"Add New Cloud Volume" dialog does not restrict cloud tenants for non-admin users. #14836

Closed
ITD27M01 opened this issue Apr 21, 2017 · 9 comments

@ITD27M01

Hi guys, restricted users who should have access only to their own cloud tenant are able to select cloud tenants during cloud volume provisioning, even those that the user should not see. My environment has OpenStack Newton with the v3 API as a Cloud Provider with cloud tenant synchronization, and Cinder as a Volume Storage Provider.

@lpichler
Contributor

@ITD27M01 thanks

@miq-bot assign @lpichler

@lpichler
Contributor

#15143
#15145

@ITD27M01
Author

ITD27M01 commented May 19, 2017

@lpichler
If RBAC is tag-based filtering, then these PRs are not the solution for my issue. By default (out of the box) tags are not used by users, and this is a very difficult way to enable it, because you need to tag every element in the infrastructure that the user needs to access: cloud tenants that are not accessible from the web interface, VMs, created volumes...

@ITD27M01
Author

ITD27M01 commented May 20, 2017

Hi @lpichler
In an environment with multiple OpenStack regions, ManageIQ displays the cloud tenant multiple times, once for each OpenStack Keystone region. Because of this, this line of code does not work for multi-region environments:
https://github.com/lpichler/manageiq/blob/fce2cbfd43bff2fc540424a458fbaa6c86557244/app/controllers/cloud_volume_controller.rb#L267
because the hash value for the same tenant name gets the last selected tenant id from the CloudTenants array, and not all tenants are displayed. To work correctly there should be some additional value for the Cloud Tenant region (for MIQ it is just another provider - ext_management_system).

This code works for me:

    Rbac.filtered(CloudTenant).each { |tenant| @cloud_tenant_choices["#{tenant.name} - #{tenant.ext_management_system.name}"] = tenant.id }
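
The key collision described in the comment above, together with the filtered tenant list the issue asks for, as an added Ruby example that is not part of the original comment or of ManageIQ's code. The `Ems` and `CloudTenant` structs, the `owner_group` field, `visible_tenants` (a simplified stand-in for `Rbac.filtered`), `tenant_allowed?` and the sample tenants are assumptions constructed for illustration.

```ruby
# Added example: simplified stand-ins for ManageIQ's models, not project code.
Ems         = Struct.new(:name)
CloudTenant = Struct.new(:id, :name, :ext_management_system, :owner_group)

# Constructed sample data: the same tenant name synced from two Keystone regions.
REGION_ONE = Ems.new("OpenStack RegionOne")
REGION_TWO = Ems.new("OpenStack RegionTwo")
TENANTS = [
  CloudTenant.new(1, "dev",   REGION_ONE, "team-a"),
  CloudTenant.new(2, "dev",   REGION_TWO, "team-a"),
  CloudTenant.new(3, "admin", REGION_ONE, "ops"),
].freeze

# Hypothetical stand-in for Rbac.filtered(CloudTenant): keep only the tenants
# owned by the user's group. Real RBAC also covers tenancy, tags and other filters.
def visible_tenants(tenants, user_group)
  tenants.select { |t| t.owner_group == user_group }
end

# Name-only key: the second "dev" overwrites the first, so one region's
# tenant silently disappears from the drop-down.
def choices_by_name(tenants)
  tenants.each_with_object({}) { |t, h| h[t.name] = t.id }
end

# Key from the comment above: tenant name plus provider name is unique per region.
def choices_by_name_and_ems(tenants)
  tenants.each_with_object({}) do |t, h|
    h["#{t.name} - #{t.ext_management_system.name}"] = t.id
  end
end

# Re-check the submitted id against the same filtered list on the server side,
# so a non-admin cannot submit a tenant id that was never offered in the dialog.
def tenant_allowed?(tenants, user_group, submitted_id)
  visible_tenants(tenants, user_group).any? { |t| t.id == submitted_id.to_i }
end

if __FILE__ == $PROGRAM_NAME
  mine = visible_tenants(TENANTS, "team-a")
  p choices_by_name(mine)
  p choices_by_name_and_ems(mine)
  p tenant_allowed?(TENANTS, "team-a", "3")
end
```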

@ITD27M01
Author

ITD27M01 commented May 20, 2017

@lpichler but all these PRs and my overrides do not help to create a volume from ManageIQ because of this piece of code from the "def create" function:

          CloudVolume.create_volume(cloud_tenant.ext_management_system, options)
          add_flash(_("Creating %{volume} \"%{volume_name}\"") % {
            :volume      => ui_lookup(:table => 'cloud_volume'),
            :volume_name => options[:name]})

For cloud volumes the ext_management_system is the Cinder Manager, not the Cloud Provider. Because of this, all my requests for creating volumes are stuck in the "creating" state because of the wrong EMS for this operation.

@lpichler
Contributor

@ITD27M01 Thank you for your feedback.

> If RBAC is tag-based filtering, then these PRs are not the solution for my issue. By default (out of the box) tags are not used by users, and this is a very difficult way to enable it, because you need to tag every element in the infrastructure that the user needs to access: cloud tenants that are not accessible from the web interface, VMs, created volumes...

RBAC is not only about tags, it is also about tenancy and other filters.
For using RBAC for Cloud entities (like CloudTenant(this is only in), and RBAC for other cloud objects like CloudVolumes,... is in FINE only ))

#14836 (comment)
It is another issue; I would prefer to create a GitHub issue so we can discuss it and do it globally.

#14836 (comment):
Can you create a GitHub issue for it, with the specification of your setup (which version of MIQ, OpenStack)?
I tried it with OpenStack v3 on the latest code base and cloud volumes were created successfully.

@miq-bot
Member

miq-bot commented Nov 27, 2017

This issue has been automatically marked as stale because it has not been updated for at least 6 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions!

@miq-bot miq-bot added the stale label Nov 27, 2017
@JPrause
Member

JPrause commented Jan 23, 2019

@ITD27M01 is this still a valid issue? If not, can you close it?
If there's no update by next week, I'll be closing this issue.

@JPrause
Member

JPrause commented Jan 29, 2019

Closing issue. If you feel the issue needs to remain open, please let me know and it will be reopened.
@miq-bot close_issue

@miq-bot miq-bot closed this as completed Jan 29, 2019