Description of problem: Even after removing service catalog, "Provisioned Services" in Applications sub-menu is not removed and gets stuck at "Loading...". This is applicable for all projects including the new ones. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Install OCP 3.7 with service catalog 2. Remove service catalog as below: # ansible-playbook -i hosts openshift-ansible/playbooks/byo/openshift-cluster/service-catalog.yml -e template_service_broker_remove=true -e template_service_broker_install=false -e ansible_service_broker_remove=true -e openshift_service_catalog_remove=true -e ansible_service_broker_install=false Actual results: "Provisioned Services" is not removed from Applications sub-menu in the web interface and it gets stuck at "Loading...". Expected results: "Provisioned Services" should be removed.
The underlying problem is that the web console checks whether the user has authority to list service instances to decide when to show the menu. Since that access is not removed from `edit` and `view` cluster roles on service catalog uninstall, the menu item is still visible. As a workaround, it's possible to edit the `edit` and `view` clusterroles to remove `list` from resource `servicecatalog.k8s.io/serviceinstances`. We should fix the console to check that the resource exists and only add the menu when it does.
3.9 fix: https://github.com/openshift/origin-web-console/pull/2854
Commits pushed to master at https://github.com/openshift/origin-web-console https://github.com/openshift/origin-web-console/commit/c5cca3d41e48360a5ffa92ae31a3eb2a4bfa43e8 Bug 1549097 - Update nav canI check Check if the resource exists and if you have permission in navigation canI checks. This avoids a problem where the resource has been removed, but a role still grants access to the removed resource. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1549097 https://github.com/openshift/origin-web-console/commit/c2c57a691390f80d7c12bb7f055302db989b0a42 Merge pull request #2854 from spadgett/nav-api-info-check Automatic merge from submit-queue. Bug 1549097 - Update nav canI check Check if the resource exists and if you have permission in navigation canI checks. This avoids a problem where the resource has been removed, but a role still grants access to the removed resource. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1549097 /assign @benjaminapetersen
3.7 fix: https://github.com/openshift/origin-web-console/pull/2855
3.8 fix: https://github.com/openshift/origin-web-console/pull/2856
Checked fixes on v3.7.35 1. Install OCP 3.7 with service catalog & TSB enabled 2. Provision some serviceinstances 3. Disable/Remove service catalog using ansible-playbook 4. Check "Provisioned Services" sub-menu on web console "Provisioned Services" sub-menu is removed too The issue is fixed on 3.7.z
PR 2854 is not included in v3.9.1 yet, will check in newer 3.9 puddle
Verified on v3.9.2 with same steps in comment 7, when service catalog is removed, "Provisioned Services" sub-menu is removed also. Move to VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0636