Fix tag filtering for indirect RBAC #15088
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filtered_ids = ids of items determined from filters like belongs to filter, managed filter, self_service user filter
tenant_filter_ids = additional filter based on tenant hiearchy (only for indirect rbac)
before:
there was a union for filtered_ids and tenant_filter
which was selected improperly because both
sets of ids are basically expressing limitation so there
have to find intersection.
example:
Tenant:
MyCompany->
Tenant1 ->
Tenant2
User is tight with group(with Tenant2) and role with
tag filter A
Vm1 Belongs to Tenant2 and is not tagged with any tag
Vm2 Belongs to Tenant2 and is tagged with tag A
the user have to see only VMs from his tenant and
from these VMs only which are tagged with tag A
————
this covers
when filtered_ids and tenant_filter_ids are not empty
when filtered_ids is not nil and tenant_filter_ids is nil then return filtered_ids when filtered_ids is nil and tenant_filter_ids is nil then return nil
lpichler
changed the title
|
Checked commits lpichler/manageiq@7f18378~...e4a78ce with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0 |
lpichler
changed the title
|
@lpichler unrecognized command 'remove', ignoring... Accepted commands are: add_label, assign, close_issue, move_issue, remove_label, rm_label, set_milestone |
|
@miq-bot remove_label wip |
simaishi
pushed a commit
that referenced
this pull request
May 16, 2017
…t_rbac Fix tag filtering for indirect RBAC (cherry picked from commit 2facb0b) https://bugzilla.redhat.com/show_bug.cgi?id=1451395
|
Fine backport details: |
simaishi
pushed a commit
that referenced
this pull request
May 16, 2017
…t_rbac Fix tag filtering for indirect RBAC (cherry picked from commit 2facb0b) https://bugzilla.redhat.com/show_bug.cgi?id=1451396
|
Euwe backport details: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
in #14095 was added tenant scope filter
for tenant restriction for associated models(indirect RBAC).
In method
combine_filtered_idswas the issue thatidsdetermined by tag filters, belongs filters and self-services users were joined toidsdetermined by tenant scope filter.But both sets of
idsexpress limitation so they have to be combined by intersection.Example:
Tenant:
MyCompany->
Tenant1 ->
Tenant2
User is tight with group(with Tenant2) and role with
filtering by tag 'my_tag'
Vm1 Belongs to Tenant2 and is not tagged with any tag
Vm2 Belongs to Tenant2 and is tagged with tag 'my_tag'
the user have to see only VMs from his tenant and
from these VMs he will only VMs which are tagged with tag 'my_tag'.
Links
https://bugzilla.redhat.com/show_bug.cgi?id=1448994
#14095
@miq-bot add_label fine/yes
@miq-bot add_label euwe/yes
@miq-bot assign @gtanzillo
cc @kbrock
@miq-bot add_label bug, rbac, blocker