Tenant scoping on vms #4316
Tenant scoping on vms #4316
Conversation
| @@ -248,7 +248,33 @@ def self.find_targets_with_user_group_rbac(klass, scope, rbac_filters, find_opti | |||
| end | |||
| end | |||
|
|
|||
| def self.group(user_or_group) | |||
|
The thing I need to figure out is how to say "I want to scope on a tenant and all of it's parents" determining the tenant_id and all the parent_ids is easy. |
|
I think we need use cases or existing ones translated to specific examples. I have a hard time understanding one off examples without more context. |
|
In automate, I want to fetch all namespaces for a tenant. The rule around tenants is: all namespaces that the tenant and parents can see. |
| tenant_id = group(user_or_group).try(:tenant_id) | ||
| return find_options unless tenant_id | ||
|
|
||
| tenant_id_clause = ["#{klass.table_name}.tenant_id = ? OR #{klass.table_name}.tenant_id IS NULL", tenant_id] |
There was a problem hiding this comment.
tenant_id_clause = {klass.table_name => {:tenant_id => tenant_id}}If we need the nil then:
tenant_id_clause = {klass.table_name => {:tenant_id => [tenant_id, nil]}}There was a problem hiding this comment.
Great, yeah, see my diagram above, not sure about NULL, I added it to spark conversation.
There was a problem hiding this comment.
no objects will have a nil tenant
jrafanie
force-pushed
the
tenant_scoping
branch
from
5c51888
to
b704afe
Compare
Returns vms without a tenant and ones in my tenant. If there is no tenant, no filtering by tenant is done. It feels wrong to not use Relations via .where here but we might need a named scope to filter the remaining conditions that don't use .where. https://trello.com/c/1uf5urJz/
Remove now useless case statement method. https://trello.com/c/1uf5urJz/
jrafanie
force-pushed
the
tenant_scoping
branch
from
b704afe
to
cc94dde
Compare
| @other_user.save | ||
| results, = Rbac.search(:class => "Vm", :results_format => :objects) | ||
| expect(results).to eq [@owner_vm] | ||
| end |
There was a problem hiding this comment.
for with_user - we want to possibly change a user's group and make sure it picks the right one
@kbrock Thanks, I added test cases for a user leaving/joining a tenant via changing groups. Is this what you meant?
|
Checked commits jrafanie/manageiq@acccd96~...73b176c with ruby 1.9.3, rubocop 0.33.0, and haml-lint 0.13.0 app/models/rbac.rb
|
| def self.find_targets_with_rbac(klass, scope, rbac_filters, find_options = {}, user_or_group = nil) | ||
| # TODO: check if these find_options should be duplicated/modified in place |
There was a problem hiding this comment.
@jrafanie I think it's fine to modify find_options in place. They are built up by the caller (Rbac.search) for the sole purpose of using them in find_targets_with_rbac.
There was a problem hiding this comment.
in the past we have been avoiding this.
since we tend to call this with a merge, that allows us to avoid actually manipulating.
but it is probably no harm
|
👍 |
scope_by_tenant?for VmOrTemplaterespond_to?(:scope_by_tenant?)Returns vms without a tenant and ones in my tenant.
If there is no tenant, no filtering by tenant is done.
https://trello.com/c/1uf5urJz/
@gtanzillo @Fryguy @kbrock Please review, throw 🍅