Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Container* belongsto filter in Rbac::Filterer #18654

Merged
merged 3 commits into from
Apr 15, 2019
Merged

Fix Container* belongsto filter in Rbac::Filterer #18654

merged 3 commits into from
Apr 15, 2019

Conversation

NickLaMuro
Copy link
Member

ContainerGroup, among other classes, were not being filter based on it's Entitlements for a given user's role, as reported by this BZ:

https://bugzilla.redhat.com/show_bug.cgi?id=1631694

This not only includes ContainerGroup in the Rbac::Filterer's BELONGSTO_FILTER_CLASSES constant, but also makes sure it is one of the classes that is filtered via associations, and not as itself and it's descendants (which is what happens in else portion of Rbac::Filterer#get_belongsto_matches). Applies the same treatment to all Container* classes, since they also suffered from the same problem, and specs were created for each class.

There was a small bit of refactoring done in this PR, which was just to make the if clause more legible, but it is doing it in a way that doesn't completely retain the clause in it's original form (but is arguably more readable), so some eyes on that portion of things would be necessary. The refactoring effort can be put off if desired and done in a separate PR.

(Possible) Outstanding issue

While this does fix the issue described in the ticket, the MiqProductFeatures that are setup (and described as being present in the ticket) are not applied at all in Rbac (if at all). I don't know if this is something that is filtered elsewhere, but currently, the following filters:

- [x] Everything
  - [ ] Cloud Intel
  - [ ] Services
  - [ ] Compute
    - [ ] Clouds
    - [ ] Infrastructure
    - [ ] Physical Infrastructure
    - [x] Containers
      - [ ] Containers Dashboard
      - [x] Container Providers
	- [x] View
	- [ ] Operate
	- [ ] Modify
      - [x] Projects
	- [x] View
	- [ ] Operate
      - [x] Routes
	- [x] View
	- [ ] Operate
      - [x] Services
	- [x] View
	- [ ] Operate
      - [x] Replicators
	- [x] View
	- [x] Operate
      - [x] Pods
	- [x] View
	- [ ] Operate
      - [x] Containers Explorer
	- [x] Relationships
	  - [x] View Containers
	- [x] All Containers
	  - [x] View Containers
	  - [ ] Modify
      - [ ] Nodes
      - [x] Volumes
	- [x] View
	- [ ] Modify
	- [ ] Operate
      - [x] Builds
	- [x] View
	- [ ] Operate
      - [x] Registries
	- [x] View
	- [ ] Operate
      - [x] Images
	- [x] View
	- [ ] Operate
      - [x] Templates
	- [x] View
	- [x] Operate
      - [x] Containers Topology
	- [x] View

Does not do anything to my knowledge to limit viewing permissions in Rbac.

That said, it might limit it in the view/UI, but that is not being tested here (even though it is being setup in the QA steps below)

Links

Steps for Testing/QA

The provided gist above has two scripts to run, so follow the README.md instructions there.

@NickLaMuro
[Rbac::Filterer] Refactor get_belongsto_matches if
f2a00f9 
The `if` statement for `Rbac::Filterer#get_belongsto_matches` is getting
a bit unwieldy and hard to digest.

This simply breaks the logic out into it's own method, since a follow up
commit will add to it, just adding to the complexity.
@NickLaMuro
Copy link
Member Author

@miq-bot add_label bug
@miq-bot assign @kbrock

cc @lpichler

@miq-bot miq-bot added the bug label Apr 12, 2019
@NickLaMuro
[Rbac::Filterer] Fix Container* belongsto filter
8fbebdb 
`ContainerGroup`, among other classes, were not being filter based on
it's Entitlements.

This not only includes `ContainerGroup` in the `Rbac::Filterer`'s
`BELONGSTO_FILTER_CLASSES` constant, but also makes sure it is one of the
classes that is filtered via associations, and not as itself and it's
descendants.

Applies the same treatment to all `Container*` classes.
@NickLaMuro NickLaMuro force-pushed the fix-container-group-entitlement-filtering-in-rbac branch from 7f085c5 to 8fbebdb Compare April 12, 2019 19:15
@NickLaMuro
[FIXUP] ASSOCIATED_BELONGSTO_MODELS as a method
45834ce 
Regarding concerns brought up for having class names in constants
causing potential autoloading issues in certain scenarios (the appliance
build for examples), this has been moved from a constant to a method to
avoid that case.
@miq-bot
Copy link
Member

miq-bot commented Apr 12, 2019

Checked commits NickLaMuro/manageiq@f2a00f9~...45834ce with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
2 files checked, 0 offenses detected
Everything looks fine. 🍰

kbrock
kbrock reviewed Apr 15, 2019
View reviewed changes
lib/rbac/filterer.rb
end
end

def associated_belongsto_models
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

future reference: putting into a constant preloads all classes. not good for load time and development re-loading.

he was not a fan of safe_constantize - so we agreed that this was the best solution.

@kbrock
Copy link
Member

kbrock commented Apr 15, 2019

also note, the first commit (refactor) simplifies the second commit (the addition of the extra clases)

@kbrock kbrock merged commit 171c281 into ManageIQ:master Apr 15, 2019
@JPrause
Copy link
Member

JPrause commented Apr 18, 2019

@kbrock if this can be backported, can you add the label: hammer/yes

@NickLaMuro
Copy link
Member Author

@miq-bot add_label hammer/yes

simaishi pushed a commit that referenced this pull request Apr 22, 2019
@kbrock @simaishi
Merge pull request #18654 from NickLaMuro/fix-container-group-entitle…
9abba2b 
…ment-filtering-in-rbac

Fix Container* belongsto filter in Rbac::Filterer

(cherry picked from commit 171c281)

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1702076
@simaishi
Copy link
Contributor

Hammer backport details:

$ git log -1
commit 9abba2b4e6e4811bbd6242ad1e16543047a2c7a6
Author: Keenan Brock <[email protected]>
Date:   Mon Apr 15 06:33:33 2019 -0600

    Merge pull request #18654 from NickLaMuro/fix-container-group-entitlement-filtering-in-rbac
    
    Fix Container* belongsto filter in Rbac::Filterer
    
    (cherry picked from commit 171c2815e96c61858a224ec431b939f8c39be1b2)
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1702076

@mfeifer mfeifer added this to the Sprint 109 Ending Apr 15, 2019 milestone Jan 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kbrock kbrock kbrock left review comments

Assignees

@kbrock kbrock

Labels
bug core/rbac hammer/backported
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@NickLaMuro @miq-bot @kbrock @JPrause @simaishi @mfeifer