Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add tenant scoping for resources of performance reports in RBAC #14095

Merged
merged 3 commits into from
Mar 7, 2017
Merged

Add tenant scoping for resources of performance reports in RBAC #14095

merged 3 commits into from
Mar 7, 2017

Conversation

lpichler
Copy link
Contributor

@lpichler lpichler commented Feb 28, 2017
edited
Loading

second part of
https://bugzilla.redhat.com/show_bug.cgi?id=1418961
first part (#14041)

RBAC is supported for MetricRollups class and his childs also MetricRollup#resource but there is no support also for tenant scoping, so this PR is adding it:

cc @kbrock

@miq-bot assign @gtanzillo

@miq-bot miq-bot added the wip label Feb 28, 2017
@lpichler lpichler force-pushed the add_rbac_to_resouces_for_perfomance_reports branch from 6a36e31 to 03569d2 Compare March 2, 2017 14:08
@lpichler lpichler changed the title [WIP] Add rbac to resources for performance reports Add tenant scoping for resources of performance reports in RBAC Mar 2, 2017
@miq-bot miq-bot removed the wip label Mar 2, 2017
@lpichler lpichler force-pushed the add_rbac_to_resouces_for_perfomance_reports branch from 03569d2 to 7013bfa Compare March 2, 2017 15:00
kbrock
kbrock reviewed Mar 2, 2017
View reviewed changes
Copy link
Member

@kbrock kbrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is great.
Will help right across the board

have been working so hard on consolidating that set logic, so would prefer to have just a single point where set logic is performed

lib/rbac/filterer.rb Outdated
@@ -445,7 +445,12 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
# if subclasses of MetricRollup or Metric, use the associated
# model to derive permissions from
associated_class = rbac_class(scope)
if associated_class.respond_to?(:scope_by_tenant?) && associated_class.scope_by_tenant?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

if associated_class.try(:scope_by_tenant?)

lib/rbac/filterer.rb Outdated
@@ -445,7 +445,12 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
# if subclasses of MetricRollup or Metric, use the associated
# model to derive permissions from
associated_class = rbac_class(scope)
if associated_class.respond_to?(:scope_by_tenant?) && associated_class.scope_by_tenant?
scope_associated_ids = scope_to_tenant(associated_class, user, miq_group).ids
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please leave this as a scope and rename to something like tenant_filter

lib/rbac/filterer.rb Outdated
filtered_ids = calc_filtered_ids(associated_class, rbac_filters, user, miq_group)
filtered_ids = [scope_associated_ids, filtered_ids].compact.flatten
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please pass this scope into filtered_ids.

Trying hard to keep that set logic in there so we can move to the database in the future.

(all but one of those params are currently scopes)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I cannot pass it to the first parameter because scope tenant condition in scope_tenant_filter would be lost, so I added it as new parameter.
Is this ok for now ?

For now we need to make 1 query to determine scope_tenant_filter.ids, in follow up PR I would like to look if it is possible to merge it to main scope and skip this query.

thanks for review @kbrock

@lpichler lpichler force-pushed the add_rbac_to_resouces_for_perfomance_reports branch from 7013bfa to 4521c0b Compare March 3, 2017 17:58
kbrock
kbrock reviewed Mar 3, 2017
View reviewed changes
lib/rbac/filterer.rb Outdated
klass = scope.respond_to?(:klass) ? scope.klass : scope
u_filtered_ids = pluck_ids(get_self_service_objects(user, miq_group, klass))
b_filtered_ids = get_belongsto_filter_object_ids(klass, user_filters['belongsto'])
m_filtered_ids = pluck_ids(get_managed_filter_object_ids(scope, user_filters['managed']))
d_filtered_ids = pluck_ids(matches_via_descendants(rbac_class(klass), user_filters['match_via_descendants'],
:user => user, :miq_group => miq_group))

combine_filtered_ids(u_filtered_ids, b_filtered_ids, m_filtered_ids, d_filtered_ids)
combine_filtered_ids(u_filtered_ids, b_filtered_ids, m_filtered_ids, d_filtered_ids) ||
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be difficult to get this into combine_filtered_ids?
(just say too difficult if so. I can fix when I'm going in there to convert to a sql scope from raw ids)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes done 👍

https://github.com/ManageIQ/manageiq/pull/14095/files#diff-8d948055de14ced0e63abf9637a9a788R383 this maybe look sort complex but there is needed previous values it returns. (nil should not be confused with an empty field)

kbrock
kbrock reviewed Mar 3, 2017
View reviewed changes
Copy link
Member

@kbrock kbrock left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good. just the one question

also, the tenant_scope can probably be always passed in, even if it is a nil. I'm guessing we probably need to change our code to always have a tenant scope (unless this makes testing harder - then leave the nil as is)

@lpichler lpichler force-pushed the add_rbac_to_resouces_for_perfomance_reports branch 2 times, most recently from 206f5db to 28298d3 Compare March 6, 2017 13:49
@lpichler
Copy link
Contributor Author

lpichler commented Mar 6, 2017
edited
Loading

@kbrock

... so we can move to the database in the future.

What do you mean by this ? Do you mean somehow convert RBAC to sequence of rules or DSL ?

@lpichler lpichler force-pushed the add_rbac_to_resouces_for_perfomance_reports branch from 28298d3 to 6b47b81 Compare March 6, 2017 14:31
@kbrock
Copy link
Member

kbrock commented Mar 6, 2017

@lpichler example

Current vm RBAC combine_filtered_ids workflow:

  1. Bring back ids for 4 different queries of vms
  2. Perform post processing on ids (down to only 1 id list being manipulated)
  3. Do set logic in memory
  4. send that list of ids back to the server to bring back vms.

Since sql's strength is set logic (e.g. using AND and OR), it makes no sense to bring this back into ruby. Just need to remove post processing step.

Was hoping we could keep the set logic in the combine_filtered_ids method.
That way the combination will be more straight forward.

But if that doesn't work for you, we can move it into that method when we are fixing step 2.

@lpichler
Add scoping to tenant for resources in performance reports
39d0469 
- visible ids of resource class are determined for tenant
- those ids are used for filtering as well
@lpichler
Add factory for VmPerfomance
25d89dc
@lpichler
Specs for tenant scoping for VmPerformance
dce0e5d
@lpichler lpichler force-pushed the add_rbac_to_resouces_for_perfomance_reports branch from 6b47b81 to dce0e5d Compare March 7, 2017 12:45
@miq-bot
Copy link
Member

miq-bot commented Mar 7, 2017

Checked commits lpichler/manageiq@39d0469~...dce0e5d with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
3 files checked, 0 offenses detected
Everything looks good. 🍪

kbrock
kbrock approved these changes Mar 7, 2017
View reviewed changes
Copy link
Member

@kbrock kbrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. this looks great

@lpichler lpichler closed this Mar 7, 2017
@lpichler lpichler reopened this Mar 7, 2017
gtanzillo
gtanzillo approved these changes Mar 7, 2017
View reviewed changes
Copy link
Member

@gtanzillo gtanzillo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Thanks @lpichler @kbrock

@gtanzillo gtanzillo added this to the Sprint 56 Ending Mar 13, 2017 milestone Mar 7, 2017
@gtanzillo gtanzillo merged commit f46d363 into ManageIQ:master Mar 7, 2017
@lpichler lpichler deleted the add_rbac_to_resouces_for_perfomance_reports branch March 9, 2017 19:26
simaishi pushed a commit that referenced this pull request Mar 10, 2017
@gtanzillo @simaishi
Merge pull request #14095 from lpichler/add_rbac_to_resouces_for_perf…
997b55c 
…omance_reports

Add tenant scoping for resources of performance reports in RBAC
(cherry picked from commit f46d363)

https://bugzilla.redhat.com/show_bug.cgi?id=1431168
@simaishi
Copy link
Contributor

Euwe backport details:

$ git log -1
commit 997b55cb7fa847993d81c379def3dd77077e520e
Author: Gregg Tanzillo <gtanzill@redhat.com>
Date:   Tue Mar 7 16:05:03 2017 -0500

    Merge pull request #14095 from lpichler/add_rbac_to_resouces_for_perfomance_reports
    
    Add tenant scoping for resources of performance reports in RBAC
    (cherry picked from commit f46d363c250b386a9783dc10e6a98bb8e4413442)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1431168

@lpichler lpichler mentioned this pull request Mar 14, 2017
Closed
@simaishi
Copy link
Contributor

Backported to Darga via #14308

agrare pushed a commit to agrare/manageiq that referenced this pull request Apr 19, 2017
@gtanzillo @simaishi
Merge pull request ManageIQ#14095 from lpichler/add_rbac_to_resouces_…
2553dc8 
…for_perfomance_reports

Add tenant scoping for resources of performance reports in RBAC
(cherry picked from commit f46d363)

https://bugzilla.redhat.com/show_bug.cgi?id=1431168
@lpichler lpichler mentioned this pull request May 15, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gtanzillo gtanzillo gtanzillo approved these changes

@kbrock kbrock kbrock approved these changes

Assignees

@gtanzillo gtanzillo

Labels
core/chargeback core/rbac darga/backported enhancement euwe/backported
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@lpichler @kbrock @miq-bot @simaishi @gtanzillo @chessbyte