Bug 1857843

Summary: Cluster upgrade notifications have no RBAC checks
Product: OpenShift Container Platform
Reporter: Samuel Padgett <spadgett>
Component: Management Console
Assignee: Robb Hamilton <rhamilto>
Status: CLOSED ERRATA
QA Contact: Yadan Pei <yapei>
Severity: medium
Priority: medium
Version: 4.6
CC: aos-bugs, jokerman, pstrick
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Clones: 1877083 (view as bug list)
Environment: Version: 4.6.0-0.ci-2020-07-16-091855 Cluster ID: 818a2c63-5921-4991-96ea-0e983fb26e17 Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Last Closed: 2020-10-27 16:15:14 UTC
Type: Bug
Bug Blocks: 1877083

Attachments:
- Verification screenshot (attachment 1702608)
- user without RBAC could not see the clusterversion by url which is hidden from menu (attachment 1714197)
- hidden menu (attachment 1714198)
- user has edit permission could see the Edit button (attachment 1714199)

Description Samuel Padgett 2020-07-16 16:26:03 UTC
Currently we show cluster upgrades to anyone who can get the ClusterVersion resource. We don't check if the user is actually able to edit the ClusterVersion to start an upgrade. We should avoid showing the notification to users who can't act on it.

For users who are unable to patch the ClusterVersion resource, we should

1. Hide the upgrade notification in the notification drawer, home -> status page, and about dialog
2. Remove the edit channel and start upgrade buttons from the cluster settings page
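
The gating the description asks for, as an added example that is not code from the OpenShift console or from the reporter: ask the API server, via a SelfSubjectAccessReview, whether the current user can "get" and "patch" the ClusterVersion, and derive the visibility of the Cluster Settings page, the upgrade notification, and the edit-channel/update buttons from those two answers rather than from the ability to read the object. The request body follows the Kubernetes authorization.k8s.io/v1 API; the console would POST it to /apis/authorization.k8s.io/v1/selfsubjectaccessreviews. The demo users and their grants, the function names, and the in-process stand-in that answers the review are constructed for this example.

```typescript
// Added example (not the console's own implementation).
// Decide which upgrade UI elements a user may see from two
// SelfSubjectAccessReviews on the ClusterVersion object.

type Verb = "get" | "patch";

interface SelfSubjectAccessReview {
  apiVersion: "authorization.k8s.io/v1";
  kind: "SelfSubjectAccessReview";
  spec: {
    resourceAttributes: { group: string; resource: string; verb: Verb; name: string };
  };
  // Filled in by the API server; absent on the request we send.
  status?: { allowed: boolean; denied?: boolean; reason?: string };
}

// Body the console would POST for the cluster-scoped singleton ClusterVersion,
// which is named "version".
function buildClusterVersionReview(verb: Verb): SelfSubjectAccessReview {
  return {
    apiVersion: "authorization.k8s.io/v1",
    kind: "SelfSubjectAccessReview",
    spec: {
      resourceAttributes: {
        group: "config.openshift.io",
        resource: "clusterversions",
        verb: verb,
        name: "version",
      },
    },
  };
}

interface UpgradeUi {
  clusterSettingsPage: boolean;        // false -> show "Restricted Access"
  upgradeNotification: boolean;        // drawer, Home -> Status, About dialog
  editChannelAndUpdateButtons: boolean;
}

// Fail closed: only an explicit status.allowed === true (and not denied) counts.
// A missing status (request never answered, or an error) is treated as "no".
function allowed(review: SelfSubjectAccessReview): boolean {
  return !!review.status && review.status.allowed === true && review.status.denied !== true;
}

// The user must be able to read the object to see the page at all; the
// notification and the buttons additionally require "patch".
function decideUpgradeUi(
  getReview: SelfSubjectAccessReview,
  patchReview: SelfSubjectAccessReview,
): UpgradeUi {
  const canGet = allowed(getReview);
  const canPatch = canGet && allowed(patchReview);
  return {
    clusterSettingsPage: canGet,
    upgradeNotification: canPatch,
    editChannelAndUpdateButtons: canPatch,
  };
}

// Constructed stand-in for the API server's answer. The three demo users
// mirror the verification comments: no cluster-reader rights at all,
// cluster-reader only, and a user allowed to edit the ClusterVersion.
const DEMO_GRANTS: { [user: string]: Verb[] } = {
  "no-access": [],
  "cluster-reader": ["get"],
  "clusterversion-editor": ["get", "patch"],
};

function answerReview(user: string, review: SelfSubjectAccessReview): SelfSubjectAccessReview {
  const attrs = review.spec.resourceAttributes;
  const grants = DEMO_GRANTS[user] || [];
  const ok =
    attrs.group === "config.openshift.io" &&
    attrs.resource === "clusterversions" &&
    grants.indexOf(attrs.verb) !== -1;
  return { ...review, status: { allowed: ok } };
}

// Run both reviews for a user and turn the answers into UI decisions.
function upgradeUiFor(user: string): UpgradeUi {
  return decideUpgradeUi(
    answerReview(user, buildClusterVersionReview("get")),
    answerReview(user, buildClusterVersionReview("patch")),
  );
}
```

The same check can be run from the command line against a real cluster to confirm a given user should not see the upgrade controls, for example `oc auth can-i patch clusterversions.config.openshift.io/version --as=<user>`; a "no" there means the console must hide the notification and the edit/update buttons for that user.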

Comment 3 XiaochuanWang 2020-07-28 06:21:26 UTC
Created attachment 1702608 [details]
Verification screenshot

Comment 4 XiaochuanWang 2020-07-28 06:28:14 UTC
Checked with a cluster-reader user; as in the attached screenshot, RBAC works now.
Verified on 4.6.0-0.nightly-2020-07-25-091217

Comment 6 XiaochuanWang 2020-09-09 01:40:59 UTC
Created attachment 1714197 [details]
user without RBAC could not see the clusterversion by url which is hidden from menu

Comment 7 XiaochuanWang 2020-09-09 01:41:52 UTC
Created attachment 1714198 [details]
hidden menu

Comment 8 XiaochuanWang 2020-09-09 01:49:51 UTC
Created attachment 1714199 [details]
user has edit permission could see the Edit button

Comment 9 XiaochuanWang 2020-09-09 01:50:28 UTC
A user with only cluster-reader RBAC can visit the Cluster Settings page and see the ClusterVersion, but cannot see the Edit button. This was verified in comment 4.

A user without cluster-reader RBAC cannot see the menus and gets a Restricted Access error message when visiting the page directly by URL. Attached the screenshot for comparison.

A user with RBAC edit permission on ClusterVersion can see the Edit button on the Cluster Versions page. Also attached the screenshot for comparison.

Comment 11 errata-xmlrpc 2020-10-27 16:15:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196