Displayed all tenant by using Heat Template

[okamototk]

When I use Heat Template as Catalog Service, all OpenStack tenant which is accessed by Provider account is selected is spite of setting access control by group.

At least, following code does not limit tenants for use. Should it limit to available tenants?

https://github.com/ManageIQ/manageiq-content/blob/master/content/automate/ManageIQ/Cloud/Orchestration/Operations/Methods.class/__methods__/available_tenants.rb

[gmcculloug]

@okamototk By default automate methods run with admin access but you can enable rbac filtering by adding a call to $evm.enable_rbac in the script.

The feature was added in PR ManageIQ/manageiq#11549

For the method you reference I would recommend wrapping the fetch_list_data method with calls to enable_rbac and disable_rbac.

Something like:

def fetch_list_data
  $evm.enable_rbac
  service = @handle.root.attributes["service_template"] || @handle.root.attributes["service"]
  av_tenants = service.try(:orchestration_manager).try(:cloud_tenants)

  tenant_list = { nil => "<default>" }
  av_tenants.each { |tenant| tenant_list[tenant.name] = tenant.name } if av_tenants

  tenant_list
ensure
  $evm.disable_rbac
end

Test this out and let us know your results.

cc @mkanoor

[gmcculloug]

@okamototk The easiest way to test this is to create a new domain in the automate explorer and copy the method into the new domain. The new domain, by default, will have a higher priority when looking up methods and the copied method would be used.

If you modify the gem on disk you would need to reset the automate domain from either the UI in: Automation -> Automate -> Import / Export -> "Reset all components in the following domains: ManageIQ"

Or from the command line using rake evm:automate:reset

[okamototk]

It works fine, thanks!

I hope above template is enabled default:)

[gmcculloug]

Great to hear. Can we close this issue now?

[okamototk]

I think this feature should be enabled default. But code is still same as before.
Are there any reason to keep current implementation?

[gmcculloug]

@okamototk Sorry to have been away from this topic for a while but I have been thinking about it again recently and have two thoughts.

1. Adding a global Advanced Setting flag that would allow us to control the default for RBAC within automate methods.

2. Modifying some of the existing automate methods (specifically those designed for dynamic dialog fields) to include an "enable_rbac" property on the instance that calls the method and restructure the methods to evaluate the new instance property. This way a user could change the behavior by just overwriting the method and change the flag instead of having to update the method as described in Displayed all tenant by using Heat Template #297 (comment). Obviously this would need to happen for several methods, not just the one identified here.

Along the lines of item 2, maybe there is also a way to expose a global default in the Automate modeling and allow for individual method overrides, assuming the methods were reworked to take advantage of this.

cc @mkanoor @tinaafitz thoughts?

[miq-bot]

This issue has been automatically marked as stale because it has not been updated for at least 6 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions!