Bug 1468795 - [RFE] tenant_administrator role can modify quotas of his own Tenant
Summary: [RFE] tenant_administrator role can modify quotas of his own Tenant
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: 5.10.0
Assignee: Libor Pichler
QA Contact: Ganesh Hubale
Whiteboard: cfme_tenant:quota:rbac
Depends On:
Blocks: 1468726
Reported: 2017-07-08 01:00 UTC by Andrea Perotti
Modified: 2019-02-07 23:02 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-02-07 23:02:36 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0212 None None None 2019-02-07 23:02:47 UTC

Description Andrea Perotti 2017-07-08 01:00:25 UTC
Description of problem:

In a multi-tenant environment with nested tenants, if a tenant admin of Tenant Alpha sets a quota on his child Tenant Omega, the tenant admin of Tenant Omega can edit those rules, escaping the limitations imposed.

Version-Release number of selected component (if applicable):
Verified since CFME 4.2, still present in CFME 4.5

How reproducible:

Steps to Reproduce:
1. Create tenant Alpha
2. Create tenant-admin-alpha (role EvmRole-tenant-administrator) for Alpha
3. Create child tenant of Alpha, named Omega
4. Create tenant-admin-omega (role EvmRole-tenant-administrator) for Omega
5. tenant-admin-alpha sets quotas on CPU and Memory for tenant Omega
6. tenant-admin-omega logs into CFME and CAN EDIT or turn off the quotas imposed by tenant-admin-alpha

Actual results:
A user with the Tenant-admin role can change the existing quotas of the Tenant he administers, making the rules set by the tenant-admin of the Superior-Tenant vanish.

Expected results:
Quotas, once set, are only editable by the tenant-admin of the parent-Tenant.
tenant-admin can only see the quota of his tenant.

Comment 4 Libor Pichler 2017-07-27 14:38:18 UTC

Yes, Omega/Reseller can modify quotas because managing quotas is allowed
in his role EvmRole-tenant_administrator by default.

So I am suggesting creating a special role for Omega/Reseller and disabling
'Manage Quotas' (see attachment).

Does this solve the issue?


Comment 7 Andrea Perotti 2017-08-03 14:33:56 UTC
I've tested on a CFME and effectively it works, but only for tenant-admin-omega, which will never have a child tenant.

tenant-admin-alpha can modify *both* tenants' quotas, Omega and Alpha; this is the behaviour that we want changed.

The required behaviour is that `tenant-admin-alpha` could only change quotas on Omega (child tenants) and not for his own tenant (the parent one).

The use case is the one where an ISP sells resources to Alpha, and Alpha resells resources to Omega.

ISP (global admin) has to be able to edit quotas on all his children (Alpha, Omega).
Alpha (tenant admin) has to be able to edit quotas on all his children (Omega).
I'll pass this to the customer and let you know if that is enough.

Hope this clarifies the request better.

thanks a lot
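
The rule requested in the comment above (ISP edits Alpha and Omega, Alpha edits only Omega, Omega edits nothing), as an added example that is not ManageIQ code and not part of the original report. The `Tenant`/`User` structs, `can_edit_quota?` and `editable_tenants` are constructed for illustration; the feature name `rbac_tenant_manage_quotas` is the one referenced later in this bug.

```ruby
# Added example (not ManageIQ code): a minimal model of the quota-editing
# rule requested in this bug, for the tenant tree ISP -> Alpha -> Omega.

Tenant = Struct.new(:name, :parent) do
  # All tenants above this one, nearest first (constructed helper).
  def ancestors
    node, list = parent, []
    while node
      list << node
      node = node.parent
    end
    list
  end
end

User = Struct.new(:name, :tenant, :features)

# Requested rule: a user may edit quotas only on tenants strictly below
# his own tenant, and only if his role still carries the
# 'Manage Quotas' product feature. Editing his own tenant is refused,
# so a child admin cannot undo limits set by the parent admin.
def can_edit_quota?(user, target)
  return false unless user.features.include?(:rbac_tenant_manage_quotas)
  target.ancestors.include?(user.tenant)
end

# Names of the tenants (from the given list) the user is allowed to edit.
def editable_tenants(user, tenants)
  tenants.select { |t| can_edit_quota?(user, t) }.map(&:name)
end

# Constructed sample hierarchy and users matching the report.
ISP   = Tenant.new("ISP", nil)
ALPHA = Tenant.new("Alpha", ISP)
OMEGA = Tenant.new("Omega", ALPHA)
ALL   = [ISP, ALPHA, OMEGA]

MANAGE      = [:rbac_tenant_manage_quotas]
ISP_ADMIN   = User.new("isp-admin", ISP, MANAGE)
ALPHA_ADMIN = User.new("tenant-admin-alpha", ALPHA, MANAGE)
OMEGA_ADMIN = User.new("tenant-admin-omega", OMEGA, MANAGE)

if __FILE__ == $PROGRAM_NAME
  [ISP_ADMIN, ALPHA_ADMIN, OMEGA_ADMIN].each do |u|
    puts "#{u.name}: #{editable_tenants(u, ALL).inspect}"
  end
end
```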

Comment 24 CFME Bot 2018-11-14 17:44:43 UTC
New commit detected on ManageIQ/manageiq-schema/hammer:

commit 3531941f063dc6e71b26d4190fb2a94eddb72f58
Author:     Nick Carboni <ncarboni@redhat.com>
AuthorDate: Fri Oct 26 11:45:24 2018 -0400
Commit:     Nick Carboni <ncarboni@redhat.com>
CommitDate: Fri Oct 26 11:45:24 2018 -0400

    Merge pull request #291 from lpichler/add_tenant_id_to_miq_product_features

    Add tenant_id to miq_product_features

    (cherry picked from commit ed6309af48540b9adb32ed9c999a9b1acdde3458)


 db/migrate/20181023171353_add_tenant_id_and_tenant_node_to_miq_product_features.rb | 5 +
 1 file changed, 5 insertions(+)

Comment 25 CFME Bot 2018-11-14 17:44:57 UTC
New commit detected on ManageIQ/manageiq-api/hammer:

commit c0202c10dc9e13207c45caf35901b2b49ac19b6a
Author:     Gregg Tanzillo <gtanzill@redhat.com>
AuthorDate: Fri Nov  9 11:51:11 2018 -0500
Commit:     Gregg Tanzillo <gtanzill@redhat.com>
CommitDate: Fri Nov  9 11:51:11 2018 -0500

    Merge pull request #508 from lpichler/seed_tenant_product_features

    Seed tenant product features in Spec::Support::API::Helpers

    (cherry picked from commit 7a024f7488f39daa9bb208dd0745d941c53e0bd0)


 spec/support/api/helpers.rb | 2 +
 1 file changed, 2 insertions(+)

Comment 26 CFME Bot 2018-11-14 17:50:46 UTC
New commits detected on ManageIQ/manageiq/hammer:

commit ac5f85f3a66368b6a5ededfcb3695f178d935139
Author:     Gregg Tanzillo <gtanzill@redhat.com>
AuthorDate: Tue Oct 30 16:51:09 2018 -0400
Commit:     Gregg Tanzillo <gtanzill@redhat.com>
CommitDate: Tue Oct 30 16:51:09 2018 -0400

    Merge pull request #18102 from lpichler/dynamic_product_features

    Dynamic product features according to tenants

    (cherry picked from commit e391dec9c57dce99d67555c329906ec2fb71e759)


 app/models/miq_product_feature.rb | 52 +-
 app/models/tenant.rb | 27 +-
 db/fixtures/miq_product_features.yml | 12 +-
 lib/rbac/authorizer.rb | 2 +
 spec/models/miq_product_feature_spec.rb | 146 +-
 spec/models/miq_user_role_spec.rb | 30 +
 spec/models/tenant_spec.rb | 32 +
 spec/support/evm_spec_helper.rb | 1 +
 8 files changed, 287 insertions(+), 15 deletions(-)

commit 8355c58f81508d207666b3046462d3af813835b2
Author:     Gregg Tanzillo <gtanzill@redhat.com>
AuthorDate: Mon Nov  5 17:33:59 2018 -0500
Commit:     Gregg Tanzillo <gtanzill@redhat.com>
CommitDate: Mon Nov  5 17:33:59 2018 -0500

    Merge pull request #18151 from lpichler/add_rbac_tenant_manage_quotas_to_tenant_product_feature

    ADD rbac_tenant_manage_quotas to tenant product features

    (cherry picked from commit 61d1edd6d9131e5d9a023411d838b60114b52d1e)


 app/models/miq_product_feature.rb | 2 +-
 spec/models/miq_user_role_spec.rb | 5 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

commit d4481688e06d35e0f2220b6f1d19d0a1eb036597
Author:     Brandon Dunne <brandondunne@hotmail.com>
AuthorDate: Mon Nov 12 15:04:44 2018 -0500
Commit:     Brandon Dunne <brandondunne@hotmail.com>
CommitDate: Mon Nov 12 15:04:44 2018 -0500

    Merge pull request #18179 from gtanzillo/fix-dynamic-product-features

    Authorize user with non-dynamic product feature if included in user's role

    (cherry picked from commit f489784b0917a30aa810772b3888bb9dac9cec0c)


 app/models/miq_product_feature.rb | 2 +-
 lib/rbac/authorizer.rb | 4 +-
 spec/models/miq_user_role_spec.rb | 19 +-
 3 files changed, 19 insertions(+), 6 deletions(-)

Comment 27 CFME Bot 2018-11-14 17:52:04 UTC
New commit detected on ManageIQ/manageiq-ui-classic/hammer:

commit 5ade165e927704d85461fa9fa7aff86785d83183
Author:     Milan Zázrivec <mzazrivec@redhat.com>
AuthorDate: Wed Oct 31 11:05:16 2018 -0400
Commit:     Milan Zázrivec <mzazrivec@redhat.com>
CommitDate: Wed Oct 31 11:05:16 2018 -0400

    Merge pull request #4858 from lpichler/fix_ci_after_dynamic_product_features

    Fix CI After Dynamic Product Features

    (cherry picked from commit 568f503519dac39ee1eefd55a1f48828ed49aae7)


 spec/controllers/miq_ae_customization_controller/dialogs_spec.rb | 1 +
 1 file changed, 1 insertion(+)

Comment 38 CFME Bot 2018-12-20 17:56:26 UTC
New commit detected on ManageIQ/manageiq/hammer:

commit 9d4c1af4c2ff4844c621317e76e405acdce289b9
Author:     Keenan Brock <keenan@thebrocks.net>
AuthorDate: Thu Dec 20 11:40:02 2018 -0500
Commit:     Keenan Brock <keenan@thebrocks.net>
CommitDate: Thu Dec 20 11:40:02 2018 -0500

    Merge pull request #18286 from lpichler/dont_create_tenant_product_features_remote_tenants

    Don't seed tenant product features for tenant from remote region

    (cherry picked from commit 7909bf7f11a842f7b98d5e7fc539b6fc3da82de7)


 app/models/miq_product_feature.rb | 2 +-
 spec/models/miq_product_feature_spec.rb | 26 +
 2 files changed, 27 insertions(+), 1 deletion(-)

Comment 49 errata-xmlrpc 2019-02-07 23:02:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

