1732087 – The button on the OpenShift console for editing the configmap gets disabled after removing the resourceNames

Bug 1732087 - The button on the OpenShift console for editing the configmap gets disabled after removing the resourceNames

Summary: The button on the OpenShift console for editing the configmap gets disabled a...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Management Console
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	4.2.0
Assignee:	Samuel Padgett
QA Contact:	Yadan Pei
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-22 16:45 UTC by Saurabh Sadhale
Modified:	2019-10-16 06:30 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	Previously, the web console did not handle access control checks for resources when permission was given for a specific resource by name rather than all resources by type. This meant that the resource would be read-only in the UI, and you would have to edit the resource using the oc command. This has been addressed in 4.2. The web console now more accurately handles permissions, performing self-subject access reviews on individual resources.
Clone Of:
Environment:
Last Closed:	2019-10-16 06:30:16 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:2922	0	None	None	None	2019-10-16 06:30:35 UTC

Comment 1 Samuel Padgett 2019-07-23 12:00:36 UTC

This is a limitation of how we performed RBAC checks in 3.11. It has been addressed in OpenShift 4.2 where we have switched to SelfSubjectAccessReview requests for more precise checks.

https://github.com/openshift/console/pull/1559

Comment 4 Yanping Zhang 2019-07-24 08:37:06 UTC

4.2.0-0.nightly-2019-07-24-000310
console image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f58dc76257ca8c4abf49c18cc982a529a0edbb797e921a4a7a02ad6909ac1112

Tried the scenario in comment 1 on ocp 4.2 env with above version with step:
1. Create the both the roles as mentioned in comment 1. 
2. Grant both the role to the user to view namespaces/projects and edit configmaps
3. Try logging in to the console and then try editing the configmap. Now the "Save" button on edit yaml page is enabled. Update content in the configmap, then click "Save", it succeeds.

Comment 7 errata-xmlrpc 2019-10-16 06:30:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

Note You need to log in before you can comment on or make changes to this bug.