Bug 1728985
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Disable Chargeback menu when user has no permission to view report | | |
| Product: | OpenShift Container Platform | Reporter: | Yadan Pei <yapei> |
| Component: | Management Console | Assignee: | David Taylor <dtaylor> |
| Status: | CLOSED ERRATA | QA Contact: | Yadan Pei <yapei> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.2.0 | CC: | aos-bugs, chancez, jokerman, mmccomas, spadgett, yapei |
| Target Milestone: | --- | | |
| Target Release: | 4.2.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-10-16 06:33:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Yadan Pei
2019-07-11 07:12:09 UTC
Is this the desired fix? I notice as a normal user if I go to Operators -> Operator Management, I see a similar message with the "Restricted Access" sign post. "subscriptions.operators.coreos.com is forbidden: User "test" cannot list resource "subscriptions" in API group "operators.coreos.com" in the namespace "default"" Actually, I get the same "Restricted Access" sign post going to any page under Workloads (Pods, Deployments, etc.). Same for everything under Networking and Builds. This seems to be the standard way we are handling this.

This is consistent with other places in console if the reports are namespaced. We've made no RBAC changes to the left nav for any namespaced resource to this point. The problem is that you can switch between namespaces while staying on the same nav item. If we remove the item from the nav or disable it, things get a little weird if you're on the secrets page and change to a namespace where you have no access. It's also expensive since self-subject access reviews would require at least one request for every nav item for every namespace you select (and there are a lot of nav items). We might want to try to do something if normal users aren't expected to be able to see chargeback reports, though. Chance -- What users will be able to view these reports in a default install?

Talking to Chance, we might want to limit the UI to only get reports in openshift-metering. Then we can check specifically for the user's permissions in that namespace and hide the nav item appropriately. Most users won't be able to list these reports.

Normal user can't view Administration -> Chargeback now, even cluster-reader. I will double confirm when a user is added into the `reporting-readers` group.

The original issue reported has been fixed. Verified on 4.2.0-0.nightly-2019-08-25-233755.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922

No longer needs info, since we resolved in slack and this has been fixed in the release mentioned in the errata.
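The approach the discussion converges on (scope the UI to `openshift-metering`, run one self-subject access review for that namespace, and hide the nav item when the user cannot list reports) is illustrated below as an added example. This is not the OpenShift console's own code. It assumes the report resource is `reports` in API group `metering.openshift.io`, and it replaces the real API server with a constructed in-memory RBAC table (`fakeApiServer`) so the decision logic can run offline; `buildSelfSubjectAccessReview`, `navItemVisible` and `shouldShowChargebackNav` are names chosen for this example.

```javascript
// Added example, not console code: gate a nav item on a single
// SelfSubjectAccessReview scoped to the openshift-metering namespace.

// Assumed coordinates of chargeback reports (group/resource are an
// assumption for this example, not taken from the bug).
const REPORT_ACCESS_CHECK = {
  namespace: 'openshift-metering',
  group: 'metering.openshift.io',
  resource: 'reports',
  verb: 'list',
};

// Body the console would POST to
// /apis/authorization.k8s.io/v1/selfsubjectaccessreviews. One request per
// nav render, not one per namespace switch, because the namespace is fixed.
function buildSelfSubjectAccessReview({ namespace, group, resource, verb }) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: { namespace, group, resource, verb } },
  };
}

// Fail closed: only an explicit status.allowed === true without a denial
// shows the item. A missing status or a malformed response hides it.
function navItemVisible(reviewResponse) {
  const status = reviewResponse && reviewResponse.status;
  if (!status || status.denied === true) return false;
  return status.allowed === true;
}

// Full decision: build the review, send it, map the answer to visibility.
// A thrown transport/API error also hides the item rather than leaking it.
function shouldShowChargebackNav(postReview) {
  let response;
  try {
    response = postReview(buildSelfSubjectAccessReview(REPORT_ACCESS_CHECK));
  } catch (err) {
    return false;
  }
  return navItemVisible(response);
}

// Constructed stand-in for the API server's RBAC evaluation. The table is
// invented for the example: an admin, a reporting reader bound only in
// openshift-metering, and the unprivileged user "test" from the bug.
const FAKE_RBAC = {
  'system:admin': [
    { namespace: '*', group: 'metering.openshift.io', resource: 'reports', verbs: ['*'] },
  ],
  'reporting-reader': [
    { namespace: 'openshift-metering', group: 'metering.openshift.io', resource: 'reports', verbs: ['get', 'list'] },
  ],
  test: [],
};

function fakeApiServer(user) {
  return (review) => {
    const want = review.spec.resourceAttributes;
    const rules = FAKE_RBAC[user] || [];
    const allowed = rules.some(
      (r) =>
        (r.namespace === '*' || r.namespace === want.namespace) &&
        r.group === want.group &&
        r.resource === want.resource &&
        (r.verbs.includes('*') || r.verbs.includes(want.verb)),
    );
    // Real responses echo the spec and add status; denied is omitted unless set.
    return { ...review, status: { allowed } };
  };
}

// Visibility per user, as an object so it can be inspected or asserted on.
function demo() {
  const result = {};
  for (const user of Object.keys(FAKE_RBAC)) {
    result[user] = shouldShowChargebackNav(fakeApiServer(user));
  }
  return result;
}

console.log(demo());
```

The design choice worth noting is the fixed namespace: because the check never depends on the namespace selected in the console, the "switch namespace while on the same nav item" problem raised in the discussion does not arise, and the cost is one review per user session rather than one per nav item per namespace.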