenant "myTenant" will have a CFME "project" tag "myTenant"
* On discovery, instances are tagged with the "project" tag corresponding to the tenant in which they reside
* Chargeback reports are created based on "Project" tags for each OSP tenant

Every time, though only with CFME 5.7.2.1. We have verified the behavior by downgrading the CFME appliance with the "Reporting" role to 5.7.1.3, and confirming that the behavior is restricted to 5.7.2.1.

Version-Release number of selected component (if applicable):
CFME 5.7.2.1

How reproducible:
See below.

Steps to Reproduce:
1. Create a tag named "Project/myTenant"
2. Create a group named "myTenant"
3. Add a user to the group
4. Create a VM
5. Tag the VM with "Projects/myTenant"
6. Set the VM group to "my Tenant":
   irb(main)> miq_group = $evm.vmdb(:miq_group).find_by_description("myTenant")
   irb(main)> vm = $evm.vmdb(:vm).find_by_name("newVM")
   irb(main)> vm.group = miq_group
7. Create a VM performance report with the following parameters:
   * Base the report on: Performance - VMs
   * Performance interval: Daily
   * Averages based on: Performance Interval
8. Select the following fields:
   * Asset name
   * Activity Sample - Day (MM DD YY)
   * Derived Vm Numvcpus
   * CPU - Usage Rate for Collected Intervals (%)
   * VM and Instance: CPU Recommendation
9. Under the "Performance Timeframe" set "Show hourly data from" to "Yesterday going back 1 week", and "Time Profile" to "UTC". Set the following Primary Record Filter:
   (NOT(Performance - VM:CPU - Usage Rate for Collected Intervals (%)=0) AND Performance - VM.VM and Instance:Archived="false")
10. Create a new dashboard widget based on the report
   * For the filter, select the user's current group, and select the name of the new report
   * Column 1: Instance
   * Column 2: Derived Vm Numvcpus
   * Column 3: CPU - Usage Rate for Collected Intervals (%)
   * Column 4: VM and Instance: CPU Recommendation
11. Generate the dashboard widget content
12. Log in to CloudForms as the user in "myTenant", select the group "myTenant", add the widget to the dashboard, and verify that the user can see additional VMs in the widget. Contrast this with a user who does not have access to the VM.

Actual results:
Users are able to see instances in other tenants they do not have access to.

Expected results:
Users shouldn't be able to see instances in other tenants they do not have access to.

Additional info:
We have verified the behavior by downgrading the CFME appliance with the "Reporting" role to 5.7.1.3, and confirming that the behavior is restricted to 5.7.2.1.
Thanks for the detailed bug report. We're trying to recreate this locally and have a few questions:

1) Can you give more details about the tenant hierarchy? We ask because users in a tenant should be able to see VMs owned by that tenant and all children (and children of children) tenants. If tenant A has a subtenant B, any user in tenant A can see VMs in A and B without any further RBAC filtering.

2) We see a VM was tagged with "Project/myTenant" but noticed that the group wasn't restricted to see only VMs with that tag. It's not clear how tagging the VM is related. Was there a step missing where the group has filtering by tags?

3) What type of role was assigned to the group? Is it a super admin?
Hi Joe,

Please see the answers in line.

1) Can you give more details about the tenant hierarchy? We ask because users in a tenant should be able to see VMs owned by that tenant and all children (and children of children) tenants. If tenant A has a subtenant B, any user in tenant A can see VMs in A and B without any further RBAC filtering.
=> I believe you can test this with a setup where the master tenant has 2 subtenants, A and B. So hierarchically subtenants A and B are at the same level under the master tenant.

2) We see a VM was tagged with "Project/myTenant" but noticed that the group wasn't restricted to see only VMs with that tag. It's not clear how tagging the VM is related. Was there a step missing where the group has filtering by tags?
=> CFME groups are created that align with OSP tenants. E.g. an OSP tenant named "myTenant" will have a corresponding CFME group named "myTenant". Please refer to the attached screenshots.

3) What type of role was assigned to the group? Is it a super admin?
=> A single user role "VMUser", which has the VM Template Access Restriction set to "Only User or Group Owned".
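To make the access rule under discussion concrete, here is an added example (not ManageIQ/CFME code and not part of this bug thread) that models the visibility rule the two comments above describe: a viewer may see a VM if it is owned by their group ("Only User or Group Owned") or if it sits in their tenant or a descendant tenant. The tenant tree (master with sibling subtenants A and B), the VMs and the users are constructed sample data; the widget that skips the filter stands in for the class of defect the report describes, and rbac_leak is the check a regression test would run over a widget's rows.

```ruby
# Added example, not ManageIQ code: a minimal model of report/widget RBAC.
Tenant = Struct.new(:name, :parent)
Vm     = Struct.new(:name, :tenant, :group)
User   = Struct.new(:name, :group, :tenant)

# Constructed tenant tree: master -> A, master -> B (A and B are siblings).
MASTER   = Tenant.new("master", nil)
TENANT_A = Tenant.new("A", MASTER)
TENANT_B = Tenant.new("B", MASTER)

# Constructed VMs: one owned by group "A" in tenant A, one by group "B" in tenant B.
SAMPLE_VMS = [
  Vm.new("newVM",   TENANT_A, "A"),
  Vm.new("otherVM", TENANT_B, "B")
]

# Constructed viewers: a user in group/tenant A and an admin at the master tenant.
USER_A      = User.new("alice", "A", TENANT_A)
MASTER_USER = User.new("root",  "master", MASTER)

# True if `tenant` is `ancestor` itself or lies anywhere below it in the tree.
def descendant_or_self?(tenant, ancestor)
  t = tenant
  while t
    return true if t == ancestor
    t = t.parent
  end
  false
end

# The filter a report or widget generator must apply before rendering rows:
# own-group ownership, or tenant hierarchy (own tenant and all descendants).
def visible_vms(vms, user)
  vms.select do |vm|
    vm.group == user.group || descendant_or_self?(vm.tenant, user.tenant)
  end
end

# Correct widget: rows are produced from the RBAC-filtered set.
def widget_rows(vms, user)
  visible_vms(vms, user).map(&:name)
end

# Defective widget: rows are produced from the unfiltered set (the symptom in
# this report, where the viewer saw VMs from tenants they cannot access).
def unfiltered_widget_rows(vms, _user)
  vms.map(&:name)
end

# Regression check: names in `rows` that the viewer is not allowed to see.
def rbac_leak(rows, user, vms)
  rows - visible_vms(vms, user).map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  puts "filtered:   #{widget_rows(SAMPLE_VMS, USER_A).inspect}"
  puts "unfiltered: #{unfiltered_widget_rows(SAMPLE_VMS, USER_A).inspect}"
  puts "leak:       #{rbac_leak(unfiltered_widget_rows(SAMPLE_VMS, USER_A), USER_A, SAMPLE_VMS).inspect}"
end
```

Running the script shows the filtered widget returning only "newVM" for the tenant-A user while the unfiltered one also returns "otherVM"; rbac_leak reports that extra row, and a user at the master tenant sees both because A and B are its descendants. A check of this shape, run against generated widget content for a low-privilege group, is what catches this regression before an upgrade ships.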
Created attachment 1277465 [details] screenshot for group tag1
Created attachment 1277466 [details] screenshot for group tag2
Per comment 9, thanks Ruslana, this is not an issue on 5.8 therefore I nack'd 5.8(.z) release flags and set 5.7.z
Hi all, I should update the status of this issue for the 5.8 build. Libor provided me a 5.8 appliance where this issue can be reproduced. It is https://10.8.197.110/ I double checked this appliance, and this issue reproduces on the 5.8 build. Libor already has a fix for this issue.
PR: https://github.com/ManageIQ/manageiq/pull/15088