Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add tenant filtering for templates in provisioning and summary pages #17851

Merged
merged 1 commit into from
Oct 10, 2018

Conversation

alexander-demicev
Copy link

@alexander-demicev alexander-demicev commented Aug 13, 2018

This PR adds tenant filtering for templates in provisioning and summary pages.
I added new condition which finds all templates in case if user is admin, in case if user in not admin only private images that belong to user's tenant and public images should be shown.

https://bugzilla.redhat.com/show_bug.cgi?id=1524368
https://bugzilla.redhat.com/show_bug.cgi?id=1598520
https://bugzilla.redhat.com/show_bug.cgi?id=1546539

@aufi

@@ -36,6 +36,19 @@ def self.without_volume_templates
"ManageIQ::Providers::Openstack::CloudManager::VolumeSnapshotTemplate"])
end

def self.applied_filtering
tenant = User.current_user.current_group.tenant
if tenant.source_id
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR works good for me (at least from OpenStack provider point of view).

Can we get MIQ-core eyes on this PR? @Ladas @agrare

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lpichler hm, looks this this should be done via the tenant mapping? This looks like a wrong place.

@aufi Also I am confused about which tenant is in use here. Cause it looks like we use MIQ tenant, but we should rather use the mapped tenants? Or there should be 2 paths, with tenant mapping on&off?

@aufi
Copy link
Member

aufi commented Aug 28, 2018

current_group.tenant is MIQ Tenant of current user, if it was created by tenant-mapping feature, tenant.source_id points to OpenStack-mapped tenant (CloudTenant), otherwise it is nil. (assuming that source_id attribute is not used for other purposes by other providers or core which I'm not sure)

@lpichler
Copy link
Contributor

@alexander-demichev isn't logic described in description covered by #17058 ? If not, it should be added in RBAC call (like you did in #17058 ) or in some mixin.

I think that when what to list templates (maybe some special type) we want to get same result, independently where we call it, especially when it depends on user.

Also I noticed that you are not asking for admin user you stated in description. (or is it accomplished by source_id condition ? )

@aufi

assuming that source_id attribute is not used for other purposes by other providers or core which I'm not sure
that's right.

so we need to get in to RBAC call:

Rbac.filtered(MiqTemplate or do you need it only for any special model Cloud:: ? )

and then we need to spec as well.

if you have any other questions, let me know !

thanks!

@alexander-demicev alexander-demicev force-pushed the named-scopes-templates branch 2 times, most recently from e3f88b0 to 0f70bd0 Compare September 6, 2018 12:43
@alexander-demicev
Copy link
Author

@lpichler I added new tests, can you review PR? :)

@alexander-demicev
Copy link
Author

@lpichler Hi, can I get a review?

it "returns all public cloud templates" do
it "finds tenant's private cloud templates" do
User.current_user = user_2
tenant_2.source_id = 1
Copy link
Contributor

@lpichler lpichler Oct 3, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why there is hardcoded value 1 ? Isn't possible to establish relation ?

let(:group_2) { FactoryGirl.create(:miq_group, :tenant => tenant_2) } # T1
let(:user_2) { FactoryGirl.create(:user, :miq_groups => [group_2]) }

context "when tenant doesn't have source_id" do
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add something like when tenant is not mapped ? + on other places

expect(results).to match_array([cloud_template, cloud_template_root])
end

context "should ignore" do
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please write reason why it should ignore instead of, is it because of publicly_available => false ?


context "should ignore" do
let!(:cloud_template) { FactoryGirl.create(:template_cloud, :tenant => tenant_3, :publicly_available => false) }
it "private cloud templates" do
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

always it "verb something" like "returns .." as you have it on other places

expect(results).to match_array([cloud_template_2, cloud_template_3])
end

let(:cloud_template_5) { FactoryGirl.create(:template_cloud, :tenant => default_tenant, :publicly_available => true) }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it have to be evaluated before RBAC is called. And can you put it together after line context "when tenant has source_id "

            let!(:cloud_template_2) { FactoryGirl.create(:template_cloud, :tenant => tenant_2, :publicly_available => false) }
            let!(:cloud_template_3) { FactoryGirl.create(:template_cloud, :tenant => tenant_2, :publicly_available => true) }
            let!(:cloud_template_4) { FactoryGirl.create(:template_cloud, :tenant => default_tenant, :publicly_available => false) }
            let!(:cloud_template_5) { FactoryGirl.create(:template_cloud, :tenant => default_tenant, :publicly_available => true) }

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

with this, it is failing for me, so you probably need more changes here, but now you it should cause sporadic failures.

thanks

@JPrause
Copy link
Member

JPrause commented Oct 3, 2018

@miq-bot add_label blocker

@miq-bot miq-bot added the blocker label Oct 3, 2018
@JPrause
Copy link
Member

JPrause commented Oct 3, 2018

@alexander-demichev if this can be backported, can you add the gaprindashvili/yes and the hammer/yes labels

@alexander-demicev
Copy link
Author

@lpichler I refactored tests, is ok now? I tried to play with let!, but seems that the only way to make tests work is to create factories right in it block

@miq-bot
Copy link
Member

miq-bot commented Oct 5, 2018

Checked commit alexander-demicev@280fd75 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
3 files checked, 0 offenses detected
Everything looks fine. 🍪

@lpichler
Copy link
Contributor

lpichler commented Oct 5, 2018

@miq-bot assign @gtanzillo

@alexander-demicev
Copy link
Author

@gtanzillo hi, can you merge/review?

@@ -124,9 +124,13 @@ def self.display_name(number = 1)

def self.tenant_id_clause(user_or_group)
template_tenant_ids = MiqTemplate.accessible_tenant_ids(user_or_group, Rbac.accessible_tenant_ids_strategy(self))
return if template_tenant_ids.empty?
tenant = User.current_user.current_group.tenant
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be simplified to User.current_user.current_tenant

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, should this be looking at user_or_group that is passed in instead of User.current_user?

@JPrause
Copy link
Member

JPrause commented Oct 10, 2018

@gtanzillo is this ready to merge?
@alexander-demichev can you add the gaprindashvili/yes and the hammer/yes labels

@alexander-demicev
Copy link
Author

@miq-bot add_label gaprindashvili/yes

@alexander-demicev
Copy link
Author

@miq-bot add_label hammer/yes

@gtanzillo gtanzillo added this to the Sprint 97 Ending Oct 22, 2018 milestone Oct 10, 2018
@gtanzillo gtanzillo merged commit 142a184 into ManageIQ:master Oct 10, 2018
simaishi pushed a commit that referenced this pull request Oct 11, 2018
Add tenant filtering for templates in provisioning and summary pages

(cherry picked from commit 142a184)

https://bugzilla.redhat.com/show_bug.cgi?id=1524368
@simaishi
Copy link
Contributor

Hammer backport details:

$ git log -1
commit 15058e549987cba58b342ba3d675719093212ffe
Author: Gregg Tanzillo <[email protected]>
Date:   Wed Oct 10 14:08:21 2018 -0400

    Merge pull request #17851 from alexander-demichev/named-scopes-templates
    
    Add tenant filtering for templates in provisioning and summary pages
    
    (cherry picked from commit 142a184d4619fd9d3ecebb6cff71ccd13667832e)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1524368

simaishi pushed a commit that referenced this pull request Oct 11, 2018
Add tenant filtering for templates in provisioning and summary pages

(cherry picked from commit 142a184)

https://bugzilla.redhat.com/show_bug.cgi?id=1623561
@simaishi
Copy link
Contributor

Gaprindashvili backport details:

$ git log -1
commit 119d2691ca63f5730e7f7cfa37b8b7c029e7fa2a
Author: Gregg Tanzillo <[email protected]>
Date:   Wed Oct 10 14:08:21 2018 -0400

    Merge pull request #17851 from alexander-demichev/named-scopes-templates
    
    Add tenant filtering for templates in provisioning and summary pages
    
    (cherry picked from commit 142a184d4619fd9d3ecebb6cff71ccd13667832e)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1623561

@simaishi
Copy link
Contributor

oops... wrong BZ in the git commit msg for G backport... The correct one is: https://bugzilla.redhat.com/show_bug.cgi?id=1598520

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants