Security Groups provisioning UI

[gildub]

Adds controller actions with task queueing
Validation using supports feature mixin.
Adds new and edit views with javascript

https://bugzilla.redhat.com/show_bug.cgi?id=1394278

Access through left navigation: Networks -> Security Groups - toolbar Configuration

[tzumainn]

@miq-bot add_label euwe/yes

[miq-bot]

<pr_mergeability_checker />This pull request is not mergeable. Please rebase and repush.

[gildub]

@martinpovolny could you please re-review?

[gildub]

@himdel, @dclarizio, can you please do a review?

[martinpovolny]

we really need to make the "button" and "x_button" actions simple like here: https://github.com/ManageIQ/guides/blob/master/ui/button_actions.md

or at least make it a simple case so that it can be easily refactored later.

Someone is going to have a hell of a job refactoring the remaining button methods so let's not make it worse with new code.

Just make a simple case based on params[:pressed]. And remove especially the part and below.

elsif !flash_errors? && @refresh_div == "main_div" && @lastaction == "show_list"

i

Btw similar code:

app/controllers/cloud_network_controller.rb:24
app/controllers/cloud_subnet_controller.rb:16
app/controllers/network_router_controller.rb:16

[gildub]

@martinpovolny,

I understand the idea, meanwhile that's not fair, this is not introducing anything new code at all and certainly not making it worse either, just using plain old approach like 99% of the current existing def button code. I'm happy to help with the refactoring but into another PR.

[martinpovolny]

It would be nice if everyone picked the cleaner examples for new stuff but I understand your point. Sure we can do cleanup in a follow up PR, actually I created several PRs that try to deal with this in several controllers. I just want to make sure that we don't create refactoring TODOs faster than we resolve them.

[himdel]

Same here, can you please provide info where to find this, and a screenshot? :)

[tzumainn]

@gildub I think this PR may be missing the _center.rb updates that update the toolbars... ?

[himdel]

should be find(s)

[gildub]

Done.

[gildub]

@tzumainn, you're right the toolbar/*_center got lost during the PR backend/UI split! Thanks

[gildub]

@himdel, I updated PR commit indicating the menu path for the feature.
Also fixed an issue with task error in flash.
Should be all green now.

[tzumainn]

This needs to be something like:

options[:cloud_tenant] = find_by_id_filtered(CloudTenant, params[:cloud_tenant_id]) if params[:cloud_tenant_id]

Because the model expects options to include :cloud_tenant, and not :cloud_tenant_id (I'm currently fixing this in other places)

[gildub]

Done, thanks.

[gildub]

@himdel, @martinpovolny, could you please review? Thanks

[himdel]

So..

Unable to create Security Group "abc": Expected([200, 204]) <=> Actual(401 Unauthorized) excon.error.response :body => "{\"error\": {\"message\": \"The request you have made requires authentication.\", \"code\": 401, \"title\": \"Unauthorized\"}}" :cookies => [ ] :hea...

is not a great error message, but definitely better than nothing :).

However, I'm also getting a Security Group "abc" created success message on a different provider, but the group never appears in the list. (In fact, I have not been able to make any new group appear in the list at all).

Furthermore, this allows editing non-openstack security groups, which is nice, except it fails while loading the data for the edit screen with a undefined method 'name' for nil:NilClass [security_group/security_group_form_fields] :(

EDIT: I've also updated the description to include the toolbar name and a screenshot, please try to do so in the future ;)

[gildub]

@himdel ,

I'll run new set of tests ASAP.
Not sure about the other(s) non openstack providers, not my scope.
Re the description, thanks. Although include a screen shot seems overkill to me (BTW, how do you include one?).

[gildub]

@himdel,

I've re-tested, Security Group create/delete/update works fine.
Please be aware, the modification won't appear until the back-end gets a refresh, it's the same behaviour for all network items, there is granular refresh available yet.

Regarding the error message you got earlier (Unauthorized):

• Could you please describe how you got there? I'm asking because normally once an openstack provider (cloud or infra) is correctly registered, I can't see how that would happen.
• That said I believe we could/should do better at wrapping the errors propagated back from fog-openstack (raw commands). But we need to do that consistently accross all items that use the same approach, which mean network, cloud_tenant, cloud_volume, etc. I won't address it only here.

Thanks

[himdel]

Not sure about the other(s) non openstack providers, not my scope.

Sorry but it has to be. They don't need to have the full functionality, but they can't just crash. Right now, the toolbar button can only check for feature support in the detail screen so you can't probably use that .. but make the code at least detect the situation and redirect you back to the list screen with an error flash about the operation not being supported or something.

Re the description, thanks. Although include a screen shot seems overkill to me (BTW, how do you include one?).

No problem :) and you just drag a image to the textarea ..and that's it :). (And it is expected for every UI change PR.)

Please be aware, the modification won't appear until the back-end gets a refresh, it's the same behaviour for all network items, there is granular refresh available yet.

Uh.. that .. sounds bad. Outside my area, so I'll suppose that's how it's supposed to be then, but it's very inconsistent with the rest of the UI. (Though maybe the success message could mention that the update will be visible only after the next refresh?)

That said I believe we could/should do better at wrapping the errors propagated back from fog-openstack (raw commands). But we need to do that consistently accross all items that use the same approach, which mean network, cloud_tenant, cloud_volume, etc. I won't address it only here.

Agreed completely, parsing out those errors needs to be done systematically, I'm also seeing some code in #12551 that could use better exception details :).

[himdel]

Could you please describe how you got there? I'm asking because normally once an openstack provider (cloud or infra) is correctly registered, I can't see how that would happen.

Well, I have two openstack providers, with one, it always succeeds and never appears on the list - there I'll assume everything works and you just need the refresh.

With the other one, creating any security group always causes that message, but indeed, trying to revalidate my login fails - so I guess it correctly fails, and that just that message can use more love in a separate PR :). (This one is infra whereas the other one is cloud, but .. my bet is more on the authentication thing there..)

[tzumainn]

@himdel Out of curiosity, do you have examples of functionality where update - or create - update the MIQ object outside of refresh? The core team told that coding things that way was very bad.

[himdel]

@himdel Out of curiosity, do you have examples of functionality where update - or create - update the MIQ object outside of refresh? The core team told that coding things that way was very bad.

I'm not arguing with that, I don't really know about the backend.. But on most screens, adding an object actually causes such object to be added, editing an object's name causes such object to be renamed, etc..

[himdel]

Just to summarize.. the only blocker I'm seeing here is the fact that the code is not prepared to handle editing security groups it can't actually edit and needs to handle such failure gracefully..

[himdel]

Aah.. found another problem..

1. Go to /cloud_tenant/show/10000000000011?display=security_groups (assuming such a tenant exists) - Compute > Clouds > Tenants - click a tenant detail, click on the security groups in the summary detail.
2. pick any group (checkbox)
3. do edit or delete - neither works from there.

(If you're looking for how, @ZitaNemeckova is fixing these for all the existing code in #12551.)

[gildub]

@himdel,

According to my tests, I cannot reproduce any of the aforementioned issues:

• It effectively seems you had an authentication issue with the Openstack Infra provider.
• I've no issue with editing whether directly using Networks -> Security Group -> Edit or through
  Compute -> Clouds -> Tenants -> Relationships -> Security Groups
  Could you please re-test/verify?

Regarding filtering out non Openstack Providers, wouldn't the pattern be for a button class
to check the associated object supports a given feature? Because if that's the case then we might be facing an issue with the button code.

We effectively need to have better wrapping of raw errors, I'm tempted to create an issue on this matter, meanwhile I believe some discussion might be needed by the providers team.

[Ladas]

@gildub @himdel I think the button in lists is using the supports only at a class level, it cannot check each element in the list for supporting of the feature now. (It would require a check based on selection of the item)

We should have a similar check as assert_privileges, for support, for each action. So e.g. assert_supported, @durandom do we have such method for UI use yet?

[himdel]

@gildub..

It effectively seems you had an authentication issue with the Openstack Infra provider.

Agreed, that part is on my end, please disregard :).

I've no issue with editing whether directly using Networks -> Security Group -> Edit or through
Compute -> Clouds -> Tenants -> Relationships -> Security Groups, Could you please re-test/verify?

Separate comment..

Regarding filtering out non Openstack Providers, wouldn't the pattern be for a button class
to check the associated object supports a given feature? Because if that's the case then we might be facing an issue with the button code.

Exactly as @Ladas said, the toolbars currently support such feature only for the detail screen, not for the list screen. (It is in the works though.. :))

We effectively need to have better wrapping of raw errors, I'm tempted to create an issue on this matter, meanwhile I believe some discussion might be needed by the providers team.

Agreed, definitely warrants an issue :).

[himdel]

I've no issue with editing whether directly using Networks -> Security Group -> Edit or through
Compute -> Clouds -> Tenants -> Relationships -> Security Groups, Could you please re-test/verify?

Retested... from Networks -> Security Group -> Edit:

an openstack security group

OK, doesn't change in the UI after saving, but seems that's the expected behaviour.

an azure security group

Error caught: [NoMethodError] undefined method `name' for nil:NilClass
/home/himdel/manageiq/app/controllers/security_group_controller.rb:54:in `security_group_form_fields'

Seems like the culprit is :cloud_tenant_name => security_group.cloud_tenant.name, - apparently not all security groups have a cloud tenant.

Exactly the same goes for Amazon security groups, and indeed for one openstack group as well.

[himdel]

I've no issue with editing whether directly using Networks -> Security Group -> Edit or through
Compute -> Clouds -> Tenants -> Relationships -> Security Groups, Could you please re-test/verify?

Now from Compute -> Clouds -> Tenants -> Relationships -> Security Groups:

clicking on a security group detail, and then doing Edit

Works fine, no issues with missing tenant there, no non-openstack groups .. no problem.

clicking edit when in the list, with a single group selected

No route matches {:action=>"layouts/flash_msg", :controller=>"cloud_tenant", :id=>nil} [cloud_tenant/button]

Error caught: [ActionController::UrlGenerationError] No route matches {:action=>"layouts/flash_msg", :controller=>"cloud_tenant", :id=>nil}
/home/himdel/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.0.1/lib/action_dispatch/journey/formatter.rb:50:in `generate'
/home/himdel/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.0.1/lib/action_dispatch/routing/route_set.rb:629:in `generate'
/home/himdel/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.0.1/lib/action_dispatch/routing/route_set.rb:660:in `generate'
/home/himdel/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.0.1/lib/action_dispatch/routing/route_set.rb:707:in `url_for'
/home/himdel/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.0.1/lib/action_dispatch/routing/url_for.rb:172:in `url_for'
/home/himdel/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/actionview-5.0.0.1/lib/action_view/routing_url_for.rb:90:in `url_for'
/home/himdel/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/bundler/gems/jquery-rjs-ded3d28d0049/lib/action_view/helpers/jquery_helper.rb:457:in `redirect_to'
/home/himdel/manageiq/app/helpers/application_helper.rb:1117:in `block in javascript_redirect'

[gildub]

@himdel,

Ok, I see what you mean, I was using the link to the item not the buttons.

As I commented in #12097 (comment)
This is really not a natural/expected behaviour.

Maybe there is some button trick I'm missing, could you please provide pointers (@dclarizio) ?

[gildub]

@himdel, @martinpovolny,

I removed the buttons from the show list. I was hoping there was some flag available to do it in order to avoid loosing the feature. But that's okay until we have the cross controller solution fully finished.

I've also replaced the button statements with a case as now that I can see a better road path with the buttons.

[himdel]

this is still a problem, isn't it? (#12101 (comment))

[himdel]

Guessing it should be security_group.cloud_tenant.try(:name)

[martinpovolny]

That seems to be the last bit preventing this from being merged.

[gildub]

Fixed, thanks.

[Ladas]

has to be .try(:name)

[gildub]

It does and I even read the reference manual! :(
Thanks

[himdel]

Name without the colon is a variable or a method call. You really need to pass a symbol to try. Please fix this.

[gildub]

@himdel, yes, done.

[himdel]

@gildub thanks, one more thing .. editing an existing security group and clicking Save..

# editing an Azure security group
undefined method `update_security_group_queue' for #<ManageIQ::Providers::Azure::NetworkManager::SecurityGroup:0x007fcded70b378> [security_group/update]

# editing an Amazon security group
undefined method `update_security_group_queue' for #<ManageIQ::Providers::Amazon::NetworkManager::SecurityGroup:0x007fcddd4062a0> [security_group/update]

# editing an OpenStack security group called "default"
Unable to update Security Group "default": Expected(200) <=> Actual(409 Conflict) excon.error.response :body => "{\"NeutronError\": {\"message\": \"Default security group already exists.\", \"type\": \"SecurityGroupDefaultAlreadyExists\", \"detail\": \"\"}}" :cookies => [ ]...

[gildub]

@himdel,

Editing a security group work now for Openstack.
Others providers should be filtered.

[tzumainn]

Associated BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1394278

[himdel]

@gildub Please add any new changes as commits, I don't want (and will stop at some point :)) to have to read the whole thing again and again..

That said, it's still broken for Azure..

I do see a

[----] E, [2016-12-08T15:59:10.334317 #5360:2acb1ba51de0] ERROR -- : MIQ(security_group_controller-update): Updating of Security Group: "ManageIQ::Providers::Azure::NetworkManager::SecurityGroup" not supported

in the evm.log (after pushing the Save button), but in the UI, the spinner keeps spinning and spinning.

Others providers should be filtered.

Not sure what you mean, I'm still seeing all the security groups in the list.

[miq-bot]

Checked commit https://github.com/gildub/manageiq/commit/978f9f3b525bd96e4aaacb4b1181aadb2c2a7b78 with ruby 2.2.5, rubocop 0.37.2, and haml-lint 0.16.1
8 files checked, 13 offenses detected

app/controllers/security_group_controller.rb

• ❗ - Line 90, Col 70 - Style/SpaceAroundOperators - Operator => should be surrounded by a single space.
• ❕ - Line 116, Col 3 - Metrics/AbcSize - Assignment Branch Condition size for delete_security_groups is too high. [39.22/20]
• ❕ - Line 116, Col 3 - Metrics/CyclomaticComplexity - Cyclomatic complexity for delete_security_groups is too high. [13/6]
• ❕ - Line 116, Col 3 - Metrics/MethodLength - Method has too many lines. [37/25]
• ❕ - Line 116, Col 3 - Metrics/PerceivedComplexity - Perceived complexity for delete_security_groups is too high. [17/7]
• ❕ - Line 18, Col 3 - Metrics/AbcSize - Assignment Branch Condition size for button is too high. [25.2/20]
• ❕ - Line 18, Col 3 - Metrics/CyclomaticComplexity - Cyclomatic complexity for button is too high. [10/6]
• ❕ - Line 18, Col 3 - Metrics/PerceivedComplexity - Perceived complexity for button is too high. [9/7]
• ❕ - Line 196, Col 3 - Metrics/AbcSize - Assignment Branch Condition size for update is too high. [27.62/20]
• ❕ - Line 225, Col 3 - Metrics/AbcSize - Assignment Branch Condition size for update_finished is too high. [29.77/20]
• ❕ - Line 63, Col 3 - Metrics/AbcSize - Assignment Branch Condition size for create is too high. [30.82/20]
• ❕ - Line 63, Col 3 - Metrics/MethodLength - Method has too many lines. [27/25]
• ❕ - Line 96, Col 3 - Metrics/AbcSize - Assignment Branch Condition size for create_finished is too high. [23.73/20]

[gildub]

@himdel,

I'm not adding any new features, but if so then I use new commits.

Regarding the issue about broken provider (such as Azure), there is nothing much I can do any more. On top of that I can't test any other providers but Openstack.

The important part resides with the support feature mixin [1] which checks if the create/update/delete feature are respectively supported.
If any other provider (including Azure) doesn't have those methods then it shouldn't be supported and should skip.

So if [1] isn't working, either something is missing (or I'm missing it) or MIQ has a structural issue. In any case could the UI team provide guidance? @dclarizio,

@Ladas what do you think? (@tzumainn)

[1] https://github.com/ManageIQ/manageiq/pull/12101/files#diff-fb5d22d19133a44dd2514b60ccf6a16cR75

[tzumainn]

@himdel @dclarizio some added context - @mansam tried to implement this sort of "disablement" for other providers for a different case in #12597. In the discussion there you'll see that no good solution was reached. So I think what we need here is some official guidance from the UI team as to the appropriate way to block providers which don't support feature X from accessing X?

[tzumainn]

@gildu there's an example of disabling a button based on feature that @sseago pointed out, and it's pretty straightforward: https://github.com/ManageIQ/manageiq/pull/12101/files

Can you add that to this and the floating IP PRs - in a separate commit, if that's the preference? Then this may be ready to go!

[tzumainn]

@gildub ^ whoops, typo

[gildub]

@tzumainn, sorry but I can't see the pointer, where is this? Thanks

[sseago]

@gildub I think this is what @tzumainn was referring to: https://github.com/ManageIQ/manageiq/blob/master/app/helpers/application_helper/toolbar/host_aggregate_center.rb#L15-L16

[gildub]

@tzumainn, @sseago, ok got it, thanks! I'm taking care of it.

[gildub]

@sseago, @tzumainn, thanks, gotcha!

And now that I'm back with all my head, I've used it and tested.

@himdel could you please confirm?

[gildub]

I closed it by mistake. Then before I realized that I forced-pushed the corresponding branch which makes it not able to be re-opened as I can't go back to previous SHA commit, moral of story this one gets replaced by a new PR: #13165. Sorry about the inconvenience.