Add MiqTask#deliver and execute #1249
Conversation
|
update:
rubocop:
|
config/api.yml
Outdated
| - :name: deliver | ||
| :identifier: miq_request_control | ||
| - :name: execute | ||
| :identifier: miq_request_control |
There was a problem hiding this comment.
I'm not sure here - This would give users with the ability to cancel the requests to also execute and deliver, which is really a system level task - I wonder if this should be super admin only or something 🤔
There was a problem hiding this comment.
@Fryguy did you just say service_admin or miq_request_edit, ae_miq_request_edit?
only super admin I know is everything
There was a problem hiding this comment.
I said that I don't think regular users should be able to access this endpoint. If there is such a thing as service_admin, perhaps? We run automate/workflows as super admin which is why I said super admin.
There was a problem hiding this comment.
this will be using the authentication record that workflow/floe is passing. (api_user)
@agrare Do you typically pass superadmin to floe?
Do you feel that is what customers should do?
There was a problem hiding this comment.
I had imagined that the user ordering the service would be the one posting to the API, an admin would create the workflows and map what credentials would be used but at order time it would be the unprivileged user account
There was a problem hiding this comment.
Most of these tasks will talk to the API and want to act as the requesting user.
This endpoint is basically saying "All the workflows have been run. All the variables have been figured out. Let's talk with vmware and make the actual request happen." This is viable coming from an admin role.
The current vmware specific workflow has:
- vmware admin auth
- miq requestor user auth
So it would make sense to have:
- miq admin auth (to make provider privileged requests)
- miq requestor user auth (to do stuff as user privileges)
Just not sure the best way to pass the admin auth
There was a problem hiding this comment.
I'm lost now about who and when - let's discuss over voice and maybe draw it out.
kbrock
changed the title
|
WIP: testing ensuring it was approved |
| @@ -3233,6 +3233,8 @@ | |||
| :post: | |||
| - :name: cancel | |||
| :identifier: miq_request_control | |||
| - :name: execute | |||
| :identifier: miq_request_control | |||
There was a problem hiding this comment.
Continung from #1249 (comment)
I still don't like this permission here...something feels off about it. I admit that miq_request_control is used for cancel, but being able to cancel your own request is very different from executing it.
There was a problem hiding this comment.
added 'you can only execute this if it has been approved' feels like it lessens the request.
kbrock
changed the title
|
Checked commit kbrock@fe6fd8e with ruby 2.7.8, rubocop 1.56.3, haml-lint 0.51.0, and yamllint |
|
we are using a builtin instead |
Provisioning RequestTasks: