Bug 1732087

Summary: The button on the OpenShift console for editing the configmap gets disabled after removing the resourceNames
Product: OpenShift Container Platform Reporter: Saurabh Sadhale <ssadhale>
Component: Management ConsoleAssignee: Samuel Padgett <spadgett>
Status: CLOSED ERRATA QA Contact: Yadan Pei <yapei>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.11.0CC: aos-bugs, eparis, jokerman, mmccomas, spadgett, yanpzhan
Target Milestone: ---   
Target Release: 4.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Previously, the web console did not handle access control checks for resources when permission was given for a specific resource by name rather than all resources by type. This meant that the resource would be read-only in the UI, and you would have to edit the resource using the oc command. This has been addressed in 4.2. The web console now more accurately handles permissions, performing self-subject access reviews on individual resources.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-16 06:30:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Samuel Padgett 2019-07-23 12:00:36 UTC 
This is a limitation of how we performed RBAC checks in 3.11. It has been addressed in OpenShift 4.2 where we have switched to SelfSubjectAccessReview requests for more precise checks.

https://github.com/openshift/console/pull/1559
Comment 4 Yanping Zhang 2019-07-24 08:37:06 UTC 
4.2.0-0.nightly-2019-07-24-000310
console image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f58dc76257ca8c4abf49c18cc982a529a0edbb797e921a4a7a02ad6909ac1112

Tried the scenario in comment 1 on ocp 4.2 env with above version with step:
1. Create the both the roles as mentioned in comment 1. 
2. Grant both the role to the user to view namespaces/projects and edit configmaps
3. Try logging in to the console and then try editing the configmap. Now the "Save" button on edit yaml page is enabled. Update content in the configmap, then click "Save", it succeeds.
Comment 7 errata-xmlrpc 2019-10-16 06:30:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922