Bug 1942027

Summary: PersistentVolume yaml editor is read-only with system:persistent-volume-provisioner ClusterRole
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: Management Console
Assignee: Samuel Padgett <spadgett>
Status: CLOSED ERRATA
QA Contact: Yanping Zhang <yanpzhan>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.3.0
CC: afrahman, aos-bugs, efried, jhadvig, jokerman, nthomas, rhamilto, spadgett, yapei
Target Milestone: ---
Target Release: 4.7.z
Hardware: x86_64
OS: Linux
Whiteboard: Scrubbed
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The web console YAML editor was incorrectly set to read-only mode when a user had permission to create a resource, but not permission to edit it. The editor content is now correctly editable when the user has create access for the resource.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-19 15:15:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1824911
Bug Blocks:

Description OpenShift BugZilla Robot 2021-03-23 13:16:13 UTC
+++ This bug was initially created as a clone of Bug #1824911 +++

Description of problem:

When I have permission to create PVs via a ClusterRoleBinding tying my group to the system:persistent-volume-provisioner role, the YAML editor in the Storage => PersistentVolumes => Create Persistent Volume window is read-only, in the sense that I cannot edit the content.

I am still able to drag-and-drop a premade file into the editor and its content appears properly.

I am still able to create the PV successfully after doing that, as well as from the generic `+` in the top right corner (whose editor is writable), and the command line.

When I'm a member of osd-sre-cluster-admins, the editor is writable. I haven't tried to isolate what osd-sre-cluster-admins have that's making the difference.

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
On qaprodauth (haven't tried this in prod):
1. Create AWS-backed OSD cluster (haven't tried with other combinations)
2. Log into the web UI as OpenShift_SRE, navigate to Storage => Persistent Volumes. The "Create Persistent Volume" button is absent, as expected.
3. Elevate privileges (I do this by adding self to the osd-sre-cluster-admins group)
4. Create a ClusterRoleBinding like:

 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: system:persistent-volume-provisioner-for-sre
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:persistent-volume-provisioner
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
   name: osd-sre-admins

5. Drop privileges (remove self from osd-sre-cluster-admins)
6. Refresh the web UI or log in again.
7. The Storage => Persistent Volumes page now has the "Create Persistent Volume" button. Punch it.
   a. Attempt to edit the text in the YAML editor. This fails (popover complains that the editor is read-only).
   b. Open a file explorer, find a YAML file for a legit PV, and drag-and-drop it into the editor. This succeeds (the text is replaced with the file contents).
   c. Punch the Create button. This works -- the PV is created.

Actual results:
Per 7.a. the YAML editor is read-only.

Expected results:
The YAML editor is writable.

Additional info:
We originally observed this via an OAuth'd user created in `dedicated-admins` to simulate the customer. In that scenario, the ClusterRoleBinding differed only in that the subjects[0].name was `dedicated-admins` rather than `osd-sre-admins`. Otherwise the observed behavior was the same.

--- Additional comment from rhamilto on 2020-05-07 14:33:38 UTC ---

Reassigning to Console Storage Plugin since they own this functionality.

--- Additional comment from nthomas on 2020-05-12 11:32:33 UTC ---

Low priority issue, moving to 4.6

--- Additional comment from nthomas on 2021-02-13 08:46:16 UTC ---

Moving out to 4.8

--- Additional comment from prasriva on 2021-02-20 19:55:15 UTC ---

Hello Eric.

I don't have access to some of the resources (namely OSD cluster, Openshift_SRE credentials, and the apiGroup privileges) that are described in your aforementioned comment, hence I'm unable to reproduce this on my machine.

Would it be possible for you to grant me testing access to them (or a similar environment that depicts your bug successfully, maybe a VM?) so that I can take a look at what may be causing this bug?

--- Additional comment from prasriva on 2021-02-24 07:47:20 UTC ---

This is a generic issue, it happens with all the resources. Moving it to Management Console.

--- Additional comment from rhamilto on 2021-02-24 15:48:48 UTC ---

Will investigate next sprint.

--- Additional comment from rhamilto on 2021-03-15 14:43:20 UTC ---

Reassigning to Jakub since he's better equipped to fix RBAC issues.

--- Additional comment from spadgett on 2021-03-22 13:57:12 UTC ---

Can you confirm you can edit the resource via the CLI? We rely on self-subject access reviews to determine if the editor should be read-only. Note that you need `update` authority on the resource, not just `patch`.

--- Additional comment from efried on 2021-03-22 15:28:20 UTC ---

I've spun up a fresh cluster to test this. Let me know if you would like access to poke around.

> Can you confirm you can edit the resource via the CLI?

Indeed, I cannot edit PVs (in the UI or CLI) as the system:persistent-volume-provisioner clusterrole does not have PV patch or update permissions:

- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - get
  - list
  - watch

When I add those permissions to the clusterrole and reload the console, the editor becomes writable (and editing via the CLI becomes possible).

So it sounds like the bug is that the editor in the "Create" page should rely on the `create` verb rather than `update`/`patch`.

--- Additional comment from spadgett on 2021-03-22 18:46:49 UTC ---

Yeah, I see the problem. You're right: we're incorrectly checking update permission when creating a resource via the YAML editor.
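The two comments above describe the whole mechanism: the console asks the API server, via a SelfSubjectAccessReview, whether the current user holds a given verb on the resource, and sets the editor read-only when the answer is no; the defect was asking for `update` on the Create page, where `create` is the verb that matters. The following TypeScript is an added example written for this page, not code from openshift/console or from either commenter. It stands in a small RBAC rule matcher for the API server's access review (real RBAC also evaluates resourceNames, subresources and non-resource URLs, which are omitted), and puts the buggy decision beside the fixed one. The interface and function names (`PolicyRule`, `ResourceAttributes`, `selfSubjectAccessReview`, `editorReadOnlyBuggy`, `editorReadOnlyFixed`) and the rule sets are assumptions constructed for the example; only the verbs in the first rule set are copied from the ClusterRole quoted in the comment above.

```typescript
// Added example (not openshift/console code): a simplified RBAC rule matcher
// standing in for a SelfSubjectAccessReview, plus the console-style
// "is the YAML editor read-only?" decision in its buggy and fixed forms.
// All names here are assumptions for the example; the verb semantics are
// taken from the bug report.

interface PolicyRule {
  apiGroups: string[];
  resources: string[];
  verbs: string[];
}

// Reduced shape of the resourceAttributes field of a SelfSubjectAccessReview.
interface ResourceAttributes {
  group: string;
  resource: string;
  verb: string;
}

// Constructed copy of the persistentvolumes rule quoted from the
// system:persistent-volume-provisioner ClusterRole: no update, no patch.
const pvProvisionerRules: PolicyRule[] = [
  {
    apiGroups: [""],
    resources: ["persistentvolumes"],
    verbs: ["create", "delete", "get", "list", "watch"],
  },
];

// Constructed: the same rule after the workaround of granting update/patch.
const pvProvisionerPlusEdit: PolicyRule[] = [
  {
    apiGroups: [""],
    resources: ["persistentvolumes"],
    verbs: ["create", "delete", "get", "list", "watch", "update", "patch"],
  },
];

// Constructed: a cluster-admin style wildcard rule.
const clusterAdminRules: PolicyRule[] = [
  { apiGroups: ["*"], resources: ["*"], verbs: ["*"] },
];

// RBAC list semantics: "*" matches everything, otherwise exact match.
function matches(allowed: string[], wanted: string): boolean {
  return allowed.indexOf("*") !== -1 || allowed.indexOf(wanted) !== -1;
}

function ruleAllows(rule: PolicyRule, attrs: ResourceAttributes): boolean {
  return (
    matches(rule.apiGroups, attrs.group) &&
    matches(rule.resources, attrs.resource) &&
    matches(rule.verbs, attrs.verb)
  );
}

// Stand-in for the API server answering a SelfSubjectAccessReview for the
// calling user: allowed if any rule bound to the user grants the verb.
function selfSubjectAccessReview(rules: PolicyRule[], attrs: ResourceAttributes): boolean {
  return rules.some((r) => ruleAllows(r, attrs));
}

type EditorMode = "create" | "edit";

// Behaviour the bug describes: the editor always asks for `update`, so a user
// who may only create PVs gets a read-only editor even on the Create page.
function editorReadOnlyBuggy(rules: PolicyRule[], _mode: EditorMode, resource: string): boolean {
  return !selfSubjectAccessReview(rules, { group: "", resource: resource, verb: "update" });
}

// Fixed behaviour: the verb follows the page. Creating a new resource needs
// `create`; editing an existing one needs `update` (not merely `patch`).
function editorReadOnlyFixed(rules: PolicyRule[], mode: EditorMode, resource: string): boolean {
  const verb = mode === "create" ? "create" : "update";
  return !selfSubjectAccessReview(rules, { group: "", resource: resource, verb: verb });
}

// Summarise both decisions for a rule set, for a quick side-by-side look.
function editorStates(rules: PolicyRule[], resource: string): { [key: string]: boolean } {
  return {
    buggyCreatePage: editorReadOnlyBuggy(rules, "create", resource),
    fixedCreatePage: editorReadOnlyFixed(rules, "create", resource),
    fixedEditPage: editorReadOnlyFixed(rules, "edit", resource),
  };
}

console.log("provisioner role:", editorStates(pvProvisionerRules, "persistentvolumes"));
console.log("provisioner + update/patch:", editorStates(pvProvisionerPlusEdit, "persistentvolumes"));
console.log("cluster-admin:", editorStates(clusterAdminRules, "persistentvolumes"));
```

With the provisioner role as quoted, the buggy check leaves the Create page read-only while the fixed check makes it writable, and the Edit page stays read-only under both until `update` is granted; the wildcard rule is writable everywhere. On a live cluster the same two reviews are what `oc auth can-i create persistentvolumes` and `oc auth can-i update persistentvolumes` issue, which is a quick way to confirm which verb a user actually holds before blaming the console.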

Comment 5 Yanping Zhang 2021-05-12 06:33:31 UTC
The fix PR's test passed before merge, and the PR has been included in 4.7.0-0.nightly-2021-05-12-004740, so moving the bug to Verified.

Comment 7 errata-xmlrpc 2021-05-19 15:15:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.11 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.