Bug 1671369 - RBAC error when using kubevirt-web-ui as non-admin/developer
Summary: RBAC error when using kubevirt-web-ui as non-admin/developer
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: User Experience
Version: 1.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 1.4
Assignee: Rastislav Wagner
QA Contact: Radim Hrazdil
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-31 13:42 UTC by Steve Reichard
Modified: 2019-02-26 13:24 UTC

Fixed In Version: 1.4.0-13
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-26 13:24:18 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:0417 0 None None None 2019-02-26 13:24:23 UTC

Description Steve Reichard 2019-01-31 13:42:25 UTC
Description of problem:

Using the kubevirt-web-ui, when I log in as a non-admin user (developer, in my case), I get repeated errors.

The first I understand, since it is trying to look for VMs on all projects; it would be nice if the login were automatically limited to my projects.

After I do switch to my project, I see the following repeat - 
"{"response":{},"json":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"virtualmachineinstancemigrations.kubevirt.io is forbidden: User \"developer\" cannot list virtualmachineinstancemigrations.kubevirt.io in the namespace \"dev\": no RBAC policy matched","reason":"Forbidden","details":{"group":"kubevirt.io","kind":"virtualmachineinstancemigrations"},"code":403}}"

Maybe this is an installation issue in which the default policy needs to change, but I have not seen the issue using the CLI.


Version-Release number of selected component (if applicable):

[root@ospha3 ~]# podman inspect brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cnv-tech-preview/kubevirt-web-ui:v1.4.0
[
    {
        "Id": "7b03e452a9fab72d334d3bd818eb50ac06d34c4c651cab38a07170a91812d9dd",
        "Digest": "sha256:393fa9d759dd5b4d53612ff83b9776f908911cee842e2d445652a4b8bf3a750a",
        "RepoTags": [
            "brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/cnv-tech-preview/kubevirt-web-ui:v1.4.0"
        ],
        "RepoDigests": [
            "brew-pulp-docker01.web.prod.ext.phx2.redhat.com@sha256:393fa9d759dd5b4d53612ff83b9776f908911cee842e2d445652a4b8bf3a750a"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2019-01-24T11:33:00.569814884Z",
        "ContainerConfig": {
            "User": "1001",
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "container=oci"
            ],
            "Cmd": [
                "/opt/bridge/bin/bridge",
                "--public-dir=/opt/bridge/static"
            ],
            "WorkingDir": "/",
            "Labels": {
                "License": "GPLv2+",
                "architecture": "x86_64",
                "authoritative-source-url": "registry.access.redhat.com",
                "build-date": "2019-01-24T11:26:00.975896",
                "com.redhat.build-host": "cpt-0001.osbs.prod.upshift.rdu2.redhat.com",
                "com.redhat.component": "kubevirt-web-ui-container",
                "description": "This is a component of OpenShift Container Platform and provides Kubevirt Web User Interface.",
                "distribution-scope": "public",
                "io.k8s.description": "This is a component of OpenShift Container Platform and provides Kubevirt Web User Interface.",
                "io.k8s.display-name": "Kubevirt Web UI",
                "io.openshift.build.commit.id": "dfc7ab24218f6e6e95ea30de6ef66e270b2a6de9",
                "io.openshift.build.commit.url": "https://github.com/openshift/ose/commit/dfc7ab24218f6e6e95ea30de6ef66e270b2a6de9",
                "io.openshift.build.source-location": "https://github.com/openshift/ose",
                "io.openshift.tags": "openshift,console,kubevirt,cnv",
                "maintainer": "Marek Libra <mlibra>",
                "name": "cnv-tech-preview/kubevirt-web-ui",
                "release": "11",
                "summary": "This is a component of OpenShift Container Platform and provides Kubevirt Web User Interface.",
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/cnv-tech-preview/kubevirt-web-ui/images/v1.4.0-11",
                "vcs-ref": "e1a1b96ac05b7f90ad81bd842d44a95b390d03ce",
                "vcs-type": "git",
                "vendor": "Red Hat, Inc.",
                "version": "v1.4.0"
            }
        },
        "Version": "1.13.1",
        "Author": "",
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 261028676,
        "VirtualSize": 261028676,
        "GraphDriver": {
            "Name": "overlay",
            "Data": {
                "LowerDir": "/var/lib/containers/storage/overlay/9d8f500d1b9a26b56287394f1b64dbe7d3f6f51857e9841d02f6b4ba9c7cda40/diff:/var/lib/containers/storage/overlay/4b0cbf0d9d0ff230916734a790f47ab2adba69db44a79c8eac4c814ff4183c6d/diff:/var/lib/containers/storage/overlay/9197342671da8b555f200e47df101da5b7e38f6d9573b10bd3295ca9e5c0ae28/diff",
                "MergedDir": "/var/lib/containers/storage/overlay/995dbf52a7c79c2605f6e82930dfba2aaa77321a3c2847f64edf8443540009fc/merged",
                "UpperDir": "/var/lib/containers/storage/overlay/995dbf52a7c79c2605f6e82930dfba2aaa77321a3c2847f64edf8443540009fc/diff",
                "WorkDir": "/var/lib/containers/storage/overlay/995dbf52a7c79c2605f6e82930dfba2aaa77321a3c2847f64edf8443540009fc/work"
            }
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:9197342671da8b555f200e47df101da5b7e38f6d9573b10bd3295ca9e5c0ae28",
                "sha256:0b7385461a2a5e9d7c164fd983e5f08f96ec5a42e260e5c2818191ac98ee723d",
                "sha256:614d94b19d91d03b602dc18e8fc2181d7ef4da1587f76620e9c112e5df467da9",
                "sha256:eeedfe8ca51f1f3e48090b9f28b5b6e2ee903e10dac740fff83469aacadb8937"
            ]
        },
        "Labels": {
            "License": "GPLv2+",
            "architecture": "x86_64",
            "authoritative-source-url": "registry.access.redhat.com",
            "build-date": "2019-01-24T11:26:00.975896",
            "com.redhat.build-host": "cpt-0001.osbs.prod.upshift.rdu2.redhat.com",
            "com.redhat.component": "kubevirt-web-ui-container",
            "description": "This is a component of OpenShift Container Platform and provides Kubevirt Web User Interface.",
            "distribution-scope": "public",
            "io.k8s.description": "This is a component of OpenShift Container Platform and provides Kubevirt Web User Interface.",
            "io.k8s.display-name": "Kubevirt Web UI",
            "io.openshift.build.commit.id": "dfc7ab24218f6e6e95ea30de6ef66e270b2a6de9",
            "io.openshift.build.commit.url": "https://github.com/openshift/ose/commit/dfc7ab24218f6e6e95ea30de6ef66e270b2a6de9",
            "io.openshift.build.source-location": "https://github.com/openshift/ose",
            "io.openshift.tags": "openshift,console,kubevirt,cnv",
            "maintainer": "Marek Libra <mlibra>",
            "name": "cnv-tech-preview/kubevirt-web-ui",
            "release": "11",
            "summary": "This is a component of OpenShift Container Platform and provides Kubevirt Web User Interface.",
            "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/cnv-tech-preview/kubevirt-web-ui/images/v1.4.0-11",
            "vcs-ref": "e1a1b96ac05b7f90ad81bd842d44a95b390d03ce",
            "vcs-type": "git",
            "vendor": "Red Hat, Inc.",
            "version": "v1.4.0"
        },
        "Annotations": {},
        "ManifestType": "application/vnd.docker.distribution.manifest.v2+json",
        "User": "1001"
    }
]

[root@ospha3 ~]# 





How reproducible:

Has happened in 2 env for me


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
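
Added example, not part of the original report or of the kubevirt-web-ui code: a triage helper that parses the 403 `Status` body quoted in the description, builds the `kubectl auth can-i` check that reproduces the denial outside the UI, and emits the single RBAC rule an administrator would review. The function names are hypothetical, and the message regex assumes the wording shown in this report.

```python
import json
import re

# Error body copied from the report above (the "json" member of the UI error).
SAMPLE = r'''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"virtualmachineinstancemigrations.kubevirt.io is forbidden: User \"developer\" cannot list virtualmachineinstancemigrations.kubevirt.io in the namespace \"dev\": no RBAC policy matched","reason":"Forbidden","details":{"group":"kubevirt.io","kind":"virtualmachineinstancemigrations"},"code":403}'''

# Message layout as it appears in this report; other API server versions word it differently.
DENIAL = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) \S+'
                    r'(?: in the namespace "(?P<namespace>[^"]+)")?')


def parse_denial(body):
    """Return the denied user, verb, resource, group and namespace, or None."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        return None
    m = DENIAL.search(status.get("message", ""))
    if m is None:
        return None
    details = status.get("details", {})
    return {
        "user": m["user"],
        "verb": m["verb"],
        "resource": details.get("kind"),
        "group": details.get("group", ""),
        "namespace": m["namespace"],  # None when the request was cluster-wide
    }


def can_i_command(d):
    """Build the kubectl check that reproduces the denial without the UI."""
    target = d["resource"] + ("." + d["group"] if d["group"] else "")
    scope = ["-n", d["namespace"]] if d["namespace"] else ["--all-namespaces"]
    return ["kubectl", "auth", "can-i", d["verb"], target, "--as", d["user"], *scope]


def role_rule(d):
    """The single Role rule that would allow exactly the denied request."""
    return {"apiGroups": [d["group"]], "resources": [d["resource"]], "verbs": [d["verb"]]}


if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print(" ".join(can_i_command(denial)))
    print(json.dumps(role_rule(denial)))
```
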

Comment 1 Rastislav Wagner 2019-02-01 15:25:48 UTC
https://github.com/kubevirt/web-ui/pull/193

Comment 4 Tomas Jelinek 2019-02-04 09:31:10 UTC
proposing as blocker of 1.4

Comment 8 Radim Hrazdil 2019-02-11 14:04:07 UTC
Verified that when a user without proper permissions logs in, they are presented with a link inviting them to create a new project.
When the user attempts to access a ns without access, the RBAC error is displayed, consistent with tectonic.
Version 1.4.0-13

Comment 11 errata-xmlrpc 2019-02-26 13:24:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0417

