Bug 1596738 - After MiqRequest was made taggable, we're not able to see requests if our users are in groups with managed tags
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: GA
: 5.10.0
Assignee: Joe Rafaniello
QA Contact: Shveta
URL:
Whiteboard:
Depends On:
Blocks: 1597321
Reported: 2018-06-29 14:55 UTC by Joe Rafaniello
Modified: 2019-02-11 14:06 UTC (History)

Fixed In Version: 5.10.0.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1597321 (view as bug list)
Environment:
Last Closed: 2019-02-11 14:06:52 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:



Description Joe Rafaniello 2018-06-29 14:55:56 UTC
Description of problem: After MiqRequest was made taggable in the PR [1] for BZ [2], we cannot see provision requests our users have created if the users are in groups with managed tags.

Credit goes to github user LorkScorguar who reported this issue and provided lots of diagnostics to help us fix this properly.

From their comments:

"After this fix, I don't have error on requests page, but with an account tied to a subtenant, I'm unable to see any requests even my own."

"This is what I have:

           rootTenant
               |
            subTenant
   /           |               \
sub2Tenant sub2Tenant2 sub2Tenant3

If a user from sub2Tenant creates a request, he can't see other tenants' requests (normal), but he can't see requests on his tenant (abnormal); he can't even see his own requests.
Users from subTenant are also unable to see requests from descendant tenants.

All users get rights from custom roles, not the default ones. I don't know if this can be the problem."


"I found the problem. It's not related to role, but to my group. On my group I have a filter by tag which is used to restrict view on some object, but miq_requests doesn't have tags, so users are unable to see their requests."


Here is the information:
Using the same tenant tree as before, this is what I have:

           rootTenant
               |
            subTenant
   /           |               \
sub2Tenant sub2Tenant2 sub2Tenant3

2 tags:

business_group, can be: team1, team2, team3
business_unit, can be: fr, de, uk

We have 3 user groups:
groupA, attached to rootTenant and no filter, custom role full access
groupB, attached to rootTenant and filter business_unit=fr, custom role access to catalog, services and machines
groupC, attached to sub2Tenant and filter business_unit=fr & business_group=teamC, custom role access to catalog, services and machines (same as for groupB)

groupA has no problem seeing requests
groupB and groupC can see any requests even their own
I tried to remove the filter tag on groupB and then they are able to see requests, but I can't keep it like that.

I experimented with requests: giving the group the right to approve/deny + tag_assign on requests allows the user to see the request, but tag_assign only didn't help.


[1] https://github.com/ManageIQ/manageiq/pull/17466
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1576129


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Update to 5.8.4.4 OR on 5.9.2, apply the 5.9.2 hotfix found at https://bugzilla.redhat.com/show_bug.cgi?id=1583710#c2
2. Assign tags such as /managed/environments/prod to a group for your user
3. Create any request, such as a provision request
4. Try to view this request in the UI as this user

Actual results:
User cannot see their own requests.

Expected results:
User can see their requests, any from within their tenant and any requests from subtenants.

Additional info:

This is a 5.8 and 5.9 only bug as 5.10 has not yet shipped.

https://bugzilla.redhat.com/show_bug.cgi?id=1576129 (5.10 - ON_QA)

https://bugzilla.redhat.com/show_bug.cgi?id=1583710 (5.9 - Verified, in 5.9.3.1, not shipped, hotfix provided for 5.9.2 and follow up issue from customer was reported after using the hotfix)

https://bugzilla.redhat.com/show_bug.cgi?id=1583711 (shipped in 5.8.4.4)

Comment 2 Dave Johnson 2018-06-29 15:02:14 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 4 CFME Bot 2018-06-29 16:51:27 UTC
New commit detected on ManageIQ/manageiq/master:

https://github.com/ManageIQ/manageiq/commit/f8c05532cf654cff8e39bded83c25af8fbec281c
commit f8c05532cf654cff8e39bded83c25af8fbec281c
Author:     Joe Rafaniello <jrafanie@redhat.com>
AuthorDate: Fri Jun 29 10:59:11 2018 -0400
Commit:     Joe Rafaniello <jrafanie@redhat.com>
CommitDate: Fri Jun 29 10:59:11 2018 -0400

    Remove Request taggable and prevent tag filtering

    MiqRequest was changed to allow ownership for self service and limited
    self-service users in ManageIQ #17208, BZ #1545395

    This caused a problem if you had tag filters assigned to a user's group:
    undefined method `find_tags_by_grouping'.  This was fixed in
    ManageIQ #17466, BZ #1576129, and shipped with:

    Fine: BZ #1583711
    Gaprindashvili: BZ #1583710

    Unfortunately, this second fix to add taggable caused a new bug: users in
    groups having tag filters could not see their own requests.

    This commit changes MiqRequest to no longer be taggable, since it's not
    even taggable in the UI and instead, we add MiqRequest to a list of
    models that are RBAC'able but not taggable so we don't try to filter
    MiqRequest based on a user's group tag filters.

    Credit goes to github user LorkScorguar who reported this issue and
    provided lots of diagnostics to help us fix this properly.

    To test this, simply assign managed filters to a user's group, such as
    /managed/environments/production, create a request for that user and
    try to see that user's request.  They couldn't see it if they received
    the intermediate fix, #17466, or if they didn't receive that fix, they'd
    receive the `find_tags_by_grouping` error shown above.

    For gaprindashvili and fine:
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596738

    For hammer:
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1576129

 app/models/miq_request.rb | 2 -
 lib/rbac/filterer.rb | 2 +-
 spec/lib/rbac/filterer_spec.rb | 41 +
 3 files changed, 42 insertions(+), 3 deletions(-)
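
The failure mode and the fix described in the commit message above, as an added Ruby sketch that is not ManageIQ code: tag filters applied to a model that never carries tags hide every record, while exempting that model leaves tenant scoping in place. The struct and constant names, the tag paths, and the rule that a record must carry every filter tag are assumptions made for this illustration.

```ruby
# Constructed toy model of tag-filtered RBAC; not ManageIQ code.
Record = Struct.new(:id, :tenant, :tags)
Group  = Struct.new(:name, :tenant, :tag_filters)

# Tenant tree from the report, stored as child => parent.
PARENT = {
  "subTenant"   => "rootTenant",
  "sub2Tenant"  => "subTenant",
  "sub2Tenant2" => "subTenant",
  "sub2Tenant3" => "subTenant"
}.freeze

# Hypothetical name: models that are RBAC-scoped but never carry tags.
RBAC_BUT_NOT_TAGGABLE = %w[Request].freeze

# True when `tenant` is `root` or one of its descendants.
def in_subtree?(tenant, root)
  until tenant.nil?
    return true if tenant == root
    tenant = PARENT[tenant]
  end
  false
end

# Tenant scoping always applies. Tag filters apply only to models that can
# hold tags. Simplification: a record must carry every tag in the filter.
def visible_ids(model, records, group, untaggable: [])
  scoped = records.select { |r| in_subtree?(r.tenant, group.tenant) }
  unless group.tag_filters.empty? || untaggable.include?(model)
    scoped = scoped.select { |r| (group.tag_filters - r.tags).empty? }
  end
  scoped.map(&:id)
end

FR = "/managed/business_unit/fr" # constructed tag path
GROUP_A = Group.new("groupA", "rootTenant", [])
GROUP_B = Group.new("groupB", "rootTenant", [FR])
GROUP_C = Group.new("groupC", "sub2Tenant", [FR, "/managed/business_group/teamC"])

# Constructed sample data: requests are never tagged, VMs may be.
REQUESTS = [Record.new(1, "sub2Tenant", []), Record.new(2, "sub2Tenant2", []),
            Record.new(3, "rootTenant", [])].freeze
VMS = [Record.new(10, "sub2Tenant", [FR]), Record.new(11, "sub2Tenant", [])].freeze

if __FILE__ == $PROGRAM_NAME
  [GROUP_A, GROUP_B, GROUP_C].each do |g|
    before = visible_ids("Request", REQUESTS, g)
    after  = visible_ids("Request", REQUESTS, g, untaggable: RBAC_BUT_NOT_TAGGABLE)
    puts "#{g.name}: tag-filtered=#{before.inspect} exempt=#{after.inspect}"
  end
end
```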

Comment 6 Shveta 2018-07-12 20:06:02 UTC
Requests are visible to user belonging to a group that is tagged.
Verified in 5.10.0.3.20180705151325_ce4d2b5

