ManageIQ / manageiq

ManageIQ Open-Source Management Platform
https://manageiq.org
Apache License 2.0

Setting ownership of a Service seems to require too many product features #22985

Open jrafanie opened 6 months ago

jrafanie commented 6 months ago

Discussed in https://github.com/orgs/ManageIQ/discussions/22965

Originally posted by **uejo** March 28, 2024

Hello,

I have a use case where a user wants to move his service to another group in the same tenant. The only way I managed to accomplish this seems to require unnecessary Product Features.

Steps I have taken so far:

- create a new tenant under "My Company"
- create a copy of the EvmRole-user_self_service role and add the following Features as seen in the picture below:

  I also had to set the Access Restriction to "None" in the service role, otherwise I am also not able to see other groups. The Set Ownership seems necessary to even have the Button available (at least in the new UI; in the self service UI the button option is always available). The Groups View is necessary, otherwise you get API error permission denied on the /api/groups endpoint.

  ![image](https://github.com/ManageIQ/manageiq/assets/11505478/dacc5e87-98b4-4dba-937f-0b449ec709bb)
- create 2 groups, assign both the newly created tenant and the role above.
- create a service as user1 (I added a Generic Service in the default Catalog)

Now I can select the 2nd group:

![image](https://github.com/ManageIQ/manageiq/assets/11505478/95ab9519-c5ef-47a9-bc97-3443a7446b4a)

But I have permissions to create and delete Tenants; of course I don't want that.

![image](https://github.com/ManageIQ/manageiq/assets/11505478/b7b5583b-cc15-499d-b94d-3c6ccc62b8fe)

But as soon as I remove the Tenant permissions product feature (and it doesn't matter if you remove Modify or Operate, removing one of those is enough), I cannot see any other groups anymore:

![image](https://github.com/ManageIQ/manageiq/assets/11505478/bd71350c-01b4-4f0f-bfa1-25fe6f15735b)

So how can I accomplish what I'm trying to do? I am using the self_service UI, which has the Button "Set ownership", but as for now it seems I can't really use that feature.

![image](https://github.com/ManageIQ/manageiq/assets/11505478/49a14b39-3600-4684-9099-33bd4c857350)

jrafanie commented 6 months ago

From: https://github.com/orgs/ManageIQ/discussions/22965#discussioncomment-9051032

So, I tracked it down to this code:

https://github.com/ManageIQ/manageiq/blob/dfbf8e7f3a370d0b5ff4bb002a4de49e4dda46bb/lib/rbac/filterer.rb#L679

We're only showing users and groups outside your own group if you're considered a tenant admin or super admin which is also a tenant admin.

This is why it works when you give your user all permissions under Access control -> Tenants.

I'm not sure how to enable the ability to set ownership outside of your group for a user with less permission.

miq-bot commented 3 months ago

This issue has been automatically marked as stale because it has not been updated for at least 3 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.