1721016 – User with edit permission cannot list resource virtualmachineinstancemigrations

Bug 1721016 - User with edit permission cannot list resource virtualmachineinstancemigrations

Summary: User with edit permission cannot list resource virtualmachineinstancemigrations

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Container Native Virtualization (CNV)
Classification:	Red Hat
Component:	Virtualization
Sub Component:
Version:	2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	2.0
Assignee:	Marc Sluiter
QA Contact:	zhe peng
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-06-17 07:08 UTC by Guohua Ouyang
Modified:	2019-10-22 12:33 UTC (History)
CC List:	8 users (show)
Fixed In Version:	hco-bundle-registry-container-v2.0.0-32 virt-operator-container-v2.0.0-37
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-10-22 12:33:55 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Guohua Ouyang 2019-06-17 07:08:11 UTC

Description of problem:
login with a user withous admin permission.

$ oc get virtualmachineinstancemigrations
No resources found.
Error from server (Forbidden): virtualmachineinstancemigrations.kubevirt.io is forbidden: User "ghua" cannot list resource "virtualmachineinstancemigrations" in API group "kubevirt.io" in the namespace "default"

The error is also visible on UI when browsing project status.

Version-Release number of selected component (if applicable):
hco-26

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
The issue is very similar with https://bugzilla.redhat.com/show_bug.cgi?id=1720433.

Comment 1 Fabian Deutsch 2019-06-17 09:44:05 UTC

Marc, could this bug be similar to bug 1720433?

Comment 2 Marc Sluiter 2019-06-17 12:07:02 UTC

yes it is, incomplete RBAC rules for the new virtualmachineinstancemigration resource on the view/edit/admin cluster roles, will add them to the upstream PR https://github.com/kubevirt/kubevirt/pull/2391

Comment 3 Marc Sluiter 2019-06-19 16:35:35 UTC

upstream backport PR is merged: https://github.com/kubevirt/kubevirt/pull/2394

Comment 5 zhe peng 2019-07-04 07:20:31 UTC

verify with build hco-bundle-registry:v2.0.0-36

NAME                 UID                                    FULL NAME   IDENTITIES       
pm1                  0c9dd68e-9e23-11e9-b522-0a580a810033               htpassidp:pm1
pm2                  71c2fcfd-9e22-11e9-b522-0a580a810033               htpassidp:pm2

login as normal user
$oc whoami
pm2

$oc get virtualmachineinstancemigrations
NAME                        AGE
kubevirt-evacuation-fvcnr   12h
kubevirt-evacuation-s7757   13h

login webui with user pm2
no error when access project status

move to verified.

Note You need to log in before you can comment on or make changes to this bug.