Tenant scoping on vms #4316
@@ -248,7 +248,33 @@ def self.find_targets_with_user_group_rbac(klass, scope, rbac_filters, find_opti | |||
end | |||
end | |||
|
|||
def self.group(user_or_group) |
HATE 😱
The thing I need to figure out is how to say "I want to scope on a tenant and all of its parents". Determining the tenant_id and all the parent_ids is easy.
I think we need use cases or existing ones translated to specific examples. I have a hard time understanding one-off examples without more context.
In automate, I want to fetch all namespaces for a tenant. The rule around tenants is: all namespaces that the tenant and parents can see.
tenant_id = group(user_or_group).try(:tenant_id) | ||
return find_options unless tenant_id | ||
|
||
tenant_id_clause = ["#{klass.table_name}.tenant_id = ? OR #{klass.table_name}.tenant_id IS NULL", tenant_id] |
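Review bot: `return find_options unless tenant_id` fails open: a user or group whose tenant cannot be resolved (including a nil group swallowed by `.try`) gets no tenant filter at all. The `OR ... tenant_id IS NULL` arm of `tenant_id_clause` additionally makes every row without a tenant visible to every tenant. If neither is intended, return an empty result when no tenant is resolved and drop the `IS NULL` arm; if untenanted rows are meant to be shared, say so in a comment next to the clause so the behaviour is not mistaken for an oversight.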
tenant_id_clause = {klass.table_name => {:tenant_id => tenant_id}}
If we need the nil then:
tenant_id_clause = {klass.table_name => {:tenant_id => [tenant_id, nil]}}
Great, yeah, see my diagram above, not sure about NULL, I added it to spark conversation.
no objects will have a nil tenant
5c51888 to b704afe
Returns vms without a tenant and ones in my tenant. If there is no tenant, no filtering by tenant is done. It feels wrong to not use Relations via .where here but we might need a named scope to filter the remaining conditions that don't use .where. https://trello.com/c/1uf5urJz/
Remove now useless case statement method. https://trello.com/c/1uf5urJz/
b704afe to cc94dde
@other_user.save | ||
results, = Rbac.search(:class => "Vm", :results_format => :objects) | ||
expect(results).to eq [@owner_vm] | ||
end |
for with_user - we want to possibly change a user's group and make sure it picks the right one
@kbrock Thanks, I added test cases for a user leaving/joining a tenant via changing groups. Is this what you meant?
Checked commits jrafanie/manageiq@acccd96~...73b176c with ruby 1.9.3, rubocop 0.33.0, and haml-lint 0.13.0 app/models/rbac.rb
|
def self.find_targets_with_rbac(klass, scope, rbac_filters, find_options = {}, user_or_group = nil) | ||
# TODO: check if these find_options should be duplicated/modified in place |
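Review bot: The TODO directly under the `find_targets_with_rbac` signature leaves open whether `find_options` is duplicated or modified in place, and that should be settled before merge rather than shipped as a comment. Either `dup` the hash on entry, or replace the TODO with a comment stating that the method mutates `find_options` and that callers must not reuse the hash afterwards, since a reused hash would carry one caller's scoping conditions into a later query.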
@jrafanie I think it's fine to modify find_options in place. They are built up by the caller (Rbac.search) for the sole purpose of using them in find_targets_with_rbac.
in the past we have been avoiding this.
since we tend to call this with a merge, that allows us to avoid actually manipulating.
but it is probably no harm
👍
scope_by_tenant?
for VmOrTemplaterespond_to?(:scope_by_tenant?)
Returns vms without a tenant and ones in my tenant.
If there is no tenant, no filtering by tenant is done.
https://trello.com/c/1uf5urJz/
@gtanzillo @Fryguy @kbrock Please review, throw 🍅
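The two filtering rules discussed in this thread, side by side, as an added example in plain Ruby (not code from this pull request or from ManageIQ). The `Tenant` and `Vm` structs, the sample rows and the fail-closed behaviour of the second method are assumptions made for illustration.

```ruby
# Constructed sample data: a small tenant tree and one VM per tenant,
# plus one VM with no tenant (the NULL case from the diff).
Tenant = Struct.new(:id, :parent_id)
Vm     = Struct.new(:name, :tenant_id)

TENANTS = [
  Tenant.new(1, nil), # root
  Tenant.new(2, 1),   # child of root
  Tenant.new(3, 1),   # sibling of 2
  Tenant.new(4, 2)    # grandchild, under 2
].each_with_object({}) { |t, h| h[t.id] = t }

VMS = [
  Vm.new("root_vm", 1), Vm.new("child_vm", 2), Vm.new("sibling_vm", 3),
  Vm.new("grandchild_vm", 4), Vm.new("orphan_vm", nil)
]

# Walk parent_id links up to the root. Stops on an unknown id or when an
# id repeats, so a cyclic parent chain cannot loop forever.
def tenant_and_ancestor_ids(tenant_id, tenants = TENANTS)
  ids = []
  while tenant_id && tenants[tenant_id] && !ids.include?(tenant_id)
    ids << tenant_id
    tenant_id = tenants[tenant_id].parent_id
  end
  ids
end

# Rule in the diff: "tenant_id = ? OR tenant_id IS NULL", and no
# filtering at all when the caller has no tenant.
def scope_as_in_diff(vms, tenant_id)
  return vms unless tenant_id
  vms.select { |vm| vm.tenant_id == tenant_id || vm.tenant_id.nil? }
end

# Rule asked for in review: the tenant plus all of its parents.
# Assumption for this example: no tenant means no rows, and rows
# without a tenant never match.
def scope_with_ancestors(vms, tenant_id)
  allowed = tenant_and_ancestor_ids(tenant_id)
  vms.select { |vm| allowed.include?(vm.tenant_id) }
end
```

With the sample data, a caller in tenant 4 sees its own VM and those of tenants 2 and 1 under the ancestor rule, while the rule in the diff returns every VM to a caller with no tenant.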