Make all public images be visible for provisioning. #17058
Conversation
|
@lpichler Can you take a look to it? |
|
@alexander-demichev so far looks good but can you add some specs to see RBAC cases ? |
|
@lpichler Sure, I will do it |
alexander-demicev
force-pushed
the
public-images-tenants
branch
from
39a8f3d to
f78b823
Compare
|
@lpichler Hi, I added some tests, is it ok now? |
alexander-demicev
changed the title
|
This pull request is not mergeable. Please rebase and repush. |
alexander-demicev
force-pushed
the
public-images-tenants
branch
2 times, most recently
from
0194b99 to
a2f4837
Compare
|
Hi @lpichler, is there anything else @alexander-demichev needs to do on this? Thanks! :) |
|
Hi @alexander-demichev, your test are good but as you nicely built objects user - group - role, can you also add some test with RBAC call ? (you will need to create some template cloud ) let (:cloud_template_1) { }
let (:cloud_template_2) { }
it 'returns all cloud templates when user is admin ' do
results = described_class.search(:class => CloudTemplate, :user => any_user)
expect(results).to (CloudTemplate.all)
end
it 'returns only cloud templates related to restricted user is admin' do
...
endand such specs what I am suggesting are placed usually in |
alexander-demicev
force-pushed
the
public-images-tenants
branch
from
a2f4837 to
509926c
Compare
|
This pull request is not mergeable. Please rebase and repush. |
|
@alexander-demichev are there further review/edits needed? |
alexander-demicev
force-pushed
the
public-images-tenants
branch
2 times, most recently
from
d627e41 to
1be1571
Compare
alexander-demicev
force-pushed
the
public-images-tenants
branch
from
1be1571 to
46053ba
Compare
| @@ -122,6 +122,13 @@ def self.display_name(number = 1) | |||
| n_('Image', 'Images', number) | |||
| end | |||
|
|
|||
| def self.tenant_id_clause(user_or_group) | |||
| template_tenant_ids = MiqTemplate.accessible_tenant_ids(user_or_group, Rbac.accessible_tenant_ids_strategy(MiqTemplate)) | |||
There was a problem hiding this comment.
this can be just
accessible_tenant_ids(user_or_group, Rbac.accessible_tenant_ids_strategy(self))
spec/lib/rbac/filterer_spec.rb
Outdated
| let!(:cloud_template) { FactoryGirl.create(:template_cloud, :tenant => tenant_3, :publicly_available => true) } | ||
|
|
||
| context "returns all public cloud templates" do | ||
| it "" do |
There was a problem hiding this comment.
missing description for it ""
spec/lib/rbac/filterer_spec.rb
Outdated
| let(:tenant_3) { FactoryGirl.create(:tenant, :parent => tenant_2) } # T3 | ||
| let!(:cloud_template) { FactoryGirl.create(:template_cloud, :tenant => tenant_3, :publicly_available => true) } | ||
|
|
||
| context "returns all public cloud templates" do |
There was a problem hiding this comment.
context is not needed here, it looks like that message should in related 'it'
There was a problem hiding this comment.
you can learn more here: http://www.betterspecs.org
spec/lib/rbac/filterer_spec.rb
Outdated
|
|
||
| context "ignores private cloud templates" do | ||
| let!(:cloud_template) { FactoryGirl.create(:template_cloud, :tenant => tenant_3, :publicly_available => false) } | ||
| it "" do |
|
@alexander-demichev I put some comments here, otherwise LGTM 👍 @miq-bot assign @gtanzillo |
alexander-demicev
force-pushed
the
public-images-tenants
branch
from
46053ba to
e5d2edd
Compare
|
Checked commit alexander-demicev@e5d2edd with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 |
|
Something about this API feels off...I don't understand why a model would have clause like this as opposed to an ActiveRecord scope. @NickLaMuro @kbrock Thoughts here? |
|
@Fryguy at first glance, I have seen this before: So it is a method in this case as well, but defined in a I mean, as far as whether it is a scope or not, I guess I don't have an opinion (since one is just an shorthand for the other). And I think you are more concerned about the pattern that is in place for tenancy plus RBAC, and for that, I don't know what I think without giving it some more thought. This seems to be be at least following the pattern in place for the But unsure if that pattern is a good thing overall. |
|
As @NickLaMuro pointed out, that is the pattern we've been using for cases where the generic tenant access doesn't fit a particular class. It may not be ideal but we've done this for a handful of classes already. |
|
@alexander-demichev @gtanzillo Can this be |
|
@simaishi, Yes, I think so. I'll set the label |
Make all public images be visible for provisioning. (cherry picked from commit 178f498) Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1598520
|
Thanks @gtanzillo Gaprindashvili backport details: |
This PR makes all public images visible for tenants. The issue is that when we have MiQ user with visibility to 1 cloud tenant public images of admin user are not visible.
https://bugzilla.redhat.com/show_bug.cgi?id=1524368
ping @aufi