Bug 1775752

Summary: User with lack of permissions to create Operator subscription can see the Create button - No UI Feedback
Product: OpenShift Container Platform
Reporter: Samuel Padgett <spadgett>
Component: Management Console
Assignee: Samuel Padgett <spadgett>
Status: CLOSED ERRATA
QA Contact: Yadan Pei <yapei>
Severity: high
Priority: unspecified
Version: 4.3.0
CC: aballant, aos-bugs, jokerman, yapei
Target Milestone: ---
Target Release: 4.3.0
Hardware: Unspecified
OS: Unspecified
Clone Of: 1775672
Environment: Version: 4.3.0-0.ci-2019-11-21-103638; Cluster ID: 88de250b-5ad7-4383-80bb-18e18dbaf8c2; Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Last Closed: 2020-01-23 11:13:48 UTC
Bug Depends On: 1775672    

Description Samuel Padgett 2019-11-22 17:27:15 UTC
+++ This bug was initially created as a clone of Bug #1775672 +++

Description of problem:
When using a non-kubeadmin user, there was a need to have the Pipelines Operator installed. Navigating to the OperatorHub and finding the Operator was not an issue. However, when attempting to subscribe, I hit a 403 Forbidden error but nothing was rendered in the UI.

Version-Release number of selected component (if applicable): 4.3.0-0.ci-2019-11-21-103638


How reproducible: 100%


Steps to Reproduce:
1. Log in as a user without permissions to create an Operator subscription but with view access (see additional info for the script I used to create the user)
2. Navigate to the OperatorHub
3. Search for OpenShift Pipelines Operator
4. Click on the card and hit the Install button
5. Once the "Create Operator Subscription" page loads click the Subscribe button

Actual results:
Nothing happens, error in the console (attached)


Expected results:
Not to be able to get this far into the Operator Hub or to at least see an error in the UI that informs me I don't need to try to click the button again.


Additional info:
Script used to create the user is found here: https://github.com/redhat-developer/devconsole-operator/blob/master/hack/install_devconsole/create_user.sh

--- Additional comment from Andrew Ballantyne on 2019-11-22 14:42:57 UTC ---



--- Additional comment from Samuel Padgett on 2019-11-22 17:25:09 UTC ---

Making this high severity since we're suppressing any error creating the subscription.

Comment 2 Yadan Pei 2019-11-27 03:08:16 UTC
1. Grant user cluster-reader role
$ oc adm policy add-cluster-role-to-user cluster-reader yapei1 
clusterrole.rbac.authorization.k8s.io/cluster-reader added: "yapei1"

2. Try to subscribe to an operator via Operators -> Operator Hub -> Install -> Subscribe; an error message will be shown on the page
An error occurred
subscriptions.operators.coreos.com is forbidden: User "yapei1" cannot create resource "subscriptions" in API group "operators.coreos.com" in the namespace "openshift-operators"


Verified on 4.3.0-0.nightly-2019-11-26-171052
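
Added example, not part of the bug report and not the console's own code: a JavaScript sketch of the two behaviours the report asks for, a permission pre-check before offering the button and a visible message when the create call is rejected. The function names and the sample responses are assumptions constructed here; the resource, API group, namespace and error text are the ones quoted in comment 2.

```javascript
// Added example: not code from the OpenShift console.
// Resource coordinates come from the 403 message quoted in this bug.
const SUBSCRIPTION = { group: 'operators.coreos.com', resource: 'subscriptions', verb: 'create' };

// Body for POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews:
// asks the API server whether the current user may perform the action.
function buildAccessReview(namespace, attrs = SUBSCRIPTION) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: { ...attrs, namespace } },
  };
}

// Fail closed: a missing or malformed review response means "do not offer the button".
function canSubscribe(review) {
  return Boolean(review && review.status && review.status.allowed === true);
}

// Turn a rejected create into text for the page instead of dropping it.
// `body` is the parsed response; the API server returns a Status object on errors.
// The detail contains a user name, so render it as plain text, never as HTML.
function describeCreateError(httpStatus, body) {
  if (httpStatus >= 200 && httpStatus < 300) return null;
  const detail = body && body.kind === 'Status' && typeof body.message === 'string'
    ? body.message
    : `Request failed with HTTP ${httpStatus}`;
  return { title: 'An error occurred', detail, forbidden: httpStatus === 403 };
}

// Constructed sample responses (not captured from a cluster).
const deniedReview = { kind: 'SelfSubjectAccessReview', status: { allowed: false } };
const forbiddenStatus = {
  kind: 'Status', apiVersion: 'v1', status: 'Failure', reason: 'Forbidden', code: 403,
  message: 'subscriptions.operators.coreos.com is forbidden: User "yapei1" cannot create ' +
    'resource "subscriptions" in API group "operators.coreos.com" in the namespace "openshift-operators"',
};

console.log(JSON.stringify(buildAccessReview('openshift-operators')));
console.log('offer Subscribe button:', canSubscribe(deniedReview));
console.log(describeCreateError(403, forbiddenStatus));
```

The pre-check only decides what the UI offers; the API server's authorization on the create request remains the enforcement point, which is why the error path still has to be surfaced.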

Comment 4 errata-xmlrpc 2020-01-23 11:13:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062