Conductor UI - some ideas for a better conductor
by Andrew Fitzsimon
Hi all,
I've spent quite some time thinking about global UI improvements we can make to conductor for a future release.
Now it's time for me to share a small summary of those ideas and hopefully get some feedback.
I'll be updating http://ndftz.com/playground/ with much the stuff mentioned below but as of right now it is not a representation of the functionality described; so if you have seen it before, please disregard everything aside from the responsiveness and the vector icons aspects. I'll now switch gears to get the mock interface up to speed with all the client side features described.
(attached is a formatted copy in-case you don't like reading markdown)
.. so here we go..
======================
#Goals for a better UI
> This is a plan to evolve the conductor UI into a lean, adaptive, beautiful and considered experience.
### Specifically, we hope to address:
* Navigating and issuing tasks quickly
* Without unnecessary http-roundtrips just to check on a view.
* Without having to learn new components in every view
* Without having to refer to documentation to be assisted in core tasks.
* Keeping the ‘big 6’ consistent:
* Consistent aesthetic
* Consistent behaviour
* Consistent notification
* Consistent messaging
* Consistent help
* Consistent referencing
* Address as many media types as we can get *for free*
* __Mobile__ - 480px and up via minor accommodations in our UI
* __Workstation__ 640px-1280px - our default view
* __Section 508__ compliance including screen readers
* __Printable__ - As a read-only inventory manifest of a users entire access.
* Feel like a 2012 client app
* Cutting edge UI conventions
* Swiss style visual metaphors & elements of typographic style
* Baseline grid aligned typography consisting of 2 weights with single leading.
* Use only vector graphics
* Blazingly fast client side render times
# Glossary of terms / explanation of features.
## Views
One distinct category of content.
### explained
“the users view” or “the providers view”.
A views name can even be as specific as “userXX-provider-permissions view” or “admin-provider-permissions-userXX view”
For more information on how we implement views, see 'View anchors' below
******
## Classes
Think HTML/CSS/JS classes
Classes track status or content type but not display.
<a href="#provider23" class="provider23 enabling ec2" >online</a>`
<div id="provider23" class="provider23 enabling ec2">Ec2…</div>
### Classing convention
#### Reserved classes
.active
is reserved for navigating views
.enabling .disabling .verifying .deleting .requesting
are action classes reserved for client side action confirmation
.enabled .disabled .verified .complete .building
are action classes reserved for server events
.warning .note .info .tip .caution
are reserved for assistive content
.static-reference .assist-reference
reserved for anchored clones of content via static and assistive referencing (see section)
.progress .loading .building .compiling .altering
are progress classed to be used in conjunction with a numerical class
.50 .10 .20 .25 .75 .100 .30 etc…
are percentage classes to be used in conjunction with a value
e.g.: `<span class="75 usage">75% of 300gb </...`
or better: `<span class="75 usage">225gb of 300gb </...`
.usage .progress .load .capacity
are **status** classes reserved for identifying the **type** of measurement
.instance .provider .user .pool .group
are object classes to be used on any object
### Lack of classes for layout
We will __NOT__ use classes for defining grid layout e.g. `.span-12` or `.left-120/`
All layouts will be defined in CSS via a combination of their parent view and the relevant media query.
for example we will use the CSS
#admin #providers .account .summary{width:33.333%}
rather than relying on injecting style logic into the html like this `<class="summary span-4">`
******
## Graceful degradation
Support for all core functionality in as many scenarios as possible
* New browser features (subtle animation, gradients etc)
* Older browsers lacking features
* Browsers with javascript turned off
* Screen readers (section 508, we’re going there)
******
## Responsive design
Support for viewing from various media eg cellphones, touchscreen devices, kiosks, tv’s, even print.
### Explained
1. We collapse tables into record views for narrow screens.
2. We Grow fonts and icons for tremendously high resolutions or touchable large screens.
3. We use only vector graphics (css /webfonts) for adaptive scaling and themeing.
Anchor referencing with js inlining means repeated content is printed only once. a print version would read like an infrastructure status report from the users perspective.
******
## Visual Metaphors & Vector Graphics
Visual metaphors are graphics symbolic of the function they perform.
Vector graphics are a resolution independent implementation.
### Explained
All icons, visual indicators and ornamental graphics are implemented like this:
* Vector glyphs are encoded into a woff webfont
* The woff font is base64 encoded in the stylesheet to minimise http requests (the current set of 30 icons is ~5k) so this is very acceptable.
* We fallback to url linked images supplies for legacy browsers (no .WOFF support) by using [modernizr](http://www.modernizr.com/) classes `.no-webfonts` and `.webfonts` to discriminate our implementation through css
******
## View anchors - or 'single page app'
View anchors are portions of our design implemented within the one DOM using basic anchoring functionality.
### Explained
In the proposed change, the entire conductor is one page for all default views,
1. Link anchors will activate the specific view or sub-view.
2. Anchors that do not resolve will initiate a "cannot find" message which will most commonly occur when a user does not have access to an object and has manually entered a custom # URL. the two exceptions to this will be ~/# and ~/#top which will initiate the default app view.
### In action
For example:
> The URL below should open the admin > providers > ec2eastcoast > connectivity view.
https://conductor/#ec2eastcoast-connectivity
^ ^ ^
Server ObjectID ChildView
#### What the html does
e.g. the `<div>` representing admin > providers > ec2eastcoast would look like
<div id="ec2eastcoast">.. ec2 east coast information goes here
and the connectivity tab which exists inside the ec2eastcoast provider would look like
<div id="ec2eastcoast-connectivity">
^ ^
objectID ChildViewname
Why?
Because the provider _ec2eastcoast_ lives natively within the _admin > provider_ section, it does not need to be referenced in the ID.. it simply has to be unique. But because the connectivity tab is only unique because of the provider it is associated with, it needs to be prefixed with the objectID
All direct links to the provider view would look like `<a href=#ec2eastcoast>EC2 East Coast</a> which would activate the provider tab.
#### what JS does
1. JS hides all non active views except for the default view (classed as active by the js)
2.
3. when an ID is requested the object and all parent views get classed `.active`
4. [hashchange for old browsers](http://benalman.com/projects/jquery-hashchange-plugin/) to preserve browsing history
#### what the CSS does
The body class `.nojs` is removed once Javascript is loaded so the CSS specifies that only views be visible when they are classed as `.active`
.js div{display:none} // Hiding all views
.js div.active{display:block} // Showing active views
.nojs div{display:block} // All views are shown when tabs don't work.
******
## Referenced content
> Referenced content is a live-copy of any existing part of the application. It can be implemented with static references or assistive references
> See [this JS Fiddle demo](http://jsfiddle.net/andyfitz/hRqGa/191/)
#### example
1. Global help content can be referenced from many places at once so as to avoid redundancy and annoying ajax requests.. if the section the help comes from is loaded, so is the help.
2. Inspecting an object via a link can call the objects entire content into view.
******
### Static-references
Where an anchor link to another section has been replaced with a live copy of the section it links to.
.static-reference
> An example would be any monitoring view that requires various metrics already rendered elsewhere be included.
******
### Assist-references
like a static reference but with the link-text preserved and the section only visible when the link-text has focus (has been clicked).
.assist-reference
> An example would be a permissions editor referencing the objects that a user has permissions to by name and allowing the user to inspect that object in-place with a single click, without having to visit the object in questions default view.
******
## Help & content
Written content to help describe a feature or scenario.
Combined with admonition classes
.warning .note .info .tip .caution
Often implemented via one of the following methods
* Included in the view relevant to its description
* As static-references where the help content can be dismissed (via an X in the top right corner)
* As assist-references where the help content can be revealed upon clicking a referring link
Practically speaking this is text that can be placed inline with a view that it represents or hidden in a non displayed useful content area to be static or assist-referenced by many places.
### Explained
For example: _“don’t be silly“_ is a generic tip that may apply to an enormous variety of contexts. This is useful to be placed in the "generic tips" area and linked to via `<a href=”#dont be-silly” class=”assist-reference”>now please remember..</a>` which means it wil be rendered inline of where it is referenced.
******
##Client-side status polling
All objects relevant to a view are classed with the viewname
On any action inside the view, a status classname is added to the view as well as any objects that reference it regardless of where they are displayed
<a href=#user class=”userXX enabling”>link</a>
<div id=#”userXX” class=”userXX enabling” >UserXX View</div>.
We watch the referenced views classes and mimic them on all referencing links always as they can contain or be updated with new event styles (for example: failed, warning, upgraded, admin-only etc)
******
## Server status events *investigating*
Right now we can use ajax calls to update each view but in future it would make sense to use eventSource for more advanced monitoring: [eventSource: server sent events](http://html5doctor.com/server-sent-events/)
******
## Client verification / fast feedback
Interactive assurance that an action has been requested without the verification that the server has performed the action.
For example a user clicks the enable button.. we immediately apply “enabling” status to the button but wait for the server to return with the “enabled” confirmation...
### How it works
> **Assumption** intermittent states like verifying, enabling and disabling states are safe for client side validation.
> They confirm an action has been requested but not applied.
As a rule, all elements are given the status of the objects they represent as well as classed with the object ID.. e.g.: all buttons with `class="providerid12451-*"` get the additional class of their intermittent state ``"enabling/disabling/verifying/whatever"`` When a functional object related to them has been actioned.
1. On the client javascript side, we set the actioning classname to all elements with the same object objectid class.
2. Once the action has been done an ajax call confirm the change and refreshes the class to "enabled/disabled/done/whatever" and removes the intermediary state
******
## Important action certification
[JS Fiddle demo](http://jsfiddle.net/andyfitz/mvdST/)
Requiring the user to certify that they understand the action before allowing it to take place.
for example:
> “Do you understand what you are doing?[yes] okay, here’s the button [click]”
###explained
> Enabling and disabling providers, deleting users etc
We will use three methods to verify that a user has accepted the severity of the task they are about to perform:
1. CSS physical obfuscation.
Where the confirmation toggle sits physically on top of the action toggle so that an action can not be clicked without clicking the confirmation toggle first. this helps simplify the component to one physical space part of the same consideration set.
2. javascript validation.
The action button beneath is disabled until the confirmation toggle has been clicked
3. final server verification.
the submitted action is not accepted by the system unless the post contains both the verification enabled and the action. the server then pushes the update
******
##Global status and system notification stack.
Important information about the entire system or a current process, displayed prominently.
###explained
Using the referenced content heavily, we throw system, warning and notification content to the top of the page in a collapsing, growl-style notification system”
<div id="notifications">
<h1>System Messages</h1>
<p class=”system”>you should to install aeolus-all to properly use conductor</p>
<p class=”status provider123 build”>
<a
href=”provider123-build-status”
class=”reflink 50”>
building provider123 <span>50% Complete</span>
</a>
</p>
</div>
******
## Printable manifest
Because our content is not replicated, and all enabled views are included in the DOM;
our app can actually print as if it were a manifest for the authenticated user.
We get this feature for free by proxy of our method for referencing views and content.
Having the ability to produce a hard copy infrastructure report may be a gimmick, but it's an easy way to show how conductor can help respond an IT audit situation.
### example print stylesheet changes
@media print {
a:after {
content: " ("attr(href)") ";}
div:before{
content: " ("attr(id)") ";}}
}
This will preserve all references and links throughout the UI.
Also, we can manually define sections to be printed.
@media print {
div{display:none}
#providers, #instances, #users, #global-tips {display:block !important}
}
Which means only sections we desire to be included in the manifest get printed
also
@media print {
.tabs:before{
page-break-before: always;
content:"This section contains the following:";
.tabs li a:after{content:""}
.tabs { font-size: 2em;page-break-after: always;}
.tabs li{display:list}
}
Which will convert our tabs into whole page section summaries.
> remember, this feature is free because we are designing conductor to gracefully degrade. Very little effort goes into preserving this feature so long as our standards are maintained.
# Existing conductor paradigms
These changes don't create any changes to terminology, or have much impact for pre-existing views for components already built into conductor. It is likely that the majority of what has already been done will be preserved and only undergo minor changes to the HAML/SASS so that features may be integrated into the global view.
This has been written purely to start discussion on how we evolve Conductor going forward and I'd love to hear your thoughts: [andy.fitzsimon(a)redhat.com ](mailto:andy.fitzsimon@redhat.com)
12 years, 1 month
[PATCH conductor] BZ788048: Fix permission checking on pools/_images
by Imre Farkas
From: Imre Farkas <ifarkas(a)redhat.com>
https://bugzilla.redhat.com/show_bug.cgi?id=788048
---
src/app/views/pools/_images.html.haml | 33 +++++++++++++++++----------------
1 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/src/app/views/pools/_images.html.haml b/src/app/views/pools/_images.html.haml
index c580d96..cf5513d 100644
--- a/src/app/views/pools/_images.html.haml
+++ b/src/app/views/pools/_images.html.haml
@@ -5,21 +5,22 @@
=image_tag 'flash_error_icon.png', :alt => 'Errors'
=flash[:error]
-else
- - @pool.catalogs.each do |catalog|
- %div.catalog_deployments_and_images
- %h1
- = catalog.name
- = t('.catalog')
- - catalog.deployables.each do |deployable|
- %h2
- = deployable.name
- = t('.deployable')
+ - if check_privilege(Privilege::VIEW, PoolFamily, @pool.pool_family)
+ - @pool.catalogs.each do |catalog|
+ %div.catalog_deployments_and_images
+ %h1
+ = catalog.name
+ = t('.catalog')
+ - catalog.deployables.each do |deployable|
+ %h2
+ = deployable.name
+ = t('.deployable')
- - deployable.fetch_images.compact.each do |image|
- %h3
- = t('.image')
- = "#{image.name} (#{image.uuid})"
+ - deployable.fetch_images.compact.each do |image|
+ %h3
+ = t('.image')
+ = "#{image.name} (#{image.uuid})"
- %ul
- - image.provider_images.each do |provider_image|
- %li= t('.pushed', :uuid => provider_image.uuid, :provider => provider_image.provider_name)
+ %ul
+ - image.provider_images.each do |provider_image|
+ %li= t('.pushed', :uuid => provider_image.uuid, :provider => provider_image.provider_name)
--
1.7.6.5
12 years, 1 month
[PATCH Conductor 1/7] bug 788148: Take environment into account for permission inheritance
by Scott Seago
https://bugzilla.redhat.com/show_bug.cgi?id=788148
Add 'pool family' to permission inheritance for various types. In addition, refactor permission queries to reduce the join complexity:
1) denormalize 'pool family' association into deployments, instances, etc. -- once created it never changes, so this reduces the number of joins for permissions
2) pre-generate a list of roles that include the desired privilege -- this keeps the permission queries from having to join permissions, roles, and privileges tables (all 3 tables) multiple times in a single query. Sometimes two queries are better than one. This resulted in significant speedup in queries where the user was granted permissions via the pool family.
---
src/app/models/catalog.rb | 27 +++++++++++++++
src/app/models/deployable.rb | 34 ++++++++++++++++++-
src/app/models/deployment.rb | 20 ++++++++---
src/app/models/instance.rb | 23 ++++++++-----
src/app/models/permissioned_object.rb | 8 ++--
src/app/models/pool.rb | 19 +++++++++++
src/app/models/provider_account.rb | 7 +---
.../20120227150102_add_pool_family_to_instance.rb | 32 ++++++++++++++++++
8 files changed, 144 insertions(+), 26 deletions(-)
create mode 100644 src/db/migrate/20120227150102_add_pool_family_to_instance.rb
diff --git a/src/app/models/catalog.rb b/src/app/models/catalog.rb
index 3472c59..307c4dd 100644
--- a/src/app/models/catalog.rb
+++ b/src/app/models/catalog.rb
@@ -32,6 +32,7 @@ class Catalog < ActiveRecord::Base
include PermissionedObject
belongs_to :pool
+ belongs_to :pool_family
has_many :catalog_entries, :dependent => :destroy
has_many :deployables, :through => :catalog_entries
has_many :permissions, :as => :permission_object, :dependent => :destroy,
@@ -39,12 +40,34 @@ class Catalog < ActiveRecord::Base
:order => "permissions.id ASC"
before_destroy :destroy_deployables_related_only_to_self
+ before_create :set_pool_family
validates_presence_of :pool
validates_presence_of :name
validates_uniqueness_of :name
validates_length_of :name, :maximum => 1024
+ def object_list
+ super + [pool, pool_family]
+ end
+ class << self
+ alias orig_list_for_user_include list_for_user_include
+ alias orig_list_for_user_conditions list_for_user_conditions
+ end
+
+ def self.list_for_user_include
+ orig_list_for_user_include + [ {:pool => :permissions},
+ {:pool_family => :permissions} ]
+ end
+
+ def self.list_for_user_conditions
+ "(#{orig_list_for_user_conditions}) or
+ (permissions_pools.user_id=:user and
+ permissions_pools.role_id in (:role_ids)) or
+ (permissions_pool_families.user_id=:user and
+ permissions_pool_families.role_id in (:role_ids))"
+ end
+
PRESET_FILTERS_OPTIONS = [
{:title => I18n.t("catalogs.preset_filters.belongs_to_default_pool"), :id => "belongs_to_default_pool", :query => includes(:pool).where("pools.name" => "Default")}
]
@@ -53,6 +76,10 @@ class Catalog < ActiveRecord::Base
deployables.each {|d| d.destroy if d.catalogs.count == 1}
end
+ def set_pool_family
+ self[:pool_family_id] = pool.pool_family_id
+ end
+
private
def self.apply_search_filter(search)
diff --git a/src/app/models/deployable.rb b/src/app/models/deployable.rb
index c77f094..ad537a7 100644
--- a/src/app/models/deployable.rb
+++ b/src/app/models/deployable.rb
@@ -34,9 +34,11 @@ class Deployable < ActiveRecord::Base
:order => "permissions.id ASC"
has_many :catalog_entries, :dependent => :delete_all
has_many :catalogs, :through => :catalog_entries
+ belongs_to :pool_family
belongs_to :owner, :class_name => "User", :foreign_key => "owner_id"
after_create "assign_owner_roles(owner)"
+ before_create :set_pool_family
scope :without_catalog, lambda {
deployable_ids_in_association = CatalogEntry.select(:deployable_id).map(&:deployable_id)
@@ -45,6 +47,30 @@ class Deployable < ActiveRecord::Base
PRESET_FILTERS_OPTIONS = []
+ def object_list
+ super + catalogs + catalogs.collect{|c| c.pool} + [pool_family]
+ end
+ class << self
+ alias orig_list_for_user_include list_for_user_include
+ alias orig_list_for_user_conditions list_for_user_conditions
+ end
+
+ def self.list_for_user_include
+ orig_list_for_user_include + [ {:catalogs => [:permissions,
+ {:pool => :permissions}]},
+ {:pool_family => :permissions} ]
+ end
+
+ def self.list_for_user_conditions
+ "(#{orig_list_for_user_conditions}) or
+ (permissions_catalogs.user_id=:user and
+ permissions_catalogs.role_id in (:role_ids)) or
+ (permissions_pools.user_id=:user and
+ permissions_pools.role_id in (:role_ids)) or
+ (permissions_pool_families.user_id=:user and
+ permissions_pool_families.role_id in (:role_ids))"
+ end
+
def valid_deployable_xml?
begin
deployable_xml = DeployableXML.new(xml)
@@ -133,12 +159,12 @@ class Deployable < ActiveRecord::Base
:assembly => assembly.name,
:uuid => assembly.image_id)
else
- if image.environment != catalogs.first.pool.pool_family.name
+ if image.environment != pool_family.name
deployable_errors << I18n.t("deployables.flash.error.wrong_environment",
:assembly => assembly.name,
:uuid => assembly.image_id,
:wrong_env => image.environment,
- :environment => catalogs.first.pool.pool_family.name)
+ :environment => pool_family.name)
end
images << image
assembly_hash[:build_and_target_uuids] = get_build_and_target_uuids(image)
@@ -186,6 +212,10 @@ class Deployable < ActiveRecord::Base
(latest_build ? latest_build.target_images.collect { |ti| ti.uuid} : nil)]
end
+ def set_pool_family
+ self[:pool_family_id] = catalogs.first.pool.pool_family_id
+ end
+
private
def self.apply_search_filter(search)
diff --git a/src/app/models/deployment.rb b/src/app/models/deployment.rb
index ec66fdb..c0c88b2 100644
--- a/src/app/models/deployment.rb
+++ b/src/app/models/deployment.rb
@@ -42,6 +42,7 @@ class Deployment < ActiveRecord::Base
end
belongs_to :pool
+ belongs_to :pool_family
has_many :instances, :dependent => :destroy
@@ -71,6 +72,8 @@ class Deployment < ActiveRecord::Base
before_create :inject_launch_parameters
before_create :generate_uuid
before_save :replace_special_characters_in_name
+ before_create :set_pool_family
+
USER_MUTABLE_ATTRS = ['name']
STATE_MIXED = "mixed"
@@ -105,7 +108,7 @@ class Deployment < ActiveRecord::Base
end
def object_list
- super << pool
+ super + [pool, pool_family]
end
class << self
alias orig_list_for_user_include list_for_user_include
@@ -113,16 +116,16 @@ class Deployment < ActiveRecord::Base
end
def self.list_for_user_include
- includes = orig_list_for_user_include
- includes << { :pool => {:permissions => {:role => :privileges}}}
- includes
+ orig_list_for_user_include + [ {:pool => :permissions},
+ {:pool_family => :permissions} ]
end
def self.list_for_user_conditions
"(#{orig_list_for_user_conditions}) or
(permissions_pools.user_id=:user and
- privileges_roles.target_type=:target_type and
- privileges_roles.action=:action)"
+ permissions_pools.role_id in (:role_ids)) or
+ (permissions_pool_families.user_id=:user and
+ permissions_pool_families.role_id in (:role_ids))"
end
def get_action_list(user=nil)
@@ -596,4 +599,9 @@ class Deployment < ActiveRecord::Base
def replace_special_characters_in_name
name.gsub!(/[^a-zA-Z0-9]+/, '-')
end
+
+ def set_pool_family
+ self[:pool_family_id] = pool.pool_family_id
+ end
+
end
diff --git a/src/app/models/instance.rb b/src/app/models/instance.rb
index 9027e24..09ec599 100644
--- a/src/app/models/instance.rb
+++ b/src/app/models/instance.rb
@@ -70,6 +70,7 @@ class Instance < ActiveRecord::Base
@@per_page = 15
belongs_to :pool
+ belongs_to :pool_family
belongs_to :provider_account
belongs_to :deployment
@@ -100,6 +101,7 @@ class Instance < ActiveRecord::Base
validates_length_of :name, :maximum => 1024
before_create :generate_uuid
+ before_create :set_pool_family
STATE_NEW = "new"
STATE_PENDING = "pending"
@@ -144,7 +146,7 @@ class Instance < ActiveRecord::Base
USER_MUTABLE_ATTRS = ['name']
def object_list
- super + [pool, deployment]
+ super + [deployment, pool, pool_family]
end
class << self
alias orig_list_for_user_include list_for_user_include
@@ -152,20 +154,19 @@ class Instance < ActiveRecord::Base
end
def self.list_for_user_include
- includes = orig_list_for_user_include
- includes << { :pool => {:permissions => {:role => :privileges}},
- :deployment => {:permissions => {:role => :privileges}}}
- includes
+ orig_list_for_user_include + [ {:deployment => :permissions},
+ {:pool => :permissions},
+ {:pool_family => :permissions} ]
end
def self.list_for_user_conditions
"(#{orig_list_for_user_conditions}) or
(permissions_deployments.user_id=:user and
- privileges_roles.target_type=:target_type and
- privileges_roles.action=:action) or
+ permissions_deployments.role_id in (:role_ids)) or
(permissions_pools.user_id=:user and
- privileges_roles_2.target_type=:target_type and
- privileges_roles_2.action=:action)"
+ permissions_pools.role_id in (:role_ids)) or
+ (permissions_pool_families.user_id=:user and
+ permissions_pool_families.role_id in (:role_ids))"
end
def get_action_list(user=nil)
@@ -511,6 +512,10 @@ class Instance < ActiveRecord::Base
self[:uuid] = UUIDTools::UUID.timestamp_create.to_s
end
+ def set_pool_family
+ self[:pool_family_id] = pool.pool_family_id
+ end
+
def do_operation(user, operation)
@task = self.queue_action(user, operation)
unless @task
diff --git a/src/app/models/permissioned_object.rb b/src/app/models/permissioned_object.rb
index 36a2f25..c534261 100644
--- a/src/app/models/permissioned_object.rb
+++ b/src/app/models/permissioned_object.rb
@@ -59,20 +59,20 @@ module PermissionedObject
self.name.constantize
end
def self.list_for_user_include
- [{:permissions => {:role => :privileges}}]
+ [:permissions]
end
def self.list_for_user_conditions
"permissions.user_id=:user and
- privileges.target_type=:target_type and
- privileges.action=:action"
+ permissions.role_id in (:role_ids)"
end
def self.list_for_user(user, action, target_type=self.default_privilege_target_type)
return where("1=0") if user.nil? or action.nil? or target_type.nil?
if BasePermissionObject.general_permission_scope.has_privilege(user, action, target_type)
scoped
else
+ role_ids = Role.includes(:privileges).where("privileges.target_type" => target_type, "privileges.action" => action).collect {|r| r.id}
include_clause = self.list_for_user_include
- conditions_hash = {:user => user.id, :target_type => target_type.name, :action => action}
+ conditions_hash = {:user => user.id, :target_type => target_type.name, :action => action, :role_ids => role_ids}
conditions_str = self.list_for_user_conditions
includes(include_clause).where(conditions_str, conditions_hash)
end
diff --git a/src/app/models/pool.rb b/src/app/models/pool.rb
index be3d156..3fce49b 100644
--- a/src/app/models/pool.rb
+++ b/src/app/models/pool.rb
@@ -137,6 +137,25 @@ class Pool < ActiveRecord::Base
{:title => I18n.t("pools.preset_filters.with_stopped_instances"), :id => "with_stopped_instances", :query => includes(:deployments => :instances).where("instances.state" => "stopped")}
]
+ def object_list
+ super + [pool_family]
+ end
+ class << self
+ alias orig_list_for_user_include list_for_user_include
+ alias orig_list_for_user_conditions list_for_user_conditions
+ end
+
+ def self.list_for_user_include
+ orig_list_for_user_include + [ {:pool_family => :permissions} ]
+ end
+
+ def self.list_for_user_conditions
+ "(#{orig_list_for_user_conditions}) or
+ (permissions_pool_families.user_id=:user and
+ permissions_pool_families.role_id in (:role_ids))"
+ end
+
+
private
def self.apply_search_filter(search)
diff --git a/src/app/models/provider_account.rb b/src/app/models/provider_account.rb
index eff59f9..1e0ed69 100644
--- a/src/app/models/provider_account.rb
+++ b/src/app/models/provider_account.rb
@@ -115,16 +115,13 @@ class ProviderAccount < ActiveRecord::Base
end
def self.list_for_user_include
- includes = orig_list_for_user_include
- includes << { :provider => {:permissions => {:role => :privileges}}}
- includes
+ orig_list_for_user_include + [{ :provider => :permissions}]
end
def self.list_for_user_conditions
"(#{orig_list_for_user_conditions}) or
(permissions_providers.user_id=:user and
- privileges_roles.target_type=:target_type and
- privileges_roles.action=:action)"
+ permissions_providers.role_id in (:role_ids))"
end
def destroyable?
diff --git a/src/db/migrate/20120227150102_add_pool_family_to_instance.rb b/src/db/migrate/20120227150102_add_pool_family_to_instance.rb
new file mode 100644
index 0000000..00848ba
--- /dev/null
+++ b/src/db/migrate/20120227150102_add_pool_family_to_instance.rb
@@ -0,0 +1,32 @@
+class AddPoolFamilyToInstance < ActiveRecord::Migration
+ def self.up
+ add_column :instances, :pool_family_id, :integer
+ add_column :deployments, :pool_family_id, :integer
+ add_column :catalogs, :pool_family_id, :integer
+ add_column :deployables, :pool_family_id, :integer
+
+ Deployment.all.each do |deployment|
+ deployment.pool_family_id = deployment.pool.pool_family_id
+ deployment.save!
+ end
+ Instance.all.each do |instance|
+ instance.pool_family_id = instance.pool.pool_family_id
+ instance.save!
+ end
+ Catalog.all.each do |catalog|
+ catalog.pool_family_id = catalog.pool.pool_family_id
+ catalog.save!
+ end
+ Deployable.all.each do |deployable|
+ deployable.pool_family_id = deployable.catalogs.first.pool_family_id unless deployable.catalogs.empty?
+ deployable.save!
+ end
+ end
+
+ def self.down
+ remove_column :instances, :pool_family_id
+ remove_column :deployments, :pool_family_id
+ remove_column :catalogs, :pool_family_id
+ remove_column :deployables, :pool_family_id
+ end
+end
--
1.7.6.4
12 years, 1 month
[PATCH configure] BZ 798440 - /etc/aeolus-configure/nodes/* should be not be world readable
by Richard Su
https://bugzilla.redhat.com/show_bug.cgi?id=798440
Also changed permissions of /etc/imagefactory/imagefactory.conf to 0600.
---
contrib/aeolus-configure.spec.in | 1 +
recipes/aeolus/manifests/image-factory.pp | 3 +++
2 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/contrib/aeolus-configure.spec.in b/contrib/aeolus-configure.spec.in
index 60aa246..9fae261 100644
--- a/contrib/aeolus-configure.spec.in
+++ b/contrib/aeolus-configure.spec.in
@@ -58,6 +58,7 @@ Aeolus Configure Puppet Recipe
%attr(0755, root, root) %{_sbindir}/aeolus-configure
%attr(0755, root, root) %{_sbindir}/aeolus-cleanup
%config(noreplace) %{_sysconfdir}/aeolus-configure/*
+%attr(0600, root, root) %{_sysconfdir}/aeolus-configure/nodes/*
%attr(0755, root, root) %{_bindir}/aeolus-check-services
%attr(0755, root, root) %{_sbindir}/aeolus-restart-services
%{aeolushome}
diff --git a/recipes/aeolus/manifests/image-factory.pp b/recipes/aeolus/manifests/image-factory.pp
index 744f9c2..7c2838b 100644
--- a/recipes/aeolus/manifests/image-factory.pp
+++ b/recipes/aeolus/manifests/image-factory.pp
@@ -57,6 +57,9 @@ class aeolus::image-factory inherits aeolus {
hasstatus => true,
require => Package['libvirt']}
+ file { "/etc/imagefactory/imagefactory.conf":
+ mode => 0600 }
+
augeas { 'imagefactory.conf':
incl => '/etc/imagefactory/imagefactory.conf',
lens => 'Json.lns',
--
1.7.7.6
12 years, 1 month