Add method to allow access for tenant quotas #17926
Conversation
lpichler
force-pushed
the
restrict_tenant_quotas
branch
3 times, most recently
from
ca7a0b2
to
92f916f
Compare
| let(:tenant_admin_role) { FactoryGirl.create(:miq_user_role, :features => MiqProductFeature::TENANT_ADMIN_FEATURE) } | ||
|
|
||
| let(:tenant_1) { FactoryGirl.create(:tenant, :parent => root_tenant) } | ||
| let(:tenant_1_1) { FactoryGirl.create(:tenant, :name => 'Tenant 2', :parent => tenant_1) } |
There was a problem hiding this comment.
Please don't specify :name since there is a sequence on the factory
|
|
||
| let(:tenant_1) { FactoryGirl.create(:tenant, :parent => root_tenant) } | ||
| let(:tenant_1_1) { FactoryGirl.create(:tenant, :name => 'Tenant 2', :parent => tenant_1) } | ||
| let(:tenant_1_2) { FactoryGirl.create(:tenant, :name => 'Tenant 3', :parent => tenant_1, :divisible => false) } |
| let(:tenant_1_2) { FactoryGirl.create(:tenant, :name => 'Tenant 3', :parent => tenant_1, :divisible => false) } | ||
|
|
||
| let(:group_tenant_1_tenant_admin) { FactoryGirl.create(:miq_group, :miq_user_role => tenant_admin_role, :tenant => tenant_1) } | ||
| let(:user_tenant_1_tenant_admin) { FactoryGirl.create(:user, :userid => 'user', :miq_groups => [group_tenant_1_tenant_admin]) } |
There was a problem hiding this comment.
Should :userid be moved to a sequence in the factory?
There was a problem hiding this comment.
there is sequence for, so removing it from here
| let(:user_tenant_1_tenant_admin) { FactoryGirl.create(:user, :userid => 'user', :miq_groups => [group_tenant_1_tenant_admin]) } | ||
|
|
||
| let(:group_tenant_1_super_admin) { FactoryGirl.create(:miq_group, :miq_user_role => super_admin_role, :tenant => tenant_1) } | ||
| let(:user_tenant_1_super_admin) { FactoryGirl.create(:user, :userid => 'user', :miq_groups => [group_tenant_1_super_admin]) } |
There was a problem hiding this comment.
Does this work? We have a validation that userid needs to be unique within the region
There was a problem hiding this comment.
it was working because of lazy evaluation of let but we have sequence here for it so removing
lpichler
force-pushed
the
restrict_tenant_quotas
branch
from
92f916f
to
4ec38c7
Compare
|
@bdunne I added your suggestions, thanks! |
|
Checked commit lpichler@4ec38c7 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 |
In DB
Tenant has many Tenant Quotas
let's have tenant tree (in brackets are users)
and users S1 (with super-admin role) and U1 (with tenant-admin role)
From BZ is requested that user with tenant-admin role should not be able manage quotas from his tenant and ancestor but only from his children otherwise as before.
managemeans all operations:read, create, edit, delete.Example:
U1 can manage quotas just for T2 and T3.
Technically
This rule doesn't fit to our existing models RBAC or MiqProductFeature permissions. It is like MiqProductFeature permission with some special RBAC behaviour. But maybe I just need different point of view.
Suggested next steps
This method is planned to be added to restrict all needed parts in the application:
UI: to toolbar buttons(create, edit, delete), templates(view)
API: CRUD
Note: to include it in RBAC could eventually help partly but after moment when quotas are created and quotas are created - at moment when you press button SAVE in form of tenant quotas - it is late. But we can include to ensure view operations for tenant_quotas like RBAC::Filterer.filtered(TenantQuotas)
At this moment I just created this backend method and I am opened discussion, ideas comments, if needed.
TODOs
Links
@miq-bot assign @gtanzillo