Bug 1761041

Summary: non-admin can open vm wizard dialog in other namespace
Product: OpenShift Container Platform Reporter: Guohua Ouyang <gouyang>
Component: Console Kubevirt PluginAssignee: Gilad Lekner <glekner>
Status: CLOSED ERRATA QA Contact: Nelly Credi <ncredi>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.2.0CC: aos-bugs, cnv-qe-bugs, gouyang, jokerman, mmccomas, ncredi, spadgett, tjelinek, yapei, yzamir
Target Milestone: ---   
Target Release: 4.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: wrong permissions detection Consequence: non-admin user can open the vm wizard dialog in foreign namespace Fix: fixed permissions detection Result: non-admin user can no longer open the vm wizard dialog in foreign namespace
 Story Points: ---
Clone Of: 1728523 Environment:
Last Closed: 2020-01-23 11:07:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Guohua Ouyang 2019-10-12 03:33:03 UTC 
+++ This bug was initially created as a clone of Bug #1728523 +++

Description of problem:
Create a non-admin user, login with the non-admin user and try to access the vm page in a project like 'default'(change the ns in the URL), it can open the vm wizard and yaml dialog. The expectation is user should not be able to open the wizard and yaml in other namespace.

If it's the yaml dialog, the default namespace is 'default', create vm from the yaml will pop up a forbidden error meessage.
If it's the wizard dialog, it can only choose these namespace are available to the current user, continue with the wizard, it can create the vm successfully.

Since user cannot navigate the project which is not available to him, user almost can't hit this issue.

Version-Release number of selected component (if applicable):
HCO-36
kubevirt-web-ui:v2.0.0-14.8
kubevirt:v0.17.4


How reproducible:
100%

Steps to Reproduce:
1. create a non-admin user
2. login the non-admin user on ui
3. change the url to "https://kubevirt-web-ui.apps.working.oc4/k8s/ns/default/virtualmachines"
4. try to open vm wizard

Actual results:
The wizard is opened

Expected results:
Non admin user should not be able to use vm dialog in other namespace.

Additional info:

--- Additional comment from Nelly Credi on 2019-07-16 20:37:36 CST ---

I wonder if its not an OCP issue. can we try it with other OCP objects? (pods)

--- Additional comment from Guohua Ouyang on 2019-07-16 22:45:12 CST ---

ya, it's the same behaviour on OCP objects, so this is not be a bug or let move it to OCP?

--- Additional comment from Tomas Jelinek on 2019-07-16 23:13:14 CST ---

please move it to OCP and add reproduction steps for a non-cnv specific object.

--- Additional comment from Guohua Ouyang on 2019-07-17 10:55:25 CST ---

Move this to OCP, consoleVersion":"v4.1.4-201906271212". Reproduce steps:
1. Create a non-admin user and login the web console with this user.
2. Change the NS which the non-admin user doesn't own it, like 'default' in the URL.
3. There is error 'pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"' shows in the page.
4. Click button 'Create Pod', the dialog is opened.

My expectation on step 4 is the non-admin should not be able to use the the button "Create Pod" and the opened dialog.

--- Additional comment from Samuel Padgett on 2019-07-19 18:46:02 CST ---

This been addressed in 4.2 by https://github.com/openshift/console/pull/1559

--- Additional comment from errata-xmlrpc on 2019-07-19 19:39:34 CST ---

Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHBA-2019:43533-01
https://errata.devel.redhat.com/advisory/43533

--- Additional comment from Yadan Pei on 2019-07-23 18:10:02 CST ---

When a non-admin user views workloads page of other projects via URL such as /k8s/ns/default/pods

An empty page will be returned and you can see `403 (Forbidden)` in F12 dev tools


Does it meet your requirement?

--- Additional comment from Samuel Padgett on 2019-07-23 19:51:10 CST ---

When you say empty page, do you mean totally blank or is there a message? The page should not be totally blank.

--- Additional comment from Guohua Ouyang on 2019-07-23 20:19:47 CST ---

I don't have an environment to verify this, could you capture a screenshot for it?

--- Additional comment from Yadan Pei on 2019-07-24 09:40:20 CST ---



--- Additional comment from Yadan Pei on 2019-07-24 09:42:00 CST ---



--- Additional comment from Yadan Pei on 2019-07-24 09:45:39 CST ---

I attached two screenshots

NormalUserViewDefaultPods: When user has a project and view pods in default namespace
NormalUserWithoutProjectsViewDefaultPods: A totally fresh new user view pods in default namespace

I think we should return 403 Forbidden error page instead of a blank page

--- Additional comment from Samuel Padgett on 2019-07-28 01:39:10 CST ---

Yadan, can you open a second bug for the issue you're seeing? It's a different problem than the original bug and specific to 4.2. The original RBAC issue with create buttons has been fixed, so we should make sure that's tracked separately and appears in the errata.

Based on my testing, there was a regression during 4.2 development where the pods page is not properly updating when switching projects and receiving the 403 response from the server. The Redux ID with the new project name is not properly getting passed down from Firehose to the Table component.

Also, can you provide exact steps for how you tested this? How you got to the pods page could matter (typing in the URL or navigating to it through the UI).

--- Additional comment from Guohua Ouyang on 2019-07-29 09:38:54 CST ---

There is no screenshot about the 'edit' permission, I assume if a user has 'edit' permission, the button 'create pods' is available.
I don't mind to move this bug to 'veified' since the UI objects aren't available to a user who don't have permission to use it.

--- Additional comment from Yadan Pei on 2019-07-29 10:33:18 CST ---


(In reply to Samuel Padgett from comment #13)
> Yadan, can you open a second bug for the issue you're seeing? It's a
> different problem than the original bug and specific to 4.2. The original
> RBAC issue with create buttons has been fixed, so we should make sure that's
> tracked separately and appears in the errata.
ok, I will
> 
> Based on my testing, there was a regression during 4.2 development where the
> pods page is not properly updating when switching projects and receiving the
> 403 response from the server. The Redux ID with the new project name is not
> properly getting passed down from Firehose to the Table component.
> 
> Also, can you provide exact steps for how you tested this? How you got to
> the pods page could matter (typing in the URL or navigating to it through
> the UI).
Sure, I will

Moving this bug to VERIFIED since the origin RBAC issue has been fixed:

When a non-admin user views workloads page of other projects via URL such as /k8s/ns/default/pods, an empty page will be returned

No Create buttons
Comment 1 Guohua Ouyang 2019-10-12 03:37:19 UTC 
Reopen this bug to kubevirt console.
The "Create" button is still available to non-admin on vm wizard page, but not vm template page and other OCP pages.

Console: OpenShift Version
4.2.0-0.nightly-2019-10-08-232417
Comment 2 Tomas Jelinek 2019-10-14 07:13:07 UTC 
since the user can hardly hit this issue, certainly not a zstream material. Targeting next release.
Comment 5 Gilad Lekner 2019-11-12 12:59:12 UTC 
PR: https://github.com/openshift/console/pull/3353
Comment 7 Guohua Ouyang 2019-11-25 03:48:25 UTC 
It has different behaviors on VM and VM Templates page.

- On VM page, the "Create with wizard" button is not showing anymore, just like the looks on Pods page.

- On VM template page, it shows an error like below.
  templates.template.openshift.io is forbidden: User "test" cannot list resource "templates" in API group "template.openshift.io" in the namespace "default".

Not sure which one is correct, I think we need to remove the error showing on the VM template page.
Comment 8 Gilad Lekner 2019-11-25 09:37:37 UTC 
I'm getting the same behaviour for Pods, VM, and VM Templates page

Screenshots - 
https://drive.google.com/file/d/1QxCx4vo5PZKsRkdjZsenmDQ1AaZFycx9/view?usp=sharing
https://drive.google.com/file/d/1Uz-a5KFn39aKL5njX2DZ-38C4NNbxRKK/view?usp=sharing
https://drive.google.com/file/d/1yAr-bkEFQl1dR-lM-yos7lPUpIFU4qrP/view?usp=sharing

Can you provide more info @Guohua
Comment 9 Guohua Ouyang 2019-11-25 09:49:11 UTC 
The version I used is 4.3.0-0.nightly-2019-11-21-122827, do you think is it a good one?
Comment 10 Guohua Ouyang 2019-11-27 10:40:36 UTC 
Move the bug to be verified as normal user cannot use VM wizard any more regardless the different results on VM and VM Templates page.
Comment 13 Guohua Ouyang 2019-11-29 02:52:12 UTC 
must not be private?
Comment 15 errata-xmlrpc 2020-01-23 11:07:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062