Bug 2031705

Summary: [GSS] OBC is not visible by admin of a Project on Console
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Priya Pandey <prpandey>
Component: Multi-Cloud Object Gateway
Assignee: Alexander Indenbaum <aindenba>
Status: CLOSED ERRATA
QA Contact: Mugdha Soni <musoni>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.8
CC: ableisch, aindenba, aos-bugs, asagare, badhikar, dzaken, ebenahar, etamir, kdoberst, muagarwa, musoni, nbecker, nthomas, ocs-bugs, odf-bz-bot, skatiyar, tdesala
Target Milestone: ---
Flags: prpandey: needinfo+
Target Release: ODF 4.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 4.10.0-128
Doc Type: Bug Fix
Doc Text:
Cause: The authenticated user in the UI does not have permission to read NooBaa and BucketClass resources
Consequence: ODF UI can not list OBC
Fix: Added a role/service account noobaa-odf-ui that grants permissions to read NooBaa and BucketClass resources https://github.com/noobaa/noobaa-operator/pull/827
Result: The user can bind any user to this role to fix the OBC list issue
Story Points: ---
Clone Of:
: 2039781
Last Closed: 2022-04-13 18:50:40 UTC
Type: Bug
Bug Blocks: 2039781    

Description Priya Pandey 2021-12-13 09:58:23 UTC
Description of problem:

- The Object Bucket Claim is not visible on the OCP console although the OBC is visible on CLI with the same user.


Version-Release number of selected component (if applicable):

Prior to OCP v4.8

How reproducible:

- Create a user in the cluster

- Add admin role to the user of a namespace.

- Verify the access to resources from CLI and Console.


Steps to Reproduce:

1. Create a user and a project
2. Add admin role to this user of the project
3. Verify the access of OBC from CLI and Console.

Actual results:

- The user is not able to see the OBC resource from the Console.

Expected results:

- The user should be able to see the OBC from Console if it can create/list OBC from CLI.

Additional info:

In the next comments.

Comment 19 Danny 2022-01-05 12:08:05 UTC
@prpandey @skatiyar any reason there are cephcluster and storagecluster permissions in the example role? we can provide a role for accessing bucket-classes, but if other non-noobaa permissions are required then I don't think this role should be created by noobaa

Comment 25 Mugdha Soni 2022-02-17 10:32:38 UTC
Hi 

**Tested with the following builds :-

OCP :- 4.10.0-0.nightly-2022-02-16-171622
ODF :- 4.10.0-156


** Steps performed for validation of the fix :-

(a) Created a user named "tom" and project "test".
(b) Added admin role to this user of the project.
(c) Validated the access of OBC from CLI and Console.

** OBSERVATIONS :-

(a) The role "mcg-operator.v4.10.0-noobaa-odf-ui-dc8bf97cd" was automatically created by noobaa.
(b) After passing the rolebinding.yaml as mentioned below, the OBC section was present under Storage in UI.

[root@localhost mcg-3]# cat RoleBinding.yaml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ui-roles-binding
  namespace: openshift-storage
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
# Change this to the user who requires to access OBC page
    name: tom
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mcg-operator.v4.10.0-noobaa-odf-ui-dc8bf97cd

(c) User was able to create and list OBC in UI under cli as well .

[root@localhost mcg-3]# oc get obc -n test
NAME             STORAGE-CLASS                 PHASE   AGE
my-test-bucket   openshift-storage.noobaa.io   Bound   3m31s

Screenshots of the observations are mentioned here "https://docs.google.com/document/d/1pWRjjwGkcgq-8p_tDgwKCGPMIrM7CVp8nA2Xe0sbUSY/edit?usp=sharing".

Moving this bug to verified state .

Thanks 
Mugdha
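
The effect of the RoleBinding in the comment above, as an added example that is not part of the original comment or of the noobaa-operator code: a simplified namespace-scoped RBAC evaluator run over constructed manifests, plus a least-privilege check that flags rules going beyond read access to NooBaa and BucketClass. The Role's rules, the `noobaa.io` group and the resource names are assumptions drawn from the Doc Text; the generated role's actual rules are not shown on this page, and the evaluator ignores Groups, ClusterRoles, resourceNames and subresources.

```python
# Constructed manifests. The Role rules are an ASSUMPTION based on the Doc Text
# ("read NooBaa and BucketClass resources"); they are not copied from the cluster.
ROLE = {
    "kind": "Role",
    "metadata": {"name": "mcg-operator.v4.10.0-noobaa-odf-ui-dc8bf97cd",
                 "namespace": "openshift-storage"},
    "rules": [{"apiGroups": ["noobaa.io"],
               "resources": ["noobaas", "bucketclasses"],
               "verbs": ["get", "list", "watch"]}],
}
BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "ui-roles-binding", "namespace": "openshift-storage"},
    "subjects": [{"kind": "User", "name": "tom"}],
    "roleRef": {"kind": "Role", "name": ROLE["metadata"]["name"]},
}
READ_VERBS = {"get", "list", "watch"}

def _match(values, wanted):
    """RBAC list match: '*' is a wildcard, otherwise exact membership."""
    return "*" in values or wanted in values

def allowed(user, verb, group, resource, namespace, roles, bindings):
    """True if a RoleBinding in `namespace` gives `user` a Role rule that matches."""
    by_name = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        ns = b["metadata"]["namespace"]
        if ns != namespace or b["roleRef"]["kind"] != "Role":
            continue  # a RoleBinding only grants access inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in b["subjects"]):
            continue
        role = by_name.get((ns, b["roleRef"]["name"]))
        for rule in (role or {}).get("rules", []):
            if (_match(rule["apiGroups"], group) and _match(rule["resources"], resource)
                    and _match(rule["verbs"], verb)):
                return True
    return False

def excess_rules(role, group="noobaa.io", resources=("noobaas", "bucketclasses")):
    """Return the rules that grant more than read access to the expected resources."""
    return [r for r in role["rules"]
            if set(r["apiGroups"]) != {group}
            or not set(r["resources"]) <= set(resources)
            or not set(r["verbs"]) <= READ_VERBS]
```

On a live cluster the same question is answered by `oc auth can-i list bucketclasses.noobaa.io -n openshift-storage --as tom`, run before and after applying the RoleBinding.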

Comment 32 errata-xmlrpc 2022-04-13 18:50:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1372

Comment 34 avdhoot 2022-08-09 11:53:54 UTC
Hi @prpandey , @musoni , @skatiyar 

While automating this BZ I came across the observation below.

I created a user using the htpasswd method and logged in as the newly created user. Here I observed that
in the Storage dropdown I am able to see the OBC option without giving admin access to the user.

Is this expected behavior?

Comment 35 Sanjal Katiyar 2022-08-16 12:18:53 UTC
Hi,
I have tested it many times, one more time just now on:
OCP: 4.11.0-0.nightly-2022-08-15-152346
ODF: 4.11 (latest)
I can only see the OBC option after creating a RoleBinding. Not sure why you are seeing it without that.

But, assuming that it is present, this should not be an issue IMO.

Comment 36 Red Hat Bugzilla 2023-12-08 04:27:02 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days