Use feature for admin

[kbrock]

Problem:

Users can not create a custom group with admin privileges.
Our best practices say to create a custom group and not use the included Evm ones.
The reason for this request most often is focused on reporting, but also focuses on miq_request privileges.

• https://bugzilla.redhat.com/show_bug.cgi?id=1090627
• https://bugzilla.redhat.com/show_bug.cgi?id=1545401
• Use {report,request}_admin_user? manageiq-ui-classic#3993
• use request_admin_user? manageiq-api#385
• Extra reference, but not addressed: https://bugzilla.redhat.com/show_bug.cgi?id=1508490
• scroll down for ui changes.

Before:

• We use the admin's name (admin, tenant admin, and super admin) to grant extra privileges. This is determined using MiqUserRole#admin_user?.
• Tenant admin checks are in place to prevent the user from creating an administrator or super administrator (and essentially escalating privileges).
• NOTE: special privileges of the administrator role has been whittled down to elevated report and miq_request privileges.

After:

• super-administrator role (i.e.: user admin) now uses the the existing everything miq_product_feature to grant the special privilege.
• Report functionality previously protected by admin_user? now uses the miq_product_feature miq_report_superadmin to grant special privileges. (This is needed for chargeback and other reports). Introduced report_admin_user? for transition.
• MiqRequest functionality previously protected by admin_user? now uses miq_product feature miq_request_superadmin
• The administrator role checks admin_user? is deprecated and no longer used. Essentially, this role has been removed.
• The tenant-administrator checks have been simplified. Now, a super admin is the only one able to create a super admin.

Future work:

• The code currently prevents users from viewing other groups. This needs to be fixed in admin.
• A bunch of these checks could be moved further into Rbac.
• There are quite a few report / report result checks that are tangled and non trivial to move to rbac.
• There are 2 types of checks for report results - tread carefully.

[NickLaMuro]

I think this looks fine, but admittedly I am not the best person to be making the final say.

I think my only real gripe is that MiqProductFeature seems like a weird place for this to live instead of MiqUserRole, specifically from a name standpoint. I can much more easily understand that "admin" and "superadmin" are roles versus "product features", but maybe that is just me.

There might be implementation details that make it more desirable to put this in MiqProductFeature versus MiqUserRole, so not really worth holding this up for, just an observation.

[NickLaMuro]

Typo: parallel

[NickLaMuro]

Hot. 👍

[NickLaMuro]

First off, totally fine with this query, and it probably doesn't need to change.

But am kinda curious where it is being used. Since we aren't setting a .select on this, do we get all the columns back on this, or does Rails always add a table_name.* by default instead of just a SELECT *?

(might be the former now that I think about it)

Anyway, you really aren't changing how this worked much before, so you probably don't have to worry about it.

[NickLaMuro]

<rant> God... this is the ugliest syntax addition to Ruby I have ever seen... bleh </rant>

[NickLaMuro]

More of a serious, but minor question: Is there an extra query being hit here now by calling out to miq_user_role?

[kbrock]

yes. But I figure features need to be brought back for the rest of the UI, so I've been looking the other way

[NickLaMuro]

Typo: parallel

[NickLaMuro]

Few things:

• At the very least, can we .freeze this string? Or use an existing constant?
• Is there a reason this doesn't go through MiqUserRole or MiqProductFeature? I guess for simplicity and reducing risk? (cool with that being the case, just making sure)

[NickLaMuro]

What is the rational behind adding this conditional in and pushing scope_by_ids inside the else? Just don't see the context/rational from the diff.

[kbrock]

think I'll roll it back - yea, probably an unneeded change

[NickLaMuro]

Not sure you need to go that far, was just curious what the rational was.

[NickLaMuro]

Are all of the callers for this updated? I don't see any changed here.

[NickLaMuro]

Thankfully these ones got hidden due to recent commits. Just noticed where these were being used, so this question and others like it can be ignored.

[NickLaMuro]

Are all of the callers for this updated? I don't see any changed here. (repeat question)

[NickLaMuro]

Are all of the callers for this updated? I don't see any changed here. (repeat question)

[kbrock]

@bascar / @gtanzillo new thoughts:

Currently we have a single "administrator" Role. the name of the role makes it an admin.

This is not transferrable to other roles, so instead of using name, we're going to use a product feature. Also, we are getting away from a single admin concept.

If you look at the product features granted to admins, they fall in 2 different areas. It makes sense to split up the admin role into 2 types of functionality: reports and requests.

Additionally, there currently are provisions to prevent tenant admins from creating an administrator user. While it makes sense to limit creation of a super admin, the admin does not have significant added privileges, so this no longer seems necessary. Instead it prevents non super admins from creating super admins.

---

Current functionality granted to Administrators

NOTE: While super administrators do get all administrator functionality, they are different roles

• reports
  • advanced search (delete filters, global search)
  • other user's saved reports
  • export other reports
  • fetch other user's saved reports
  • other user's report results
  • other user's time profiles
  • other user's charge back reports
  • other groups' reports
  • report results from other users
  • overwrite on report imports
  • view other user groups / (potential create user issue)
• requests
  • delete other user's miq_request messages
  • find service requests from other users (API)
  • find requests from other users
  • provision requests from other users
  • automation requests from other users

• https://bugzilla.redhat.com/show_bug.cgi?id=1090627
• https://bugzilla.redhat.com/show_bug.cgi?id=1545401

Not sure if this can address

• https://bugzilla.redhat.com/show_bug.cgi?id=1508490

[kbrock]

This made the following changes:

[miq-bot]

Checked commits kbrock/manageiq@9c9a52f~...f6c02e8 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
14 files checked, 0 offenses detected
Everything looks fine. 🏆

[gtanzillo]

This looks awesome 👍 I just have the one small question/comment

[gtanzillo]

How come you changed this to just :name? It seems ambiguous as it can be misconstrued as the name of the group when it's really the name of the groups role.

[kbrock]

This did not change

The :name refers to Role#name. The prefix => true tacks on the association name so the attribute name will be called miq_user_role_name (same as it originally was)

[ZitaNemeckova]

This broke UI master :)

1) ReportController#schedule_edit reset rbac testing
     Failure/Error: users_in_current_groups = User.with_current_user_groups.distinct.sort_by { |u| u.name.downcase }
     
     NoMethodError:
       undefined method `with_current_user_groups' for #<Class:0x000000000a44fa98>
     # ./app/controllers/application_controller.rb:764:in `build_user_emails_for_edit'
     # ./app/controllers/report_controller/schedules.rb:433:in `schedule_build_edit_screen'
     # ./app/controllers/report_controller/schedules.rb:252:in `schedule_edit'
     # ./spec/controllers/report_controller/schedules_spec.rb:21:in `block (3 levels) in <top (required)>'
  2) MiqPolicyController::Alerts test click on toolbar button alert edit
     Failure/Error: expect(response.status).to eq(200)
     
       expected: 200
            got: 500
     
       (compared using ==)
     # ./spec/controllers/miq_policy_controller/alerts_spec.rb:118:in `block (4 levels) in <top (required)>'
  3) MiqPolicyController::Alerts test click on toolbar button alert copy
     Failure/Error: expect(response.status).to eq(200)
     
       expected: 200
            got: 500
     
       (compared using ==)
     # ./spec/controllers/miq_policy_controller/alerts_spec.rb:123:in `block (4 levels) in <top (required)>'
  4) MiqPolicyController::Alerts alert edit #alert_build_edit_screen it should select correct record when editing an existing alert
     Failure/Error: users_in_current_groups = User.with_current_user_groups.distinct.sort_by { |u| u.name.downcase }
     
     NoMethodError:
       undefined method `with_current_user_groups' for #<Class:0x000000000a44fa98>
     # ./app/controllers/application_controller.rb:764:in `build_user_emails_for_edit'
     # ./app/controllers/miq_policy_controller/alerts.rb:288:in `alert_build_edit_screen'
     # ./spec/controllers/miq_policy_controller/alerts_spec.rb:46:in `block (5 levels) in <top (required)>'
  5) MiqPolicyController::Alerts alert edit #alert_build_edit_screen it should skip id when copying all attributes of an existing alert
     Failure/Error: users_in_current_groups = User.with_current_user_groups.distinct.sort_by { |u| u.name.downcase }
     
     NoMethodError:
       undefined method `with_current_user_groups' for #<Class:0x000000000a44fa98>
     # ./app/controllers/application_controller.rb:764:in `build_user_emails_for_edit'
     # ./app/controllers/miq_policy_controller/alerts.rb:288:in `alert_build_edit_screen'
     # ./spec/controllers/miq_policy_controller/alerts_spec.rb:40:in `block (5 levels) in <top (required)>'
  6) ApplicationController#build_user_emails_for_edit listing users's emails which belongs to current user's groups and some of them was already selected
     Failure/Error: users_in_current_groups = User.with_current_user_groups.distinct.sort_by { |u| u.name.downcase }
     
     NoMethodError:
       undefined method `with_current_user_groups' for #<Class:0x000000000a44fa98>
     # ./app/controllers/application_controller.rb:764:in `build_user_emails_for_edit'
     # ./spec/controllers/application_controller_spec.rb:291:in `block (4 levels) in <top (required)>'
     # ./spec/controllers/application_controller_spec.rb:290:in `block (3 levels) in <top (required)>'
  7) ApplicationController#build_user_emails_for_edit finds users with groups which belongs to current user's groups
     Failure/Error: user_ids = User.with_current_user_groups.collect(&:userid)
     
     NoMethodError:
       undefined method `with_current_user_groups' for #<Class:0x000000000a44fa98>
     # ./spec/controllers/application_controller_spec.rb:264:in `block (3 levels) in <top (required)>'
  8) ApplicationController#build_user_emails_for_edit listing users's emails which belongs to current user's groups
     Failure/Error: users_in_current_groups = User.with_current_user_groups.distinct.sort_by { |u| u.name.downcase }
     
     NoMethodError:
       undefined method `with_current_user_groups' for #<Class:0x000000000a44fa98>
     # ./app/controllers/application_controller.rb:764:in `build_user_emails_for_edit'
     # ./spec/controllers/application_controller_spec.rb:273:in `block (4 levels) in <top (required)>'
     # ./spec/controllers/application_controller_spec.rb:272:in `block (3 levels) in <top (required)>'

Fixed in ManageIQ/manageiq-ui-classic#4023 (Merged)