Bug 2081295
| Summary: | openshift is not listed as available project for user that can list templates from openshift project | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | Yaacov Zamir <yzamir> |
| Component: | User Experience | Assignee: | Tal Nisan <tnisan> |
| Status: | CLOSED MIGRATED | QA Contact: | Guohua Ouyang <gouyang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.11.0 | CC: | akrejcir, aos-bugs, aturgema, dholler, gouyang, ocohen, slaznick, tnisan, upalatuc |
| Target Milestone: | --- | Flags: | aturgema: needinfo- |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-29 02:55:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Yaacov Zamir
2022-05-03 10:21:33 UTC
Hi, not listing "openshift" for non-priv users that can access resources on "openshift" (e.g. common templates) creates a UI bug. We can solve this for the UI by:
a - make the openshift namespace discoverable for non admins (when they can list resources in it)
b - deploying common templates on another namespace, one the UI can discover.
cc:// @aturgema @tnisan
Hi, thanks,
More information:
A. I'm using a QE cluster, with a test user created using OAuth:
```
apiVersion: config.openshift.io/v1
kind: OAuth
...
spec:
  identityProviders:
  - htpasswd:
```
B. test user can't list namespaces
```
$ oc get namespaces
Error from server (Forbidden): namespaces is forbidden: User "test" cannot list resource "namespaces" in API group "" at the cluster scope
$ oc get projects
NAME                                 DISPLAY NAME   STATUS
openshift-virtualization-os-images                  Active
test-2                                              Active
test-aviv                                           Active
```
Could see this issue in all QE clusters. What's the consequence of this problem? For a regular user, after creating its own project, the user can see common templates and is able to create a VM. Why is this a bug?

Regular (non-admin) users can list the templates under the "openshift" namespace/project, thanks to the "shared-resource-viewer" Role and RoleBinding targeting the "system:authenticated" user group, which is created in OCP by default.
Regular users are not allowed by design to list *all* of the projects in the cluster, but just the projects they own (and openshift-virtualization-os-images, for which the permission was added by SSP).
Therefore, regular users don't need "list" permissions for the openshift project to list the templates under that project.
These are the default permissions for a regular user in the openshift project:
```
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - template.openshift.io
    resources:
      - templates
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreamimages
      - imagestreams
      - imagestreamtags
      - imagetags
  - verbs:
      - get
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreams/layers
  - verbs:
      - get
    apiGroups:
      - ''
    resources:
      - configmaps
```
(In reply to Oren Cohen from comment #7)
> Why this is a bug?

a. The UI does not allow getting objects from a namespace/project that it can't list. When listing an object in the UI you need to choose the namespace from a dropdown list, and if the namespace you need is not listed, the UI will not let you list objects.
b. In the case of templates, our algorithm for getting "all available templates" goes like this:
  1. get all available namespaces (using user RBAC)
  2. try to get templates from each namespace (using user RBAC)
  3. show users all templates found in the cluster they can see.
If "openshift" is not listed, we are missing all templates listed under that namespace.

> What's the consequence of this problem? For a regular user, after creates its own project, the user can see common templates and able to create VM.

We are currently using a workaround where we manually add "openshift" to the list of discovered namespaces. This is problematic for us because:
  1. the UI should just rely on RBAC rules; keeping lists of special namespaces is something we would like to avoid.
  2. the VM wizard works, but other parts of the UI that do not have this workaround will fail to list templates from "openshift".

Hi, moving to OpenShift config operator. I don't know what team is responsible for setting the "openshift" project RBAC rules; please move to the correct component if needed.

TL;DR: Can we list "openshift" when a non-privileged user lists all projects they can access, e.g. can "oc get projects" also list "openshift" if the user can access this namespace?

Summary of issue:
- a non-privileged user can list templates on the "openshift" project
- a non-privileged user can not see the "openshift" project when listing all projects

This is a problem for "kubevirt-console-plugin" because when searching for all templates we do:
a - get all projects
b - try to list templates from each project found in step a
If a user can access templates in a project, but can't list this project, our method is broken. We are currently adding "openshift" in a hardcoded way.

A user is allowed to have any arbitrary privileges in namespaces they don't directly control - not a platform bug.

> This is a problem for "kubevirt-console-plugin" because when searching for all templates we do:
> a - get all projects
> b - try to list templates from each project found in step a

In that case you have a bug in your console plugin. See https://github.com/openshift/openshift-apiserver/blob/5eabbaacd9c401192947c053672d71516dd3db34/pkg/project/auth/cache.go#L203-L204 for how to list user projects correctly.

@slaznick is there a way to get namespaces not listed in which there are resources? For example, openshift is not in the list but the user has access to templates. Can this happen with other namespaces with other resources? How can I get those templates without knowing a priori that they are in the openshift namespace? Without putting 'special cases' in the code.

> Can this happen with other namespaces with other resources?

As I mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2081295#c11 -> A user is allowed to have any arbitrary privileges in namespaces they don't directly control

> How can I get those templates without knowing a priori that they are in the openshift namespace?

You try to list them and see if they are present? That of course only works if you know the name of the NS. There're a few platform namespaces that you can rely on existing. The rest I suppose is about conventions inside the cluster/product you're working with.
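The discovery approach the thread converges on (take the projects the user can list, add the few platform namespaces known to exist, and let the API server's RBAC decide whether templates in each one are listable) can be implemented without an unconditional hardcoded entry. The following is an added example written for this page; it is not code from kubevirt-console-plugin or openshift-apiserver. It assumes that in a real plugin the review body built by `buildTemplateListReview` would be POSTed as a `SelfSubjectAccessReview` (authorization.k8s.io/v1) and `status.allowed` read from the response; here that POST is replaced by an injected callback so the logic runs offline against a constructed sample. The function and constant names are the example's own.

```typescript
// Added example: RBAC-driven namespace discovery for template listing.
// Not kubevirt-console-plugin code. The access check is injected (it stands
// in for POSTing a SelfSubjectAccessReview and reading status.allowed).

interface ResourceAttributes {
  namespace: string;
  verb: string;
  group: string;
  resource: string;
}

interface SelfSubjectAccessReview {
  apiVersion: string;
  kind: string;
  spec: { resourceAttributes: ResourceAttributes };
}

// Build the review body that asks "may the current user list templates in <namespace>?".
function buildTemplateListReview(namespace: string): SelfSubjectAccessReview {
  return {
    apiVersion: "authorization.k8s.io/v1",
    kind: "SelfSubjectAccessReview",
    spec: {
      resourceAttributes: {
        namespace: namespace,
        verb: "list",
        group: "template.openshift.io",
        resource: "templates",
      },
    },
  };
}

// Stand-in for "POST the review to the API server and return status.allowed".
type AccessCheck = (review: SelfSubjectAccessReview) => boolean;

// Candidate platform namespaces that exist on every cluster but that a regular
// user cannot list as projects. They are candidates only: each one is kept
// solely when the access check says templates in it are listable.
const PLATFORM_TEMPLATE_NAMESPACES: string[] = ["openshift"];

function discoverTemplateNamespaces(
  listedProjects: string[],
  canListTemplates: AccessCheck,
  candidates: string[] = PLATFORM_TEMPLATE_NAMESPACES
): string[] {
  const allowed: string[] = [];
  const toCheck = listedProjects.concat(candidates);
  for (const ns of toCheck) {
    if (allowed.indexOf(ns) >= 0) {
      continue; // already reviewed (listed project and candidate may overlap)
    }
    // Listed projects are reviewed too: owning a project does not by itself
    // prove the template resource is readable there, so it is not assumed.
    if (canListTemplates(buildTemplateListReview(ns))) {
      allowed.push(ns);
    }
  }
  return allowed.slice().sort();
}

// Constructed sample input (not a live cluster): the projects from the
// report's `oc get projects`, plus a fake access check that behaves like the
// shared-resource-viewer binding (templates in "openshift" are listable) and
// denies a namespace the user has no rights in.
const SAMPLE_PROJECTS: string[] = [
  "openshift-virtualization-os-images",
  "test-2",
  "test-aviv",
];

function sampleAccessCheck(review: SelfSubjectAccessReview): boolean {
  const attrs = review.spec.resourceAttributes;
  if (attrs.verb !== "list" || attrs.resource !== "templates") {
    return false;
  }
  return attrs.namespace === "openshift" || SAMPLE_PROJECTS.indexOf(attrs.namespace) >= 0;
}

// "kube-system" is offered as a candidate to show that a candidate the user
// cannot read is dropped rather than hardcoded in.
function runSample(): string[] {
  return discoverTemplateNamespaces(SAMPLE_PROJECTS, sampleAccessCheck, ["openshift", "kube-system"]);
}

console.log(runSample().join("\n"));
```

With the constructed sample, `runSample()` returns "openshift" together with the three listed projects and drops "kube-system", because the only thing that admits a namespace is the access check, not its presence in the candidate list. The candidate list still has to name the platform namespaces, which is the limitation pointed out in the last comment of the thread.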