-
Notifications
You must be signed in to change notification settings - Fork 897
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add method to allow access for tenant quotas #17926
Conversation
ca7a0b2
to
92f916f
Compare
let(:tenant_admin_role) { FactoryGirl.create(:miq_user_role, :features => MiqProductFeature::TENANT_ADMIN_FEATURE) } | ||
|
||
let(:tenant_1) { FactoryGirl.create(:tenant, :parent => root_tenant) } | ||
let(:tenant_1_1) { FactoryGirl.create(:tenant, :name => 'Tenant 2', :parent => tenant_1) } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please don't specify :name
since there is a sequence on the factory
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
|
||
let(:tenant_1) { FactoryGirl.create(:tenant, :parent => root_tenant) } | ||
let(:tenant_1_1) { FactoryGirl.create(:tenant, :name => 'Tenant 2', :parent => tenant_1) } | ||
let(:tenant_1_2) { FactoryGirl.create(:tenant, :name => 'Tenant 3', :parent => tenant_1, :divisible => false) } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
let(:tenant_1_2) { FactoryGirl.create(:tenant, :name => 'Tenant 3', :parent => tenant_1, :divisible => false) } | ||
|
||
let(:group_tenant_1_tenant_admin) { FactoryGirl.create(:miq_group, :miq_user_role => tenant_admin_role, :tenant => tenant_1) } | ||
let(:user_tenant_1_tenant_admin) { FactoryGirl.create(:user, :userid => 'user', :miq_groups => [group_tenant_1_tenant_admin]) } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should :userid
be moved to a sequence in the factory?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there is sequence for, so removing it from here
let(:user_tenant_1_tenant_admin) { FactoryGirl.create(:user, :userid => 'user', :miq_groups => [group_tenant_1_tenant_admin]) } | ||
|
||
let(:group_tenant_1_super_admin) { FactoryGirl.create(:miq_group, :miq_user_role => super_admin_role, :tenant => tenant_1) } | ||
let(:user_tenant_1_super_admin) { FactoryGirl.create(:user, :userid => 'user', :miq_groups => [group_tenant_1_super_admin]) } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this work? We have a validation that userid
needs to be unique within the region
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it was working because of lazy evaluation of let but we have sequence here for it so removing
92f916f
to
4ec38c7
Compare
@bdunne I added your suggestions, thanks! |
Checked commit lpichler@4ec38c7 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 |
In DB
Tenant has many Tenant Quotas
let's have tenant tree (in brackets are users)
and users S1 (with super-admin role) and U1 (with tenant-admin role)
From BZ is requested that user with tenant-admin role should not be able manage quotas from his tenant and ancestor but only from his children otherwise as before.
manage
means all operations:read, create, edit, delete.Example:
U1 can manage quotas just for T2 and T3.
Technically
This rule doesn't fit to our existing models RBAC or MiqProductFeature permissions. It is like MiqProductFeature permission with some special RBAC behaviour. But maybe I just need different point of view.
Suggested next steps
This method is planned to be added to restrict all needed parts in the application:
UI: to toolbar buttons(create, edit, delete), templates(view)
API: CRUD
Note: to include it in RBAC could eventually help partly but after moment when quotas are created and quotas are created - at moment when you press button SAVE in form of tenant quotas - it is late. But we can include to ensure view operations for tenant_quotas like RBAC::Filterer.filtered(TenantQuotas)
At this moment I just created this backend method and I am opened discussion, ideas comments, if needed.
TODOs
Links
@miq-bot assign @gtanzillo