Bug 1720603
Summary: | Ordinary users can't create VM or VMT with Wizard from the web console | | |
---|---|---|---|
Product: | Container Native Virtualization (CNV) | Reporter: | Qixuan Wang <qixuan.wang> |
Component: | User Experience | Assignee: | Filip Krepinsky <fkrepins> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Radim Hrazdil <rhrazdil> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 2.0 | CC: | cnv-qe-bugs, gouyang, ncredi, rhrazdil, tjelinek |
Target Milestone: | --- | | |
Target Release: | 2.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | v2.0.0-14.8 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-07-29 07:24:06 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Qixuan Wang
2019-06-14 10:55:09 UTC
@Qixuan, what clusterRoles did you assign to the user? Edit or View?

reference: https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles

@Tomas,
There is a difference between our test case and the document, our case says user without admin role could not "interact with 'Create Virtual Machine' button, search field and others", the document says user with edit role should be able to create vm from the wizard. I think we need to review the policy for UI.

Could you please clarify the permission for different roles on UI and QE might need to update the test case and re-test it.

https://polarion.engineering.redhat.com/polarion/#/project/CNV/workitem?id=CNV-1718
https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles

(In reply to Guohua Ouyang from comment #2)
> @Tomas,
> There is a difference between our test case and the document, our case says
> user without admin role could not "interact with 'Create Virtual Machine'
> button, search field and others", the document says user with edit role
> should be able to create vm from the wizard. I think we need to review the
> policy for UI.
>
> Could you please clarify the permission for different roles on UI and QE
> might need to update the test case and re-test it.
>
> https://polarion.engineering.redhat.com/polarion/#/project/CNV/workitem?id=CNV-1718
> https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles

It's based on its ClusterRoleBinding or RoleBinding. If it's RoleBinding, user access permission is limited to the NS. If it's ClusterRoleBinding, users receive the permissions granted by the role across all namespaces.

(In reply to Guohua Ouyang from comment #2)
> @Tomas,
> There is a difference between our test case and the document, our case says
> user without admin role could not "interact with 'Create Virtual Machine'
> button, search field and others", the document says user with edit role
> should be able to create vm from the wizard. I think we need to review the
> policy for UI.

They actually match. In the test case you have:

1: Navigate to VM in default namespace -> User should not be able to interact with 'Create Virtual Machine' button, search field and others.
2: Navigate to projects and create new namespace -> ... -> User should be able to create a new Virtual Machine (either using wizard or yaml)

e.g. you need to have edit role on the namespace in which you want to create a VM.

>
> Could you please clarify the permission for different roles on UI and QE
> might need to update the test case and re-test it.
>
> https://polarion.engineering.redhat.com/polarion/#/project/CNV/workitem?id=CNV-1718
> https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles

The problem was that we were expecting list privileges of VMs in all namespaces.

Not relevant, other observations: I tried your script and it also seems that you are missing roles for listing

- virtualmachineinstancemigrations (impacts status in VM list).
- network-attachment-definitions (impacts NAD selection in VM dialog / NICs)

(In reply to Guohua Ouyang from comment #1)
> @Qixuan, what clusterRoles did you assign to the user? Edit or View?
>
> reference:
> https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles

For OpenShift, if a namespace is created by a normal user with `oc new-project xxx`, then that normal user will be in the admin rolebindings of the namespace. It's implemented by projectrequest resource.

Verified the flow given in the description.

kubevirt-web-ui-container-v2.0.0-14.8
HCO v2.0.0-33
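
The two scopes discussed in this thread (list access inside one namespace versus list access across all namespaces) and the list permissions reported as missing can be checked from the CLI with `oc auth can-i`. This is an added example, not part of the bug report or the project's code; it assumes an admin session that is allowed to impersonate users with `--as`, and the user and namespace arguments are placeholders.

```shell
#!/bin/sh
# Added example: audit the list permissions the thread ties to the VM wizard.
# Assumption: run by an admin who may impersonate users (--as).

# Resources named in the thread, plus virtualmachines itself.
WIZARD_RESOURCES="virtualmachines virtualmachineinstancemigrations network-attachment-definitions"

# can_list USER RESOURCE SCOPE_ARGS...
# Succeeds only when the API server answers "yes" for the list verb.
can_list() {
    cl_user=$1; cl_resource=$2; shift 2
    [ "$(oc auth can-i list "$cl_resource" --as "$cl_user" "$@" 2>/dev/null)" = "yes" ]
}

# missing_list_perms USER NAMESPACE
# Prints one line per gap and nothing when every check passes.
missing_list_perms() {
    mp_user=$1; mp_ns=$2
    # Namespaced checks: what a RoleBinding in NAMESPACE can grant.
    for mp_res in $WIZARD_RESOURCES; do
        can_list "$mp_user" "$mp_res" -n "$mp_ns" || echo "namespace:$mp_ns $mp_res"
    done
    # Cluster-wide check: only a ClusterRoleBinding grants this, which is why
    # a UI that lists VMs in all namespaces fails for a namespace-scoped user.
    can_list "$mp_user" virtualmachines --all-namespaces || echo "cluster-wide virtualmachines"
}

# Stand-alone use: ./check.sh <user> <namespace>
if [ $# -eq 2 ]; then
    missing_list_perms "$1" "$2"
fi
```

A user who created the project with `oc new-project` should show no `namespace:` lines for `virtualmachines`; a remaining `cluster-wide` line is expected for ordinary users and is not in itself a misconfiguration.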