Bug 1530162 - Viewer should be able to view and process template for external creation flow
Summary: Viewer should be able to view and process template for external creation flow
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 3.9.0
Assignee: Robb Hamilton
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-02 08:04 UTC by Yadan Pei
Modified: 2018-03-27 09:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The UI did not validate whether or not a user had permissions to create in a selected project during step one of create from URL.
Consequence: If the user did not have permission to create in the selected project, a somewhat confusing error occurred upon clicking the next button as the form was considered valid since a project had been selected, but the user did not have permissions to create in the selected project.
Fix: Upon selecting a project, the form now checks to see if the user has permissions to add to the project; if not, an inline error message is displayed.
Result: The user is given immediate feedback if (s)he does not have permission to create in a selected project.
Clone Of:
Environment:
Last Closed: 2018-01-24 15:56:09 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:0489 | 0 | normal | SHIPPED_LIVE | Red Hat OpenShift Container Platform 3.9 RPM Release Advisory | 2018-03-28 18:06:38 UTC

Description Yadan Pei 2018-01-02 08:04:36 UTC
Description of problem:
Viewer should be granted the permission to go on to view and process the template when he is on the external creation from template flow.

Version-Release number of selected component (if applicable):
v3.9.0-0.9.0

How reproducible:
Always

Steps to Reproduce:
1. Cluster admin creates template under openshift
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/templates/ui/application-template-stibuild-without-customize-route.json --config=<admin.config>
2. User1 creates project and adds view role to user2
$ oc new-project test
$ oc policy add-role-to-user view user2 -n test
3. User2 logs in to web console and accesses create from template external page
https://<master>/console/create?template=ruby-helloworld-sample&templateParamsMap={%22ADMIN_USERNAME%22:%22adminuser%22}
4. Select project "test" in Choose Existing Project
5. Click Next

Actual results:
5. Error occurred with message:
Error
Access denied
You do not have authority to process templates in project test.

Expected results:
5. User2 should be able to go on after clicking "Next" to view and process the template until he hits "Create"; user2 doesn't have permission to create resources processed from template "ruby-helloworld-sample" in project "test" since user2 is a viewer, thus he will get an error message.

Additional info:

Comment 1 Jessica Forrester 2018-01-02 13:22:23 UTC
I'm pretty sure this was the intentional design so that the user doesn't start filling out a form they won't be able to submit. The user does not have the authority to process templates in that namespace, we have to flag that somewhere. We could potentially do better and warn them at the point where they selected the project. Similar to what we are now doing in the new add to project dialogs.

Comment 2 Robb Hamilton 2018-01-02 17:35:39 UTC
For what it's worth, the behavior is consistent with the old catalog (e.g., /project/user1project/create) as create from url simply advances the user into the old catalog create flow. I wonder if the simple fix is to remove view-only projects from create from url's choose existing project dropdown (or disable them in the dropdown). If you can't create in the project, no point letting you select the project?

Comment 3 Samuel Padgett 2018-01-02 17:43:08 UTC
It's an expensive check. If you have a lot of projects, it's not practical to filter the list up front unfortunately.

Comment 4 Yadan Pei 2018-01-03 01:35:26 UTC
We found the inconsistent behavior in automation testing: in OCP 3.7, the viewer was able to go on to fill out the form and got the error "An error occurred processing the template" when he submitted the creation.

It is better if we could keep consistent behavior?

Comment 5 Samuel Padgett 2018-01-03 14:14:32 UTC
I see the message "You are not authorized to add to this project." with the "Create" button disabled in the new 3.7 template dialog. Is that not what you see?

Comment 6 Robb Hamilton 2018-01-03 15:11:40 UTC
PR to resolve: https://github.com/openshift/origin-web-console/pull/2622

Comment 7 Yadan Pei 2018-01-04 01:44:03 UTC
(In reply to Samuel Padgett from comment #5)
> I see the message "You are not authorized to add to this project." with the
> "Create" button disabled in the new 3.7 template dialog. Is that not what
> you see?

Attached gif is what I see when creating from url with viewer

Comment 10 Samuel Padgett 2018-01-04 13:39:32 UTC
Robb's fix from comment #6 should make the two consistent where you see the error when picking the project.
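
The check-on-selection approach discussed in comments #3 and #10, sketched as an added example; it is not part of this thread or of the origin-web-console code. The function names, the `dev` project and the rule data are assumptions made for illustration, and the rule shape (verbs, apiGroups, resources) follows a SelfSubjectRulesReview-style response.

```javascript
// Added illustration, not origin-web-console code; all names are hypothetical.
// Constructed sample data: rules a per-project rules review might return.
const SAMPLE_RULES = {
  // user2 holds only the "view" role in project "test"
  test: [{ verbs: ["get", "list", "watch"],
           apiGroups: ["", "template.openshift.io"],
           resources: ["pods", "services", "templates"] }],
  // constructed second project where the same user may create anything
  dev: [{ verbs: ["*"], apiGroups: ["*"], resources: ["*"] }],
};

let rulesRequests = 0; // counts simulated API round trips

// Synchronous stand-in for the per-project rules request so this runs offline.
function fetchRules(project) {
  rulesRequests += 1;
  return SAMPLE_RULES[project] || [];
}

const matches = (list, value) => list.includes("*") || list.includes(value);

function ruleAllows(rule, verb, group, resource) {
  return matches(rule.verbs, verb) &&
    matches(rule.apiGroups, group) &&
    matches(rule.resources, resource);
}

const rulesCache = new Map(); // project -> rules, filled only on selection

// Run when a project is picked in the dropdown, never for the whole list,
// so the cost is one request per project the user actually selects.
function validateSelection(project) {
  if (!rulesCache.has(project)) rulesCache.set(project, fetchRules(project));
  const allowed = rulesCache.get(project).some((rule) =>
    ruleAllows(rule, "create", "template.openshift.io", "processedtemplates"));
  return allowed
    ? { valid: true, error: null }
    : { valid: false,
        error: `You do not have authority to process templates in project ${project}.` };
}

function requestCount() { return rulesRequests; }
```

A client-side check like this only gives early feedback; the API server still makes the authorization decision when the template is processed and the resources are created.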

Comment 11 Yadan Pei 2018-01-05 01:21:52 UTC
Yeah, I will give a test after getting a testable puddle

Comment 13 Yadan Pei 2018-01-23 02:22:56 UTC
Same issue with bug 1510786

Move to VERIFIED

