Bug 1775672
| Summary: | User with lack of permissions to create Operator subscription can see the Create button - No UI Feedback | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Andrew Ballantyne <aballant> | ||||||
| Component: | Management Console | Assignee: | Samuel Padgett <spadgett> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Yadan Pei <yapei> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 4.3.0 | CC: | aballant, aos-bugs, jokerman, yapei | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | 4.4.0 | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: |
Previously, no error message was displayed when subscribing to an operator failed in the web console. A detailed error message is now displayed.
|
Story Points: | --- | ||||||
| Clone Of: | |||||||||
| : | 1775752 (view as bug list) | Environment: |
Version: 4.3.0-0.ci-2019-11-21-103638
Cluster ID: 88de250b-5ad7-4383-80bb-18e18dbaf8c2
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
|
||||||
| Last Closed: | 2020-05-04 11:16:20 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1775752 | ||||||||
| Attachments: |
|
||||||||
|
Description
Andrew Ballantyne
2019-11-22 14:42:15 UTC
Created attachment 1638767 [details]
Console Error
Making this high severity since we're suppressing any error creating the subscription. To reproduce this problem, assign a user the cluster-reader role. They'll be able to see the OperatorHub UI, but creating subscriptions will silently fail. > Expected results:
> Not to be able to get this far into the Operator Hub or to at least see an
> error in the UI that informs me I don't need to try to click the button
> again.
Unfortunately, there's no good check we can make before the user gets to this page. You pick the namespace inside this form, and you can have different permissions for different namespaces. We might be able to show a message for the selected namespace before submit, however.
Regardless we need to handle other creation errors.
That's understandable... the error does display a 403 Forbidden, so at least that would inform me that I don't have access to this action (subscribe to the operator). Perhaps nothing has to happen prior to that as you may not know if the user has permissions to everything that is happening. 1. Assign testuser-0 as cluster-reader $ oc adm policy add-cluster-role-to-user cluster-reader testuser-0 Warning: User 'testuser-0' not found clusterrole.rbac.authorization.k8s.io/cluster-reader added: "testuser-0" 2. login console as testuser-0, Operators -> Operator Hub -> OpenShift Pipeline Operator -> Install -> click Subscribe button. An error message will show on page instead of fail silently An error occurred subscriptions.operators.coreos.com is forbidden: User "testuser-0" cannot create resource "subscriptions" in API group "operators.coreos.com" in the namespace "openshift-operators" Verified on 4.4.0-0.nightly-2019-11-25-183933 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581 |