Description of problem:
Ordinary users can't create a VM or VMT with the Wizard from the web console. The "Create Virtual Machine" or "Create Virtual Machine Template" page didn't show. Ordinary users can create a VM or VMT via the CLI.

Version-Release number of selected component (if applicable):
Bare Metal hco-bundle-registry:v2.0.0-29

How reproducible:
100%

Steps to Reproduce:
1. Create an ordinary user with this script: https://raw.githubusercontent.com/cucushift/IDP/master/htpasswd.sh
2. Log in to the web console as the ordinary user.
3. Create Virtual Machines with the Wizard.
4. Create Virtual Machines from YAML.
5. Create Virtual Machine Templates with the Wizard.
6. Switch to kubeadmin and repeat steps 3 and 5.

Actual results:
3. My Chrome was not responding. The "Create Virtual Machine" page didn't show.
4. Normal.
5. My Chrome was not responding. The "Create Virtual Machine Template" page didn't show.
6. Normal.

Expected results:
Ordinary users can create a VM and a VM Template with the Wizard from the web console.

Additional info:
[root@dell-r730-028 ~]# oc whoami
pm3
[root@dell-r730-028 ~]# oc auth can-i create vm
yes
[root@dell-r730-028 ~]# oc auth can-i start vm
no
[root@dell-r730-028 ~]# oc auth can-i restart vm
no
[root@dell-r730-028 ~]# oc auth can-i stop vm
no
[root@dell-r730-028 ~]# oc auth can-i delete vm
yes
@Qixuan, what ClusterRoles did you assign to the user? Edit or View?

Reference: https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles
@Tomas,
There is a difference between our test case and the document: our case says a user without the admin role could not "interact with 'Create Virtual Machine' button, search field and others", while the document says a user with the edit role should be able to create a VM from the wizard. I think we need to review the policy for the UI.

Could you please clarify the permissions for the different roles on the UI? QE might need to update the test case and re-test it.

https://polarion.engineering.redhat.com/polarion/#/project/CNV/workitem?id=CNV-1718
https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles
(In reply to Guohua Ouyang from comment #2)
> @Tomas,
> There is a difference between our test case and the document, our case says
> user without admin role could not "interact with 'Create Virtual Machine'
> button, search field and others", the document says user with edit role
> should be able to create vm from the wizard. I think we need to review the
> policy for UI.
>
> Could you please clarify the permission for different roles on UI and QE
> might need to update the test case and re-test it.
>
> https://polarion.engineering.redhat.com/polarion/#/project/CNV/workitem?id=CNV-1718
> https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles

It's based on its ClusterRoleBinding or RoleBinding. If it's a RoleBinding, the user's access permission is limited to the namespace. If it's a ClusterRoleBinding, the user receives the permissions granted by the role across all namespaces.
(In reply to Guohua Ouyang from comment #2)
> @Tomas,
> There is a difference between our test case and the document, our case says
> user without admin role could not "interact with 'Create Virtual Machine'
> button, search field and others", the document says user with edit role
> should be able to create vm from the wizard. I think we need to review the
> policy for UI.

They actually match. In the test case you have:

1: Navigate to VM in default namespace -> User should not be able to interact with 'Create Virtual Machine' button, search field and others.
2: Navigate to projects and create new namespace -> ... -> User should be able to create a new Virtual Machine (either using wizard or yaml)

e.g. you need to have the edit role on the namespace in which you want to create a VM.

>
> Could you please clarify the permission for different roles on UI and QE
> might need to update the test case and re-test it.
>
> https://polarion.engineering.redhat.com/polarion/#/project/CNV/workitem?id=CNV-1718
> https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles
https://github.com/kubevirt/web-ui/pull/409
The problem was that we were expecting list privileges on VMs in all namespaces.

Not relevant to this bug, other observations: I tried your script and it also seems that you are missing roles for listing
- virtualmachineinstancemigrations (impacts status in the VM list).
- network-attachment-definitions (impacts NAD selection in the VM dialog / NICs).
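An added example, not part of this bug report or the kubevirt/web-ui project: a small audit script an admin can run to see whether a given user holds the rights the web console's VM list and wizard rely on. It checks the verb/resource pairs named in this thread (create/list virtualmachines, list virtualmachineinstancemigrations, list network-attachment-definitions) both in the target namespace and with --all-namespaces, which is the distinction behind the fix above; the user name and project name are placeholders you pass as arguments.

```shell
#!/bin/sh
# Audit the RBAC a normal user needs for the CNV web console wizard.
# Uses "oc auth can-i --as <user>" (impersonation) so a cluster admin can
# run it for any user without that user's credentials.

# verb:resource pairs the VM list and wizard need (taken from this thread)
UI_CHECKS="create:virtualmachines
list:virtualmachines
list:virtualmachineinstancemigrations
list:network-attachment-definitions"

# can_i USER NAMESPACE VERB RESOURCE -> prints "yes" or "no".
# An empty NAMESPACE means the cluster-wide (--all-namespaces) check.
# oc exits non-zero on "no", so the failure status is swallowed on purpose.
can_i() {
  if [ -n "$2" ]; then
    oc auth can-i "$3" "$4" --as "$1" -n "$2" 2>/dev/null || true
  else
    oc auth can-i "$3" "$4" --as "$1" --all-namespaces 2>/dev/null || true
  fi
}

# audit_ui_rbac USER NAMESPACE -> one report line per check.
# Returns 0 only when every check is "yes" inside the namespace; the
# cluster-wide answer is reported for comparison but not required, since
# a RoleBinding in the project is all the UI should need after the fix.
audit_ui_rbac() {
  user=$1; ns=$2; missing=0
  for pair in $UI_CHECKS; do
    verb=${pair%%:*}; res=${pair#*:}
    ns_ans=$(can_i "$user" "$ns" "$verb" "$res")
    all_ans=$(can_i "$user" "" "$verb" "$res")
    printf '%-6s %-38s namespace=%s all-namespaces=%s\n' \
      "$verb" "$res" "${ns_ans:-no}" "${all_ans:-no}"
    [ "$ns_ans" = yes ] || missing=$((missing + 1))
  done
  [ "$missing" -eq 0 ]
}

# Stand-alone usage: sh audit.sh pm3 myproject  (placeholder user and project)
if [ "$#" -ge 2 ]; then
  audit_ui_rbac "$1" "$2"
fi
```

A non-zero exit means at least one namespace-scoped right is missing; a row showing namespace=yes with all-namespaces=no is the expected shape for a user bound via a RoleBinding in their own project.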
(In reply to Guohua Ouyang from comment #1)
> @Qixuan, what clusterRoles did you assign to the user? Edit or View?
>
> reference:
> https://kubevirt.io/user-guide/docs/latest/administration/authorization.html#kubevirt-default-rbac-clusterroles

For OpenShift, if a namespace is created by a normal user with `oc new-project xxx`, then that normal user will be in the admin RoleBindings of the namespace. It's implemented by the projectrequest resource.
Verified the flow given in the description.

kubevirt-web-ui-container-v2.0.0-14.8
HCO v2.0.0-33