Red Hat Bugzilla – Bug 1468795
tenant_administrator role can modify quotas of his own Tenant
Last modified: 2017-08-03 10:33:56 EDT
Description of problem:
In a multi-tenant environment with nested tenants, if a tenant admin of Tenant Alpha sets a quota on his child Tenant Omega, the tenant admin of Tenant Omega can edit those rules, escaping the limitations imposed.
Version-Release number of selected component (if applicable):
Verified since CFME 4.2, still present in CFME 4.5
Steps to Reproduce:
1. Create tenant Alpha
2. Create tenant-admin-alpha (role EvmRole-tenant-administrator) for Alpha
3. Create child tenant of Alpha, named Omega
4. Create tenant-admin-omega (role EvmRole-tenant-administrator) for Omega
5. tenant-admin-alpha sets quotas on CPU, Memory for tenant Omega
6. tenant-admin-omega logs into CFME and CAN EDIT or turn off the quotas imposed by tenant-admin-alpha
Actual results:
A user with Tenant-admin can change the existing quotas of the Tenant he administers, nullifying the rules set by the tenant-admin of the Superior-Tenant
Expected results:
Quotas, once set, are only editable by the tenant-admin of the parent-Tenant.
tenant-admin can only see the quota of his tenant.
Yes, Omega/Reseller can modify quotas because managing quotas is allowed in his role EvmRole-tenant_administrator by default.
So I am suggesting creating a special role for the Omega/Reseller and disabling 'Manage Quotas' (see attachment).
Does this solve the issue?
I've tested on a CFME 126.96.36.199.20170525183055_6317a22 and effectively it works, but only for tenant-admin-omega, who will never have a child tenant.
tenant-admin-alpha can modify *both* tenants' quotas: Omega and Alpha. This is the behaviour that we want changed.
The required behaviour is that `tenant-admin-alpha` could only change quotas on Omega (child tenants) and not for his own tenant (parent one).
The use case is the one where an ISP sells resources to Alpha, and Alpha resells resources to Omega.
ISP (global admin) has to be able to edit quota on all his children (Alpha, Omega).
Alpha (tenant admin) has to be able to edit quota on all his children (Omega).
I'll pass this to the customer and let you know if that is enough.
Hope this clarifies the request better.
Thanks a lot
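The difference between the reported and the requested quota rule, as an added Ruby example that is not part of the bug thread and is not CFME code. `Tenant`, `User`, `above?`, the two check methods, the `:manage_quotas` symbol and the ISP > Alpha > Omega hierarchy are all hypothetical names and constructed data.

```ruby
# Hypothetical model: Tenant, User and both checks are illustrative names,
# not CFME/ManageIQ classes. The hierarchy below is constructed sample data.
Tenant = Struct.new(:name, :parent) do
  # Strict ancestors, nearest first; the tenant itself is never included.
  def ancestors
    parent ? [parent] + parent.ancestors : []
  end
end
User = Struct.new(:name, :tenant, :features)

def above?(user, target)
  target.ancestors.any? { |t| t.equal?(user.tenant) }
end

# Behaviour described in the report: with the quota feature in the role, an
# admin can edit the quota of their own tenant as well as of child tenants.
def can_edit_quota_reported?(user, target)
  user.features.include?(:manage_quotas) &&
    (target.equal?(user.tenant) || above?(user, target))
end

# Requested behaviour: the feature is still required, but the admin's tenant
# must sit strictly above the target, so a quota set by the parent sticks.
# Assumption: the root tenant's own quota is handled outside this check.
def can_edit_quota?(user, target)
  user.features.include?(:manage_quotas) && above?(user, target)
end

ISP   = Tenant.new("ISP", nil)
ALPHA = Tenant.new("Alpha", ISP)
OMEGA = Tenant.new("Omega", ALPHA)
ADMINS = {
  isp:   User.new("global-admin", ISP, [:manage_quotas]),
  alpha: User.new("tenant-admin-alpha", ALPHA, [:manage_quotas]),
  omega: User.new("tenant-admin-omega", OMEGA, [:manage_quotas])
}

# Returns { admin => [names of tenants whose quota that admin may edit] }.
def editable_matrix(check)
  ADMINS.transform_values do |user|
    [ISP, ALPHA, OMEGA].select { |t| send(check, user, t) }.map(&:name)
  end
end

puts "reported:  #{editable_matrix(:can_edit_quota_reported?)}"
puts "requested: #{editable_matrix(:can_edit_quota?)}"
```

Under the requested rule a single role can keep 'Manage Quotas' enabled for every tenant admin, because the tenant hierarchy rather than the role decides whose quota is editable.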