Bug 1663815
| Summary: | [admin]Common user could not browse catalog page | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Yanping Zhang <yanpzhan> |
| Component: | Management Console | Assignee: | Samuel Padgett <spadgett> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Yadan Pei <yapei> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.1.0 | CC: | amerdler, aos-bugs, ecordell, jokerman, mmccomas, spadgett |
| Target Milestone: | --- | | |
| Target Release: | 4.1.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-03-04 13:26:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Yanping Zhang
2019-01-07 07:21:01 UTC
This is expected behavior. "Common user" just needs a binding to the `global-operators-admin` clusterrole, which grants RBAC to interact with every Operator-provided CRD that is included in the `global-operators` OperatorGroup.
Code: https://github.com/operator-framework/operator-lifecycle-manager/blob/master/pkg/controller/operators/olm/operatorgroup.go#L76

This page needs to work for a normal user in a default 4.0 install. We either need to fix the out-of-the-box RBAC or change the console so the page doesn't fail on these resources.

Cluster version is 4.0.0-0.nightly-2019-01-23-024459
console image: registry.svc.ci.openshift.org/ocp/4.0-art-latest-2019-01-23-024459@sha256 271fd5e5d37e31b1beb4ad0921d2471055091b59adef5352f34c114e0770f246 cecead28e49e 9 hours ago 261 MB
console repo commit id: "7691a636d58a291886eec42367bae74fee49a902"
Checked on ocp 4.0 env with above version, login console with common user, in user's project, browse catalog under "Catalog"->"Developer Catalog". There is no catalog listed. It still shows error info:
clusterserviceversions.operators.coreos.com is forbidden: User "yanpzhan2" cannot list clusterserviceversions.operators.coreos.com in the namespace "prozyp1": no RBAC policy matched

> User "yanpzhan" cannot list clusterserviceversions.operators.coreos.com at the cluster scope: no RBAC policy matched"
We don't give access to list csvs at the cluster scope to common users. Shouldn't the UI only be requesting CSVs in the current project?

Evan, console has been updated to only request CSVs in the current project, but it's still an issue.

Created attachment 1524202
RBAC error message

4.0.0-0.nightly-2019-02-25-194625
console image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1e41c422fdc28077cb7d633b66c944ee8d2ed1fccf6b1cf5680fc2e7375aad7e
console commit id: f5ece4233a4b3b8b6c5f6a2367a9489ce9247ce0
Checked on "Catalog"->"Developer catalogs" page, normal user could see catalog items now. Seems the issue has been fixed, please help to check, if so, the bug could be verified.

Please help to check if the fix is already in and could move the bug to ON_QA, then I can verify the bug.

4.0.0-0.nightly-2019-02-28-054829
console commit id: d10fb8b637562015a0c704e72855e2d0c318783c
Checked again on ocp 4.0 env with above version info, normal user could access catalog page successfully now. Move the bug to Verified.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days