Description of problem:
Log in to the console as a common user. After creating a new project, click "Browse Catalog". It jumps to the "Catalog"->"Developer Catalog" page, but the user cannot see any catalogs. The error info is:
"clusterserviceversions.operators.coreos.com is forbidden: User "yanpzhan" cannot list clusterserviceversions.operators.coreos.com at the cluster scope: no RBAC policy matched"
Version-Release number of selected component (if applicable):
registry.svc.ci.openshift.org/openshift/origin-v4.0-2019-01-06-163602@sha256 86f6104f0b2d69a5c0133fa92f2325bbc78c398ba1000f10927f3a9d3b36e792 7f8e4a1588a2 2 weeks ago 268 MB
console repo commit id: c7f598d85ba30c2a8347885d66e44d2c8be448f5
How reproducible: Always
Steps to Reproduce:
1. Log in to the console as a common user.
2. Create a new project, then click the "Browse Catalog" button on the project overview page.
3.
Actual results:
2. It jumps to the "Catalog"->"Developer Catalog" page, but the user cannot see any catalogs.
Expected results:
2. A common user should be able to see catalogs.
Additional info: Cluster admin can see catalogs.
This is expected behavior. "Common user" just needs a binding to the `global-operators-admin` clusterrole, which grants RBAC to interact with every Operator-provided CRD that is included in the `global-operators` OperatorGroup. Code: https://github.com/operator-framework/operator-lifecycle-manager/blob/master/pkg/controller/operators/olm/operatorgroup.go#L76
This page needs to work for a normal user in a default 4.0 install. We either need to fix the out-of-the-box RBAC or change the console so the page doesn't fail on these resources.
https://github.com/openshift/console/pull/1121
Cluster version is 4.0.0-0.nightly-2019-01-23-024459
console image: registry.svc.ci.openshift.org/ocp/4.0-art-latest-2019-01-23-024459@sha256 271fd5e5d37e31b1beb4ad0921d2471055091b59adef5352f34c114e0770f246 cecead28e49e 9 hours ago 261 MB
console repo commit id: "7691a636d58a291886eec42367bae74fee49a902"
Checked on an OCP 4.0 env with the above version: logged in to the console as a common user and, in the user's project, browsed the catalog under "Catalog"->"Developer Catalog". There is no catalog listed. It still shows the error info:
clusterserviceversions.operators.coreos.com is forbidden: User "yanpzhan2" cannot list clusterserviceversions.operators.coreos.com in the namespace "prozyp1": no RBAC policy matched
> User "yanpzhan" cannot list clusterserviceversions.operators.coreos.com at the cluster scope: no RBAC policy matched"
We don't give access to list csvs at the cluster scope to common users. Shouldn't the UI only be requesting CSVs in the current project?
Evan, the console has been updated to only request CSVs in the current project, but it's still an issue.
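The two denials quoted in this thread differ only in scope: cluster scope in the original report, namespace "prozyp1" in the re-test. The following Python is an added example, not part of the bug thread or of the console or OLM code; it parses that message format and builds the `oc auth can-i` command an admin could run to re-check the same access. The function names are hypothetical, and `--as` assumes the caller has impersonation rights.

```python
import re
import shlex

# Shape of the API server's RBAC denial text, as quoted in this thread.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z*]+) (?P<resource>[\w.\-/]+) '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def parse_forbidden(message):
    """Return who was denied what, and at which scope, or None if no match."""
    m = FORBIDDEN.search(message)
    if m is None:
        return None
    # "clusterserviceversions.operators.coreos.com" -> plural name + API group
    resource, _, group = m.group("resource").partition(".")
    ns = m.group("namespace")
    return {
        "user": m.group("user"),
        "verb": m.group("verb"),
        "resource": resource,
        "group": group,  # empty string for core-group resources
        "scope": "namespace" if ns else "cluster",
        "namespace": ns,
    }

def can_i_command(denial):
    """Build the `oc auth can-i` check that re-tests the denied access."""
    target = denial["resource"] + ("." + denial["group"] if denial["group"] else "")
    scope = ["-n", denial["namespace"]] if denial["namespace"] else ["--all-namespaces"]
    argv = ["oc", "auth", "can-i", denial["verb"], target, *scope, "--as", denial["user"]]
    return " ".join(shlex.quote(a) for a in argv)

# The two messages quoted in this thread: first report, then the re-test.
SAMPLES = [
    'clusterserviceversions.operators.coreos.com is forbidden: User "yanpzhan" '
    'cannot list clusterserviceversions.operators.coreos.com at the cluster scope: '
    'no RBAC policy matched',
    'clusterserviceversions.operators.coreos.com is forbidden: User "yanpzhan2" '
    'cannot list clusterserviceversions.operators.coreos.com in the namespace '
    '"prozyp1": no RBAC policy matched',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        denial = parse_forbidden(sample)
        print(denial["scope"], "->", can_i_command(denial))
```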
Created attachment 1524202: RBAC error message
4.0.0-0.nightly-2019-02-25-194625
console image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1e41c422fdc28077cb7d633b66c944ee8d2ed1fccf6b1cf5680fc2e7375aad7e
console commit id: f5ece4233a4b3b8b6c5f6a2367a9489ce9247ce0
Checked on the "Catalog"->"Developer catalogs" page; a normal user can see catalog items now. Seems the issue has been fixed, pls help to check; if so, the bug can be verified.
Pls help to check if the fix is already in and could move the bug to ON_QA, then I can verify the bug.
4.0.0-0.nightly-2019-02-28-054829
console commit id: d10fb8b637562015a0c704e72855e2d0c318783c
Checked again on an OCP 4.0 env with the above version info; a normal user can access the catalog page successfully now. Moving the bug to Verified.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days