Enable cloud_tenant based RBAC for additional models #14036

Merged 2 commits on Mar 24, 2017

@rwsu rwsu commented Feb 22, 2017

Fixes RBAC for select cloud_tenant based models when tenant_mapping_enabled is turned on. Previously, anyone could see any tenant's objects. The fix adds CloudTenancyMixin to a model which in turn causes the correct AR joins and where clauses to be generated during tenant scoping in Filterer.search.

This patch adds CloudTenancyMixin to:

  - CloudNetwork
  - CloudObjectStoreContainer
  - CloudObjectStoreObject
  - CloudSubnet
  - CloudTenant
  - CloudVolumeSnapshot
  - Flavor
  - FloatingIp
  - LoadBalancer
  - NetworkPort
  - NetworkRouter
  - SecurityGroup

Modified OpenStack CloudManager to also update the network
provider's tenant_mapping_enabled value.

Depends on #13535

Steps for Testing/QA

  1. In your OpenStack cloud environment, create two projects and as admin of each project create an object for each of the models listed above.
  2. Tenant Mapping Enabled should be turned on for the cloud provider in ManageIQ.
  3. Create admin groups and admin users for the two projects. The admin should have the EvmRole-super_administrator role.
  4. Log in as an admin of each project and verify you can only see that project's objects.
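
As an added illustration (not code from this pull request or from ManageIQ), the following plain-Ruby sketch shows the opt-in scoping pattern the description refers to: a model without the mixin returns every tenant's records, while one that includes it is filtered to the user's tenant. The class names UnscopedNetwork and ScopedNetwork, the tenant_scope hook, scoped_search and the in-memory filter are assumptions standing in for the ActiveRecord joins and where clauses, as is skipping the filter when tenant_mapping_enabled is off.

```ruby
# Constructed, in-memory stand-ins. The mixin in the PR generates ActiveRecord
# joins and where clauses; this sketch replaces them with a plain Ruby filter.
module CloudTenancyMixin
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Hypothetical hook: keep only records owned by the user's cloud tenant,
    # and only when the record's provider has tenant mapping turned on (assumed).
    def tenant_scope(records, user)
      records.select do |r|
        !r.provider.tenant_mapping_enabled || r.cloud_tenant == user.cloud_tenant
      end
    end
  end
end

Provider = Struct.new(:name, :tenant_mapping_enabled)
User     = Struct.new(:name, :cloud_tenant)

class CloudRecord
  attr_reader :name, :cloud_tenant, :provider

  def initialize(name, cloud_tenant, provider)
    @name, @cloud_tenant, @provider = name, cloud_tenant, provider
  end
end

class UnscopedNetwork < CloudRecord; end # model without the mixin (before the fix)

class ScopedNetwork < CloudRecord        # model with the mixin (after the fix)
  include CloudTenancyMixin
end

# Hypothetical stand-in for the tenant-scoping step of a search. Models that do
# not expose tenant_scope fall through unfiltered, which is the cross-tenant leak.
def scoped_search(klass, records, user)
  visible = klass.respond_to?(:tenant_scope) ? klass.tenant_scope(records, user) : records
  visible.map(&:name)
end

# Constructed sample data: one record per project on the same provider.
def demo_records(klass, provider)
  [klass.new("net-a", "project_a", provider), klass.new("net-b", "project_b", provider)]
end
```

In this sketch a provider whose tenant_mapping_enabled flag is false disables the filter even for a model that includes the mixin, so a stale flag on a related provider would undo the scoping for that provider's objects.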

@rwsu changed the title from "Enable cloud_tenant based RBAC for additional models" to "[WIP] Enable cloud_tenant based RBAC for additional models" on Feb 23, 2017
@miq-bot added the wip label on Feb 23, 2017
@rwsu changed the title from "[WIP] Enable cloud_tenant based RBAC for additional models" to "Enable cloud_tenant based RBAC for additional models" on Mar 9, 2017
@miq-bot removed the wip label on Mar 9, 2017
@rwsu force-pushed the cloud-tenant-rbac branch 3 times, most recently from 41e394d to 2385dda, on March 16, 2017 07:15

miq-bot commented Mar 16, 2017

This pull request is not mergeable. Please rebase and repush.

Adds CloudTenancyMixin to
CloudNetwork
CloudObjectStoreContainer
CloudObjectStoreObject
CloudSubnet
CloudTenant
CloudVolumeSnapshot
Flavor
FloatingIp
LoadBalancer
NetworkPort
NetworkRouter
SecurityGroup

Modified OpenStack CloudManager to also update the network
provider's tenant_mapping_enabled value.
@lpichler

@rwsu Can you add specs for CloudTenant and Flavor, please?

CloudTenant and Flavor have specialized tenant_joins_clauses that
warrant additional tests.

miq-bot commented Mar 22, 2017

Checked commits rwsu/manageiq@3bf5b01~...a3f8cba with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
15 files checked, 0 offenses detected
Everything looks good. 🏆


rwsu commented Mar 22, 2017

@lpichler, specs added for CloudTenant and Flavor.


rwsu commented Mar 23, 2017

@gtanzillo, can you review? I think @lpichler might be ooto.


@gtanzillo gtanzillo left a comment

LGTM 👍

@gtanzillo added this to the "Sprint 57 Ending Mar 27, 2017" milestone on Mar 24, 2017
@gtanzillo merged commit 5ade24b into ManageIQ:master on Mar 24, 2017