Bug 1671605
| Summary: | Should disable Machine Sets,Machine Deployments, Machines, Opertor Management pages for non cluster admin user | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Yadan Pei <yapei> |
| Component: | Management Console | Assignee: | Samuel Padgett <spadgett> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | shahan <hasha> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.1.0 | CC: | aos-bugs, jokerman, mmccomas, wsun |
| Target Milestone: | --- | ||
| Target Release: | 4.1.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-02-18 14:03:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is really tricky since machines are namespaced resources. It is difficult to know whether a user can create or view machines in *any* namespace, and we don't have a good way to handle RBAC for namespaced resources today the way the nav works. We could potentially check if the user can list machines specifically in the `openshift-cluster-api` namespace, although it would be possible to incorrectly hide the nav items in that case. The following PR hides Machines from normal users: https://github.com/openshift/console/pull/1166 I believe Operator Management *should* be visible for normal users. That is the same underlying problems as Bug 1663815. The PR that merged fixes the Machines nav section. We will look at operators under Bug 1663815. Machine Sets,Machine Deployments, Machines, Opertor Management pages are invisible for normal users. console commits: e267fcf4e177da5858c5c63d021d4f19f71646b8 cluster version: 4.0.0-0.alpha-2019-02-11-201342 verified this bug. |
Description of problem: For normal user, we should disable these pages which is accessible only for cluster admin users Version-Release number of selected component (if applicable): $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.0.0-0.nightly-2019-01-30-174704 True False 19h Cluster version is 4.0.0-0.nightly-2019-01-30-174704 $ oc get pods openshift-console-5fffb6b94c-dzvl7 -n openshift-console -o yaml | grep -i image image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:15e692baf631d6ea5917e233dd3d44b70ea90bacdd5d82bf619f5f6545065752 $ oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:15e692baf631d6ea5917e233dd3d44b70ea90bacdd5d82bf619f5f6545065752 io.openshift.build.commit.id=af38affc1ff1e86188a19dcd52157c4d76707cdc io.openshift.build.commit.url=https://github.com/openshift/console/commit/af38affc1ff1e86188a19dcd52157c4d76707cdc io.openshift.build.source-location=https://github.com/openshift/console How reproducible: Always Steps to Reproduce: 1. Normal user login to admin console 2. Navigate to these pages Administration -> Machine Sets Administration -> Machine Deployments Administration -> Machines Catalog -> Operator Management Actual results: 2. normal user is not able to these pages and got forbidden error Expected results: 2. We should disable these pages which only cluster admin can access Additional info: