Determining visibility rules for tenants

ewannema · September 22, 2016, 8:31pm

I have not been able to find documentation on how tenancy affects object visibility and access control so I have started exploring on CFME 5.6.1 and here are my observed findings. Please let me know if have a better source for how this works or corrections for anything below.

VMs

Higher level tenants can see the VMs of lower level tenants.
Tenants can set ownership for themselves or lower level tenants.
Visibility is not restricted by group ownership within a tenant. All groups within a tenant can see all other groups VMs.

Templates

Members of the root tenant can see and manage the templates of all sub tenants.
Lower level tenants can see the templates of higher level tenants.
Tenants can edit and take ownership of parent tenant templates. I assume this is a bug and I will open a support case to check.
Tenants can set ownership for themselves or lower level tenants.
Visibility is not restricted by group ownership within a tenant. All groups within a tenant can see all other groups templates.

Catalog Items

Lower level tenants can see the catalogs/items of higher level tenants.
Lower level tenants can manage the catalogs/items of higher level tenants (BZ 1375713).
Members of the root tenant can see and manage the catalogs/items of all sub tenants.

Automate Domains

Domains are inherited from parent tenants ordered in tenant order (highest to lowest), in the order they are specified by that tenant.
You must be logged in as a tenant to see their domains.
Domains not owned by a tenant can not be reordered.
Domains not owned by a tenant can not be locked, (dis | en)abled, or renamed.
System domains (ManageIQ, RedHat) can not be managed or re-ordered by anyone.

pemcg · September 23, 2016, 1:22pm

This is interesting, I’m currently researching tenancy from an automate point of view for an update to the automate book. You mention “Visibility is not restricted by group ownership within a tenant”, but I think that only applies if the role VM & Template Access Restriction is set to ‘None’. If I set the access restriction to 'Only User or Group Owned" then it works as expected.

I believe the visibility rules are supposed to be something like the following:

Visible to our tenant only:

miq_requests
miq_request_tasks

If defined in a parent tenant, they are visible to our tenant:

ext_management_systems (i.e. Providers)
Automate domains
Service Catalogs
Service Catalog Items
Templates or Images

If defined in a child tenant, they are visible to our tenant:
Services
VMs & Instances

If defined in a child tenant, they are not visible to our tenant:
Automate domains

Regards,
pemcg

pemcg · September 29, 2016, 10:45am

I should also add that ‘our tenant’ (taking the case of an arbitrary child tenant) should only be able to see itself and any child tenants of its own (fairly obviously). At the moment automate isn’t fully RBAC-aware though, and so if we want to filter all visible VMs, say to present in a dynamic drop-down dialog to our user, we have to calculate which tenants our user/tenant should be able to see, and filter accordingly ($evm.vmdb(:vm) would return all tenant’s VMs for example). We can use the tenancy object’s ancestry attribute and write something like the following:

def tenant_child_ids(tenant)
  child_ids = []
  child_ids << tenant.id.to_s  # include this tenant's ID
  $evm.vmdb(:tenant).all.each do |t|
    unless t.ancestry.blank?
      if t.ancestry.split('/').include?(tenant.id.to_s)
        child_ids << t.id.to_s
      end
    end
  end
  child_ids
end

We can then use the vm.tenant_id attribute to match which VMs to include in our drop-down list.

Tenant RBAC-enablement for automate is in the works, and we should get three new $evm methods soon: enable_rbac, disable_rbac and rbac_enabled?

pemcg

ewannema · September 24, 2016, 6:51pm

@pemcg Thanks for the feedback.

If possible, I am trying to ignore the user or group ownership restriction. With it in place, I do not believe that I can have a Tenant with User and Admin roles (mapped via groups) that see the same set of VMs. Although, I have not tried this scenario with the Tenant pseudo group as the owner so I guess I will need to test that.

ewannema · September 26, 2016, 6:18pm

Here is something I put together to list templates for a tenant and ancestors. It doesn’t take visibility filters like tags or user/group restriction into account.

# Usage
templates = tenant_and_ancestor_infra_templates(tenant)

# Helper methods
def tenant_infra_templates(tenant_id)
  $evm.vmdb(:template_infra).where(tenant_id: tenant_id)
end

# This is actually defined on the base tenant model, but we do string parsing because
# it isn't in the service model.
def tenant_ancestor_ids(tenant)
  return [] if tenant.ancestry.blank?
  tenant.ancestry.split('/')
end

def ancestor_infra_templates(tenant)
  tenant_ancestor_ids(tenant).map { |t| tenant_infra_templates(t) }.flatten
end

def tenant_and_ancestor_infra_templates(tenant)
  tenant_infra_templates(tenant.id) + ancestor_infra_templates(tenant)
end

pemcg · September 28, 2016, 10:37am

These are useful, would you mind if I add your examples to the automate book?

Thanks,
pemcg

ewannema · September 28, 2016, 1:18pm

No problem. The snippets are small. Feel free to use them in any way you want.

pemcg · September 29, 2016, 10:46am

Thanks