-
Notifications
You must be signed in to change notification settings - Fork 357
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authorise manage tenant quotas as tenant product feature in UI #5123
Authorise manage tenant quotas as tenant product feature in UI #5123
Conversation
@miq-bot add_label hammer/yes |
@@ -166,7 +166,7 @@ def rbac_tenant_manage_quotas_reset | |||
end | |||
|
|||
def rbac_tenant_manage_quotas | |||
assert_privileges("rbac_tenant_manage_quotas") | |||
assert_privileges(MiqProductFeature.tenant_identifier('rbac_tenant_manage_quotas', params[:id])) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be better if the call to MiqProductFeature.tenant_identifier
lived in assert_privileges
, if possible. This way UI developers don't necessarily need to be aware of it.
8ee9ce0
to
2b10a95
Compare
6e97be5
to
46d9603
Compare
@miq-bot assign @martinpovolny |
@@ -2081,6 +2081,10 @@ def identify_tl_or_perf_record | |||
end | |||
|
|||
def assert_privileges(feature) | |||
if MiqProductFeature.my_root_tenant_identifier?(feature) && params&.[](:id) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
params.key?(:id)
?
46d9603
to
685a43f
Compare
app/helpers/application_helper.rb
Outdated
# return feature that should be checked for the button that came in | ||
case pressed | ||
when "rbac_project_add", "rbac_tenant_add" | ||
"rbac_tenant_add" | ||
when "rbac_tenant_manage_quotas" | ||
MiqProductFeature.tenant_identifier('rbac_tenant_manage_quotas', resource_id) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it make sense to use the same logic as in assert_privileges
here?
(As in, don't hardcode rbac_tenant_manage_quotas
if this should be happening for every MiqProductFeature.my_root_tenant_identifier?(feature)
when resource_id
is not nil?)
This would also make it clear that calling tenant_identifier
with nil
as the second param shouldn't happen.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
all of this method is a hack
there was some generic mechanism and then someone added an "if" there for a particular button
now there's one more of such "if"s.
Then the UI team has to support this for ever.
@@ -1144,8 +1144,8 @@ def rbac_free_for_custom_button?(task, button_id) | |||
|
|||
def check_button_rbac | |||
# buttons ids that share a common feature id | |||
common_buttons = %w(rbac_project_add rbac_tenant_add) | |||
task = common_buttons.include?(params[:pressed]) ? rbac_common_feature_for_buttons(params[:pressed]) : rbac_feature_id(params[:pressed]) | |||
common_buttons = %w(rbac_project_add rbac_tenant_add rbac_tenant_manage_quotas) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are expanding an exception that was not supposed to be there at all
@@ -2081,6 +2081,10 @@ def identify_tl_or_perf_record | |||
end | |||
|
|||
def assert_privileges(feature) | |||
if MiqProductFeature.my_root_tenant_identifier?(feature) && params.key?(:id) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
assert_privileged
was a rather clean method, not a pure function as it talks to a database, but given a state of the models it would return a result that would depend only on its single argument.
Not you are adding a side channel to it -- you talk to params
. This goes directly against the cleanup efforts that we are having.
b9014e8
to
100db67
Compare
100db67
to
838791c
Compare
@martinpovolny @himdel I overrode method |
@@ -8,6 +8,14 @@ module OpsController::OpsRbac | |||
'Tenant' => 'tenant' | |||
}.freeze | |||
|
|||
def role_allows?(**options) | |||
if MiqProductFeature.my_root_tenant_identifier?(options[:feature]) && params.key?(:id) | |||
options[:feature] = MiqProductFeature.tenant_identifier(options[:feature], params[:id].to_s.split("-").last) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why the split?
According to the tests, this is always just the id, are the tests wrong? ;)
(Or, if we're always dealing with trees, maybe something like ⬇️ ?)
_, _, id = TreeBuilder.extract_node_model_and_id(params[:id])
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes exactly I was looking for this, 👍
this goes for button (if it should display "Manage Tenant Quotas" button in toolbar) and for controller actions.
838791c
to
13a3f97
Compare
@miq-bot remove_label wip |
LGTM, merging now because build reasons 👍 , |
…_as_tenant_product_feature Authorise manage tenant quotas as tenant product feature in UI (cherry picked from commit ae4b7ad) https://bugzilla.redhat.com/show_bug.cgi?id=1468795
Hammer backport details:
|
WIP:
Scenario:
Let's have tenant structure:
According to the BZ user alpha needs to have forbidden access to managing quotas for tenant Alpha (user alpha) and allowed to managing quotas.
We can use for this recent feature called Dynamic product features according to tenants
that we will authorise dynamic tenant product features (
rbac_tenant_manage_quotas_tenant_<TENANT ID where we want/don't want to manage tenant quotas >
) to access managing quotas of .To accomplish this we need to change places where we are authorising
rbac_tenant_manage_quotas_tenant
torbac_tenant_manage_quotas_tenant_<TENANT ID where we want/don't want to manage tenant quotas >
This places are in UI and API in the PRs above
User alpha has this setting in role (rbac_tenant_manage_quotas_tenant is checked just for Omega Tenant)
which will forbid managing for tenant alpha
and allow manage quotas for omega tenant
Links
@miq-bot add_label enhancement, blocker