Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Separate Role Access Restrictions for Service Templates #697

Conversation

jaywcarman
Copy link
Member

Related to:

Migration to handle the separate access restrictions for service templates. Note that the migration only affects custom roles, which can easily be filtered by :read_only = false. The 6072d2c core commit takes care of updating the read-only, built-in EvmRole-user_limited_self_service and EvmRole-user_self_service roles so that they are functionally the same before and after the separate access restrictions.

@@ -0,0 +1,32 @@
class SeparateRoleAccessRestrictionsForServiceTemplates < ActiveRecord::Migration[6.0]
class MiqUserRole < ActiveRecord::Base; end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to have settings as a serialized column here?

So we could read / write to it and we know we are not messing up some strange yaml thing?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to have settings as a serialized column here?

Thanks for the comment @kbrock, I think serialize :settings is a big improvement.

if role.settings.include?(":vms: :user_or_group")
role.settings << " :service_templates: :user_or_group\n"
elsif role.settings.include?(":vms: :user")
role.settings << " :service_templates: :user\n"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't remember exactly what can be in settings, but I worry that this may go into the wrong place in settings.
If it is flat, then probably not a concern, but if there is any hierarchy in here, then could this will end up under another value?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With serialize :settings I could ensure the new :service_templates key is nested under :restrictions.

@jaywcarman jaywcarman force-pushed the separate_role_access_restrictions_for_service_templates branch 2 times, most recently from a7fa7f5 to 54c660a Compare July 13, 2023 20:38
def up
say_with_time("Updating MiqUserRole restictions so Service Templates match existing VMs") do
MiqUserRole.where(:read_only => false).where("settings like '%vms: :user%'").find_each do |role|
role.settings[:restrictions][:service_templates] = role.settings&.dig(:restrictions, :vms)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not holding up merge for this, but this is technically not needed, because we know settings exists (since we are accessing it earlier in the line).

Suggested change
role.settings[:restrictions][:service_templates] = role.settings&.dig(:restrictions, :vms)
role.settings[:restrictions][:service_templates] = role.settings.dig(:restrictions, :vms)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might as well clean it up! 😄


def up
say_with_time("Updating MiqUserRole restictions so Service Templates match existing VMs") do
MiqUserRole.where(:read_only => false).where("settings like '%vms: :user%'").find_each do |role|
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Super-minor

Suggested change
MiqUserRole.where(:read_only => false).where("settings like '%vms: :user%'").find_each do |role|
MiqUserRole.where(:read_only => false).where("settings LIKE '%vms: :user%'").find_each do |role|

@Fryguy Fryguy self-assigned this Jul 14, 2023
@Fryguy Fryguy added the bug label Jul 14, 2023
@jaywcarman jaywcarman force-pushed the separate_role_access_restrictions_for_service_templates branch from 54c660a to 7af3019 Compare July 14, 2023 13:32
@miq-bot
Copy link
Member

miq-bot commented Jul 14, 2023

Checked commit jaywcarman@7af3019 with ruby 2.6.10, rubocop 1.28.2, haml-lint 0.35.0, and yamllint
2 files checked, 0 offenses detected
Everything looks fine. 🍰

@Fryguy Fryguy merged commit a3179c3 into ManageIQ:master Jul 14, 2023
3 checks passed
@jaywcarman jaywcarman deleted the separate_role_access_restrictions_for_service_templates branch July 14, 2023 17:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants