[GAPRINDASHVILI] Allow tenant admins to see all groups within the scope of their tenant #17817
Conversation
|
|
||
| it 'can see all roles except for EvmRole-super_administrator' do | ||
| expect(MiqUserRole.count).to eq(4) | ||
| get_rbac_results_for_and_expect_objects(MiqUserRole, [tenant_administrator_user_role, user_role]) |
There was a problem hiding this comment.
@jrafanie @kbrock Notice that there is a difference from the same test on master here (https://github.com/ManageIQ/manageiq/pull/17768/files?utf8=%E2%9C%93&diff=unified#diff-5a9a344d1cbb6a063ed0fb111938778bR1022) On master the tenant admin is able to see the administrator role. In Gaprindashvili he can't. I think it should be consistent but I'm not sure whether it should be changed here or on master.
There was a problem hiding this comment.
@kbrock what do you think of this? Also, is it ok to do this PR for gaprindashvili or do we need to bring back the dependent PRs?
There was a problem hiding this comment.
the PR in question changed admin_user? from a string compare to a role compare.
I think keeping the string compare in Gaprindashvili is good.
G's admin is kinda broken. the use case that was introduced was not fully thought through. The admin doesn't fully have more privs that the tenant admin - so I'm not sure if it matters
gtanzillo
force-pushed
the
tenant-admin-groups-59
branch
from
8911892
to
c1c047a
Compare
|
|
||
| it 'can see all roles except for EvmRole-super_administrator' do | ||
| expect(MiqUserRole.count).to eq(4) | ||
| get_rbac_results_for_and_expect_objects(MiqUserRole, [tenant_administrator_user_role, user_role]) |
There was a problem hiding this comment.
the PR in question changed admin_user? from a string compare to a role compare.
I think keeping the string compare in Gaprindashvili is good.
G's admin is kinda broken. the use case that was introduced was not fully thought through. The admin doesn't fully have more privs that the tenant admin - so I'm not sure if it matters
Manual back port of ManageIQ#17768 to gaprindashvili This had to be done because of the change in master to rely on product features instead of role name to determine whether a user is an admin, tenant admin or super admin Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1613387
gtanzillo
force-pushed
the
tenant-admin-groups-59
branch
from
c1c047a
to
87cafbd
Compare
|
Checked commit gtanzillo@87cafbd with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 |
|
@gtanzillo Is it ok to backport this to Fine branch, or a separate PR will be needed there? |
Yes, this should backport cleanly to the fine branch |
[GAPRINDASHVILI] Allow tenant admins to see all groups within the scope of their tenant (cherry picked from commit 80878c7) Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1613388
|
Fine backport details: |
[GAPRINDASHVILI] Allow tenant admins to see all groups within the scope of their tenant (cherry picked from commit 80878c7) Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1613388
Manual back port of #17768 to gaprindashvili
This had to be done because of the change in master to rely on product features instead of role name
to determine whether a user is an admin, tenant admin or super admin
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1613387
/cc @jrafanie @kbrock