Bug 1468795 - tenant_administrator role can modify quotas of his own Tenant
Status: ON_DEV
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.8.0
Unspecified Unspecified
Priority: high, Severity: high
: GA
: cfme-future
Assigned To: Gregg Tanzillo
Dave Johnson
cfme_tenant:quota:rbac
Blocks: cfme_fastweb
Reported: 2017-07-07 21:00 EDT by Andrea Perotti
Modified: 2017-08-03 10:33 EDT
Type: Bug
Description Andrea Perotti 2017-07-07 21:00:25 EDT
Description of problem:

In a multi-tenant environment with nested tenants, if a tenant admin of Tenant Alpha sets a quota on his child Tenant Omega, the tenant admin of Tenant Omega can edit those rules, escaping the limitations imposed.

Version-Release number of selected component (if applicable):
Verified since CFME 4.2, still present in CFME 4.5

How reproducible:
Always

Steps to Reproduce:
1. Create tenant Alpha
2. Create tenant-admin-alpha (role EvmRole-tenant-administrator) for Alpha
3. Create child tenant of Alpha, named Omega
4. Create tenant-admin-omega (role EvmRole-tenant-administrator) for Omega
5. tenant-admin-alpha sets quotas on CPU, Memory for tenant Omega
6. tenant-admin-omega logs into CFME and CAN EDIT or Turn Off the quotas imposed by tenant-admin-alpha

Actual results:
A user with Tenant-admin can change the existing quotas of the Tenant he administers, vanishing the rules set by the tenant-admin of the Superior-Tenant

Expected results:
Quotas, once set, are only editable by the tenant-admin of the parent-Tenant.
tenant-admin can only see the quota of his tenant.
Comment 4 Libor Pichler 2017-07-27 10:38:18 EDT
Andrea,

Yes, Omega/Reseller can modify quotas because managing of quotas is allowed
in his role EvmRole-tenant_administrator by default.

So I am suggesting to create a special role for the Omega/Reseller and disable
'Manage Quotas'. (see attachment)


Does this solve the issue?

thanks
Comment 7 Andrea Perotti 2017-08-03 10:33:56 EDT
I've tested on a CFME 5.8.0.17.20170525183055_6317a22 and effectively it works, but only for tenant-admin-omega, who will never have a child tenant.

tenant-admin-alpha can modify *both* tenants' quotas, Omega and Alpha; this is the behaviour that should be changed.

The required behaviour is that `tenant-admin-alpha` could only change quotas on Omega (child tenants) and not for his own tenant (parent one).

The use case is the one where an ISP sells resources to Alpha, and Alpha resells resources to Omega.

ISP (global admin) has to be able to edit quotas on all its children (Alpha, Omega).
Alpha (tenant admin) has to be able to edit quotas on all its children (Omega).
I'll pass this to the customer and let you know if that is enough.

Hope this clarifies the request better.


thanks a lot
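
The access rule requested in comment 7, next to the behaviour the report describes, as an added example that is not part of the original bug report and is not CloudForms/ManageIQ code. The `Tenant` and `User` structs, the `manage_quotas` flag and both function names are hypothetical, and the ISP/Alpha/Omega tree is constructed sample data.

```ruby
# Hypothetical model of the tenant tree from the report (not ManageIQ code).
Tenant = Struct.new(:name, :parent) do
  # Every tenant above this one, nearest first.
  def ancestors
    chain = []
    node = parent
    while node
      chain << node
      node = node.parent
    end
    chain
  end
end

# manage_quotas stands in for the 'Manage Quotas' role feature (assumption).
User = Struct.new(:name, :tenant, :manage_quotas, :global_admin)

# Reported behaviour: the role feature alone decides, so a tenant admin can
# edit the quota of his own tenant as well as those of its children.
def can_edit_quota_reported?(user, target)
  return true if user.global_admin
  user.manage_quotas &&
    (target == user.tenant || target.ancestors.include?(user.tenant))
end

# Requested behaviour: the feature is necessary but not sufficient; the
# target must sit strictly below the user's own tenant in the tree.
def can_edit_quota_requested?(user, target)
  return true if user.global_admin
  user.manage_quotas && target.ancestors.include?(user.tenant)
end

# Names of the tenants a user may edit under a given rule (a Method object).
def editable_tenants(user, tenants, rule)
  tenants.select { |t| rule.call(user, t) }.map(&:name)
end

# Constructed sample hierarchy: ISP -> Alpha -> Omega.
ISP_T   = Tenant.new("ISP", nil)
ALPHA_T = Tenant.new("Alpha", ISP_T)
OMEGA_T = Tenant.new("Omega", ALPHA_T)
ALL_TENANTS = [ISP_T, ALPHA_T, OMEGA_T]

GLOBAL_ADMIN = User.new("isp-admin", ISP_T, true, true)
ADMIN_ALPHA  = User.new("tenant-admin-alpha", ALPHA_T, true, false)
ADMIN_OMEGA  = User.new("tenant-admin-omega", OMEGA_T, true, false)
```

With the requested rule both admins keep the default role, and `tenant-admin-omega` loses write access to Omega's quota because Omega has no descendants, not because a feature was switched off.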
