Automate: Add to Group's "Assigned Filters"


#1

In an automate method that is creating an OSP project/tenant we are:

  1. creating a tag of the “tenant_name” in the “prov_scope” category.
  2. tagging the user (requester) with the above tag.
  3. tagging the tenant with the above tag.

I believe we need to enable the above tag in the user’s group “Assigned Filters” so the members of the group with the above tag will have access to the tenant. The following does not produce any errors and does not do what I hoped. I figure this is a local copy of the object and I cannot directly manipulate the group access controls from an automation script?

cfme_user = $evm.root['user']
cfme_user.current_group.filters['managed'].push([["/prov_scope/user01_ind"]])

From the “CloudForms & ManageIQ Automation How-To Guide” I found an example for reading the tags assigned to the group which I used to guess my way to the above fragment. How can I adjust the group filter?

def    get_current_group_rbac_array(user,    rbac_array=[])
        unless    user.current_group.filters.blank?
                user.current_group.filters['managed'].flatten.each    do    |filter|
                        next    unless    /(?<category>\w*)\/(?<tag>\w*)$/i    =~    filter
                        rbac_array    <<    {category=>tag}
                end
        end
        rbac_array
end

Thank you.


#2

@gmccullough can you review this question from @andrew and forward to a SME if necessary.


Any way to automate creating groups?
#3

Hi @andrew,

The automate layer does not expose the ability to modify group filters, but this feature is available through the REST API.

@abellotti Can you provide some details on how this could be done from REST?


#4

Group CRUD is available via REST API on master. The documentation hasn’t been updated yet, but we do support the creation and update of groups including the filters. The following examples show a Create and an Update with filters:

POST /api/groups
{
  "description" : "sample_group",
  "role" : { "id" :  2 },
  "tenant" : { "href" : "/api/tenants/1" },
  "filters" : {
     "belongsto" : [ "/managed/area/1", "/managed/area/2" ],
     "managed" : [[ "/managed/infra/1", "/managed/infra/2" ]]
  }
}

Example updating filters for above group:

POST /api/groups/20
{
  "action" : "edit",
  "resource" : {
    "filters" : {
      "belongsto" : [ "/managed/area/1", "/managed/area/2", "/managed/area/3" ],
      "managed" : [[ "/managed/infra/1", "/managed/infra/2"], ["/managed/other/3"]]
    }
  }
}

Hope this helps.


#5

Hi @abellotti,

Thanks very much for your example POSTs using the groups API. My planned implementation is to use the groups API to programmatically create a group from a ManageIQ service catalogue item (as this functionality isn’t exposed through automate). The workflow for this will be:

  • User logs into ManageIQ for the first time
  • User orders a service catalogue item which creates a “provisioning scope” tag (using $evm.execute(‘tag_create’)) associated to their individual cloud tenant (on the provider), and a group with this tag set as the “provisioning scope” access filter (using the groups API).

A quick question - the tenant ID you’re passing to the groups API looks like an ActiveRecord ID. My implementation would need me to find the ManageIQ tenant the user is associated with, and pass this to the API. However, I’m only aware of how to get the internal ManageIQ ID for a tenant (eg; 1000000000012); do you know any way to convert this to an ActiveRecord ID? Or am I confusing this, and they’re equivalent?

Greatly appreciate your help.

Shane


#6

I think the confusion here is that if your ManageIQ region is non-zero, your object IDs show the region number, followed by several zeros, followed by the object ID. If your region is zero, the (now zero-padded) object IDs are truncated, leaving just a non-zero integer.

I suspect in this example the region ID is zero, so the ID is 12 rather than 1000000000012

Hope this helps,
pemcg


#7

Thanks very much @pemcg, greatly appreciate the clarification!

Shane