Make user filter as restriction in RBAC #15367

Merged
merged 4 commits into from
Jun 19, 2017

lpichler
Contributor

WIP: this PR is based on #15346,
last 4 commits are related to this PR

Some facts 📝

We have the method combine_filtered_ids in RBAC, which holds the combination logic for the different filter ids:

u_filtered_ids - these resource ids are based on the ownership set on the resource and the user role options called "Only User or Group Owned" and "Only User Owned"
b_filtered_ids - belongs-to filter ids come from the filter called Host & Cluster (tab in group)
m_filtered_ids - managed filter ids come from the tag filter (tab in group)
d_filtered_ids - these are based on any descendant relation (example: #15271, ManageIQ/manageiq-ui-classic#1474): we want to filter CloudNetwork instances according to the relation of extmanagement system
tenant_filter_ids - this is an additional tenant filter for RBAC through association; it is used for classes like MetricRollup and Metric, where we want to do RBAC through their polymorphic resource

Algorithm before

These filtered ids are combined by this algorithm:

b_intersection_m        = (b_filtered_ids INTERSECTION m_filtered_ids)
u_union_d_union_b_and_m = u_filtered_ids UNION d_filtered_ids UNION b_intersection_m
filter                  = u_union_d_union_b_and_m INTERSECTION tenant_filter_ids

As you can see, the user filter (u_filtered_ids) does not restrict the descendant filter or the belongs/managed filter.

Algorithm after

So we have to restrict the whole result according to the user filter (u_filtered_ids):

b_intersection_m = (b_filtered_ids INTERSECTION m_filtered_ids)
d_union_b_and_m  = d_filtered_ids UNION b_intersection_m
filter           = d_union_b_and_m INTERSECTION tenant_filter_ids INTERSECTION u_filtered_ids

Real case

The user has filtering according to tag tag1 enabled and is also a self-service user (option Only User or Group Owned).
There are also three VMs:
vm1 - no tag, group ownership set to User's group
vm2 - tagged by tag1, ownership is not set
vm3 - tagged by tag1, group ownership set to User's group

result before

vm1, vm2 and vm3

result after

vm3 (only) - because only this vm has tag1 and ownership set to vm2

Links

https://bugzilla.redhat.com/show_bug.cgi?id=1451266
https://bugzilla.redhat.com/show_bug.cgi?id=1450839

@miq-bot assign @gtanzillo
@miq-bot add_label rbac, bug
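
The two combinations from the description above, run over its "Real case", as an added example that is not part of the pull request or ManageIQ's code. The method names, the VM table and the rule that `nil` means "filter not configured" are assumptions of this sketch.

```ruby
require "set"

# Assumption of this sketch: nil means "this filter is not configured",
# so it is skipped instead of being treated as an empty set.
def intersect(*sets)
  sets.compact.reduce(:&)
end

def union(*sets)
  sets.compact.reduce(:|)
end

# "Algorithm before": the user filter is UNIONed in, so it can only widen access.
def combine_before(u:, b:, m:, d:, tenant:)
  b_intersection_m = intersect(b, m)
  intersect(union(u, d, b_intersection_m), tenant)
end

# "Algorithm after": the user filter is INTERSECTed last, so it restricts.
def combine_after(u:, b:, m:, d:, tenant:)
  b_intersection_m = intersect(b, m)
  intersect(union(d, b_intersection_m), tenant, u)
end

# Constructed data mirroring the "Real case" section.
VMS = {
  "vm1" => { tags: [],       group: "users_group" },
  "vm2" => { tags: ["tag1"], group: nil },
  "vm3" => { tags: ["tag1"], group: "users_group" }
}.freeze

def real_case_filters
  {
    u:      VMS.select { |_, v| v[:group] == "users_group" }.keys.to_set, # ownership
    b:      nil,                                                          # no Host & Cluster filter
    m:      VMS.select { |_, v| v[:tags].include?("tag1") }.keys.to_set,  # tag filter
    d:      nil,
    tenant: nil
  }
end

if __FILE__ == $PROGRAM_NAME
  f = real_case_filters
  puts "before: #{combine_before(**f).to_a.sort.join(', ')}"
  puts "after:  #{combine_after(**f).to_a.sort.join(', ')}"
  puts "no longer visible: #{(combine_before(**f) - combine_after(**f)).to_a.sort.join(', ')}"
end
```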

@miq-bot
Member

miq-bot commented Jun 14, 2017

This pull request is not mergeable. Please rebase and repush.

@lpichler lpichler force-pushed the make_user_filter_as_restriction branch from 71b12d2 to a5fe841 Compare June 14, 2017 14:51
@lpichler lpichler changed the title [WIP] Make user filter as restriction in RBAC Make user filter as restriction in RBAC Jun 14, 2017
@lpichler
Contributor Author

@miq-bot remove_label wip

@miq-bot
Member

miq-bot commented Jun 14, 2017

Checked commits lpichler/manageiq@d5c7e13~...a5fe841 with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
2 files checked, 0 offenses detected
Everything looks fine. 🍪

Member

@gtanzillo gtanzillo left a comment

LGTM 👍

@gtanzillo gtanzillo added this to the Sprint 63 Ending Jun 19, 2017 milestone Jun 19, 2017
@gtanzillo gtanzillo merged commit ed5da67 into ManageIQ:master Jun 19, 2017
@lpichler lpichler deleted the make_user_filter_as_restriction branch June 20, 2017 06:24
lpichler added a commit to lpichler/manageiq that referenced this pull request Apr 20, 2018
…ter_as_restriction"

This reverts commit ed5da67, reversing
changes made to ed707ba.
kbrock added a commit that referenced this pull request Apr 20, 2018
simaishi pushed a commit that referenced this pull request Apr 20, 2018