Bug 1732087 - The button on the OpenShift console for editing the configmap gets disabled after removing the resourceNames
Summary: The button on the OpenShift console for editing the configmap gets disabled a...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.2.0
Assignee: Samuel Padgett
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-22 16:45 UTC by Saurabh Sadhale
Modified: 2019-10-16 06:30 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, the web console did not handle access control checks for resources when permission was given for a specific resource by name rather than all resources by type. This meant that the resource would be read-only in the UI, and you would have to edit the resource using the oc command. This has been addressed in 4.2. The web console now more accurately handles permissions, performing self-subject access reviews on individual resources.
Clone Of:
Environment:
Last Closed: 2019-10-16 06:30:16 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2922 None None None 2019-10-16 06:30:35 UTC

Comment 1 Samuel Padgett 2019-07-23 12:00:36 UTC
This is a limitation of how we performed RBAC checks in 3.11. It has been addressed in OpenShift 4.2 where we have switched to SelfSubjectAccessReview requests for more precise checks.

https://github.com/openshift/console/pull/1559

Comment 4 Yanping Zhang 2019-07-24 08:37:06 UTC
4.2.0-0.nightly-2019-07-24-000310
console image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f58dc76257ca8c4abf49c18cc982a529a0edbb797e921a4a7a02ad6909ac1112

Tried the scenario in comment 1 on ocp 4.2 env with above version with step:
1. Create the both the roles as mentioned in comment 1. 
2. Grant both the role to the user to view namespaces/projects and edit configmaps
3. Try logging in to the console and then try editing the configmap. Now the "Save" button on edit yaml page is enabled. Update content in the configmap, then click "Save", it succeeds.

Comment 7 errata-xmlrpc 2019-10-16 06:30:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922


Note You need to log in before you can comment on or make changes to this bug.