Horizon RBAC - (need to) Hide tab if no permissions available

Bug #1395434 reported by Roey Dekel
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Invalid
Undecided
Unassigned

Bug Description

Assume I (as sys admin) want to hide LBAAS services from tenant owners, therefore I changed every LBAAS feature (such as create pool, update vip, delete member etc.) in neutron_policy.json to rule:admin_only.

Current result : LBAAS tab is accessiable (for tenant's owners) with no content nor permissions for creating/updating/deleting

Expected result (in my opinion): hide LBAAS tab

Comment:
LBAAS is just an example, I think that every feature's tab without permissions should be hidden, unless it has important data to present.

Tags: rbac horizon
Roey Dekel (rdekel)
affects: barbican → horizon
Changed in horizon:
status: New → Confirmed
importance: Undecided → Medium
Timur Sufiev (tsufiev-x)
Changed in horizon:
assignee: nobody → Timur Sufiev (tsufiev-x)
Revision history for this message
Timur Sufiev (tsufiev-x) wrote :

Roey, this change may be not as trivial as it seemed at first glance. Many tabs in openstack_dashboard has `preload = False` which means that at the time their headings are drawn in the multi-tabbed table it is not known whether they have any data inside. It will be known only once the user clicks on some tab's title - which leads to the data being loaded. It will be possible to determine the tabs contents only if we set `preload = True` for all of them, which will increase page loading time.

Or perhaps I had misunderstood you and you meant something else by 'important data'?

Revision history for this message
Roey Dekel (rdekel) wrote :

Timur, you understood my intentions correctly.

Maybe for tabs with no preload the suitable solution will be a text with: "no data available" (after clicking on the tab's title).

Revision history for this message
Timur Sufiev (tsufiev-x) wrote :

Roey, the difficulty I'm speaking of is somewhat different. Imagine that the `MemberDetailsTab` which is the second tab on the LoadBalancers page has `preload=False` (by default it is `True`) and according to the current user's permissions, no actions could be taken. When we're displaying the whole page to know whether to render 'Members' tab we need to get its data which contradicts the meaning of `preload=False` if this tab was initially closed when we switched to LoadBalancers page. In other words, one last chance for the 'Members' tab to be rendered is to have some data since it doesn't allow any action - thus we had to ignore `preload=False` attribute to decide whether render it or not. I'd rather abandon the whole idea than break current lazy-loading functionality.

Revision history for this message
Roey Dekel (rdekel) wrote :

Timur, I understand the problem of lazy rendering, you can't know that a tab is without data until you ask for it's data. That's the reason I suggested to simply put "no data availabe" but it's not a solution to the original problem.
What's your opinion about adding RBAC rule to a whole tab? Assuming the RBAC rules are accessible when you render the horizon pages. Maybe that will be an easier way to admin to simply "remove permissions" to a whole tab.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/144163

Changed in horizon:
status: Confirmed → In Progress
Revision history for this message
Timur Sufiev (tsufiev-x) wrote :

Roey, I've uploaded a patch that is partial solution to the situation you described. Yet I don't like how it works - if no actions are permitted at some Tab for a given user, he won't see this tab at all, though there may be some useful data to look at inside this tab. Any ideas on how to improve the patch?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by David Lyle (<email address hidden>) on branch: master
Review: https://review.openstack.org/144163
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

The situation has changed a lot since the bug was reported. horizon now provides the pluggable panel mechanism and operators can disable a specific panel if they want. This is no longer a bug.

Changed in horizon:
assignee: Timur Sufiev (tsufiev-x) → nobody
status: In Progress → Invalid
importance: Medium → Undecided
Revision history for this message
Akihiro Motoki (amotoki) wrote :

The bug title says "Hide tab if no permissions available", but what the bug reporter wanted to do was to hide a specific panel. Considering this, the goal can be achieved in a simpler way now, so I don't think we need this bug now.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.