Bug 1671605 - Should disable Machine Sets, Machine Deployments, Machines, Operator Management pages for non cluster admin user
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.1.0
Assignee: Samuel Padgett
QA Contact: shahan
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-02-01 03:25 UTC by Yadan Pei
Modified: 2019-03-12 14:24 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-18 14:03:43 UTC
Target Upstream Version:
Embargoed:



Description Yadan Pei 2019-02-01 03:25:20 UTC
Description of problem:
For normal users, we should disable these pages, which are accessible only to cluster admin users.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-01-30-174704   True        False         19h     Cluster version is 4.0.0-0.nightly-2019-01-30-174704
$ oc get pods openshift-console-5fffb6b94c-dzvl7 -n openshift-console -o yaml | grep -i image
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:15e692baf631d6ea5917e233dd3d44b70ea90bacdd5d82bf619f5f6545065752
$ oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:15e692baf631d6ea5917e233dd3d44b70ea90bacdd5d82bf619f5f6545065752
          io.openshift.build.commit.id=af38affc1ff1e86188a19dcd52157c4d76707cdc
             io.openshift.build.commit.url=https://github.com/openshift/console/commit/af38affc1ff1e86188a19dcd52157c4d76707cdc
             io.openshift.build.source-location=https://github.com/openshift/console

How reproducible:
Always

Steps to Reproduce:
1. Normal user logs in to the admin console
2. Navigate to these pages
Administration -> Machine Sets
Administration -> Machine Deployments
Administration -> Machines
Catalog -> Operator Management


Actual results:
2. Normal user is not able to access these pages and gets a forbidden error


Expected results:
2. We should disable these pages, which only cluster admins can access

Additional info:

Comment 1 Samuel Padgett 2019-02-01 15:06:19 UTC
This is really tricky since machines are namespaced resources. It is difficult to know whether a user can create or view machines in *any* namespace, and we don't have a good way to handle RBAC for namespaced resources today the way the nav works.

We could potentially check if the user can list machines specifically in the `openshift-cluster-api` namespace, although it would be possible to incorrectly hide the nav items in that case.
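
The namespace-scoped check discussed in Comment 1, as an added example that is not part of the bug thread or the console's own code. It builds the `SelfSubjectAccessReview` a client would send and runs it against a constructed in-memory authorizer to show the case where the nav item is hidden incorrectly. The Machine API group name, the role bindings and all function names are assumptions made for illustration.

```javascript
// Assumption: API group for Machine resources; the page does not state it.
const MACHINE_GROUP = 'cluster.k8s.io';

// Body of a SelfSubjectAccessReview asking "can I <verb> <resource> in <namespace>?".
// A real client POSTs this to /apis/authorization.k8s.io/v1/selfsubjectaccessreviews.
function buildAccessReview(verb, resource, namespace) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: { group: MACHINE_GROUP, resource, verb, namespace } },
  };
}

// Constructed stand-in for the API server's authorizer.
// bindings: [{ namespace: '<name>' | '*', resources: [...], verbs: [...] }]
function evaluate(review, bindings) {
  const attrs = review.spec.resourceAttributes;
  const allowed = bindings.some((b) =>
    (b.namespace === '*' || b.namespace === attrs.namespace) &&
    b.resources.includes(attrs.resource) &&
    b.verbs.includes(attrs.verb));
  return { ...review, status: { allowed } };
}

// Heuristic from the comment: show the Machines nav section only when the
// user can list machines in one well-known namespace.
function showMachinesNav(bindings, namespace = 'openshift-cluster-api') {
  const review = buildAccessReview('list', 'machines', namespace);
  return evaluate(review, bindings).status.allowed;
}

// What the heuristic approximates: list access to machines in *any* namespace.
function canListMachinesAnywhere(bindings) {
  return bindings.some((b) => b.resources.includes('machines') && b.verbs.includes('list'));
}

// Constructed sample users.
const USERS = {
  clusterAdmin: [{ namespace: '*', resources: ['machines', 'machinesets'], verbs: ['list', 'create'] }],
  normal: [{ namespace: 'my-project', resources: ['pods'], verbs: ['list'] }],
  // Granted machines only in another namespace: the nav would be hidden incorrectly.
  teamAdmin: [{ namespace: 'team-infra', resources: ['machines'], verbs: ['list'] }],
};

for (const [name, bindings] of Object.entries(USERS)) {
  console.log(name, { nav: showMachinesNav(bindings), anywhere: canListMachinesAnywhere(bindings) });
}
```

Hiding the nav item only changes what the console displays; the API server still returns the forbidden error from the report for any request the user is not authorized to make.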

Comment 3 Samuel Padgett 2019-02-05 14:41:16 UTC
The following PR hides Machines from normal users:

https://github.com/openshift/console/pull/1166

I believe Operator Management *should* be visible for normal users. That is the same underlying problem as Bug 1663815.

Comment 4 Samuel Padgett 2019-02-08 18:23:51 UTC
The PR that merged fixes the Machines nav section. We will look at operators under Bug 1663815.

Comment 5 shahan 2019-02-12 06:43:56 UTC
Machine Sets, Machine Deployments, Machines, Operator Management pages are invisible for normal users.
console commits: e267fcf4e177da5858c5c63d021d4f19f71646b8
cluster version: 4.0.0-0.alpha-2019-02-11-201342
verified this bug.

