Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Displayed all tenant by using Heat Template #297

Open
okamototk opened this issue May 17, 2018 · 7 comments
Open

Displayed all tenant by using Heat Template #297

okamototk opened this issue May 17, 2018 · 7 comments

Comments

@okamototk
Copy link

When I use Heat Template as Catalog Service, all OpenStack tenant which is accessed by Provider account is selected is spite of setting access control by group.

At least, following code does not limit tenants for use. Should it limit to available tenants?

https://github.com/ManageIQ/manageiq-content/blob/master/content/automate/ManageIQ/Cloud/Orchestration/Operations/Methods.class/__methods__/available_tenants.rb

@gmcculloug gmcculloug self-assigned this May 17, 2018
@gmcculloug
Copy link
Member

gmcculloug commented May 17, 2018

@okamototk By default automate methods run with admin access but you can enable rbac filtering by adding a call to $evm.enable_rbac in the script.

The feature was added in PR ManageIQ/manageiq#11549

For the method you reference I would recommend wrapping the fetch_list_data method with calls to enable_rbac and disable_rbac.

Something like:

def fetch_list_data
  $evm.enable_rbac
  service = @handle.root.attributes["service_template"] || @handle.root.attributes["service"]
  av_tenants = service.try(:orchestration_manager).try(:cloud_tenants)

  tenant_list = { nil => "<default>" }
  av_tenants.each { |tenant| tenant_list[tenant.name] = tenant.name } if av_tenants

  tenant_list
ensure
  $evm.disable_rbac
end

Test this out and let us know your results.

cc @mkanoor

@gmcculloug
Copy link
Member

@okamototk The easiest way to test this is to create a new domain in the automate explorer and copy the method into the new domain. The new domain, by default, will have a higher priority when looking up methods and the copied method would be used.

If you modify the gem on disk you would need to reset the automate domain from either the UI in: Automation -> Automate -> Import / Export -> "Reset all components in the following domains: ManageIQ"

Or from the command line using rake evm:automate:reset

@okamototk
Copy link
Author

It works fine, thanks!

I hope above template is enabled default:)

@gmcculloug
Copy link
Member

Great to hear. Can we close this issue now?

@okamototk
Copy link
Author

I think this feature should be enabled default. But code is still same as before.
Are there any reason to keep current implementation?

@gmcculloug
Copy link
Member

@okamototk Sorry to have been away from this topic for a while but I have been thinking about it again recently and have two thoughts.

  1. Adding a global Advanced Setting flag that would allow us to control the default for RBAC within automate methods.

  2. Modifying some of the existing automate methods (specifically those designed for dynamic dialog fields) to include an "enable_rbac" property on the instance that calls the method and restructure the methods to evaluate the new instance property. This way a user could change the behavior by just overwriting the method and change the flag instead of having to update the method as described in Displayed all tenant by using Heat Template #297 (comment). Obviously this would need to happen for several methods, not just the one identified here.

Along the lines of item 2, maybe there is also a way to expose a global default in the Automate modeling and allow for individual method overrides, assuming the methods were reworked to take advantage of this.

cc @mkanoor @tinaafitz thoughts?

@miq-bot miq-bot added the stale label Feb 12, 2019
@miq-bot
Copy link
Member

miq-bot commented Feb 12, 2019

This issue has been automatically marked as stale because it has not been updated for at least 6 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants