Created attachment 1606368 [details]
error_nonadmin

Description of problem:
Create a non-admin user, log in with that user and create a project. Then try to use the VM wizard: it pops up an error at the top of the browser and prevents the user from using the wizard. However, since the project was created by the non-admin user, that user should be able to use the wizard.

"virtualmachines.kubevirt.io is forbidden: User "test" cannot list resource "virtualmachines" in API group "kubevirt.io" at the cluster scope"

Version-Release number of selected component (if applicable):
hco-bundle-registry:v2.1.0-13
OpenShift Version 4.2.0-0.nightly-2019-08-15-073735

How reproducible:
100%

Steps to Reproduce:
1. create a non-admin user
2. log in with the user
3. create a project
4. go to Workloads -> Virtual Machines
5. click "Create"

Actual results:
non-admin cannot use the VM wizard in its own project

Expected results:
non-admin should be able to use the VM wizard in its own project

Additional info:
Steps to create a non-admin user:

TESTHTPASSWD="./test.htpasswd"
htpasswd -c -B -b ${TESTHTPASSWD} test test
oc create secret generic test-htpass-secret --from-file=htpasswd=${TESTHTPASSWD} -n openshift-config
cat <<EOF | kubectl create -f -
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: test
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: test-htpass-secret
EOF
"virtualmachines.kubevirt.io is forbidden: User "test" cannot list resource "virtualmachines" in API group "kubevirt.io" at the cluster scope". The message is not correct as well, it's at the user's own project, not at the cluster scope.
"Create pod" is fine, so it's kubevirt-web-ui's own issue.
For OCP objects like pods and deployments: if the user just has 'view' permission, the 'Create Pod' button is not shown at all. If the user has 'edit' permission, the 'Create Pod' button is there to use.
Now the error is 'network-attachment-definitions.k8s.cni.cncf.io is forbidden: User "test" cannot list resource "network-attachment-definitions" in API group "k8s.cni.cncf.io" in the namespace "test"'. Is it an environment issue or just another error that needs to be fixed?

4.2.0-0.nightly-2019-09-04-142146
HCO 2.1.0-29
Environment issue; list/watch rights are required for the resource mentioned in the namespace test.
It's the same error when running the same command from the command line:

$ oc whoami
test
$ oc get network-attachment-definitions
Error from server (Forbidden): network-attachment-definitions.k8s.cni.cncf.io is forbidden: User "test" cannot list resource "network-attachment-definitions" in API group "k8s.cni.cncf.io" in the namespace "testv"

The question is: should the non-admin have permission to list the resource "network-attachment-definitions"? If the answer is yes, then it's a virt bug. If it's no, then the UI should not try to list such a resource.
IMO they should have the permission to list network-attachment-definitions in their namespace, because they are needed for vm network interfaces
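The thread above turns on reading the API server's Forbidden message correctly: the scope clause tells you whether the client asked for a namespaced list (comment 5) or a cluster-wide one (the original VM error, which comment 2 points out is misleading for a per-project wizard), and only the former can be fixed with a namespaced grant. The following is an added example, not code from this bug or from kubevirt-web-ui: it parses both message shapes, and for a read-only, namespaced denial emits the narrowest Role plus RoleBinding an admin could apply as a stop-gap (the role name `nad-reader` and the JSON-to-`oc apply` workflow are assumptions). Cluster-scope and write denials are deliberately reported rather than auto-granted.

```python
import json
import re
import sys
from typing import Optional

READ_VERBS = {"get", "list", "watch"}

# Pattern for the API server's RBAC denial text quoted throughout this bug.
# The trailing scope clause is either `in the namespace "<ns>"` or
# `at the cluster scope`; the latter means the request itself was cluster-wide.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)


def parse_forbidden(message: str) -> Optional[dict]:
    """Extract user, verb, resource, group and namespace from a Forbidden message.
    namespace is None for a cluster-scope denial; returns None if no match."""
    m = FORBIDDEN_RE.search(message)
    return m.groupdict() if m else None


def remediation(message: str, role_name: str = "nad-reader") -> dict:
    """Map a denial to a least-privilege action.

    Only read-only, namespaced denials get a generated Role + RoleBinding
    limited to that one resource and group in that one namespace. Cluster-scope
    denials are flagged so the request gets scoped (the UI problem in comment 2)
    instead of handing out a ClusterRole, and write verbs are left for review.
    """
    d = parse_forbidden(message)
    if d is None:
        return {"action": "unrecognized", "detail": "not an RBAC Forbidden message",
                "manifests": []}
    if d["namespace"] is None:
        return {"action": "scope-request",
                "detail": (f'{d["user"]} was denied {d["verb"]} on {d["resource"]} '
                           f'cluster-wide; namespace the request before widening RBAC'),
                "manifests": []}
    if d["verb"] not in READ_VERBS:
        return {"action": "review-write",
                "detail": f'write verb {d["verb"]} is not auto-granted',
                "manifests": []}
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": d["namespace"]},
        "rules": [{"apiGroups": [d["group"]], "resources": [d["resource"]],
                   "verbs": sorted(READ_VERBS)}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f'{role_name}-{d["user"]}', "namespace": d["namespace"]},
        "subjects": [{"kind": "User", "name": d["user"],
                      "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "Role", "name": role_name,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }
    return {"action": "grant-read", "detail": "read-only namespaced grant",
            "manifests": [role, binding]}


# Constructed sample input: the two denial messages quoted in this bug.
NAD_DENIAL = ('Error from server (Forbidden): network-attachment-definitions.k8s.cni.cncf.io '
              'is forbidden: User "test" cannot list resource "network-attachment-definitions" '
              'in API group "k8s.cni.cncf.io" in the namespace "test"')
VM_DENIAL = ('virtualmachines.kubevirt.io is forbidden: User "test" cannot list resource '
             '"virtualmachines" in API group "kubevirt.io" at the cluster scope')

if __name__ == "__main__":
    items = []
    for msg in (NAD_DENIAL, VM_DENIAL):
        result = remediation(msg)
        print(f'{result["action"]}: {result["detail"]}', file=sys.stderr)
        items.extend(result["manifests"])
    # A v1 List on stdout so the output can be piped straight into `oc apply -f -`.
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2))
```

Before and after applying the generated grant, the permission can be checked without the UI: `oc auth can-i list network-attachment-definitions -n test --as test` answers yes or no for exactly the tuple the error message named. Note that the real fix tracked in this bug lands in OCP's default roles (bug 1721444); the per-namespace Role here is the interim an admin can hand out without touching cluster-wide policy.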
It makes sense; moving the bug to cnv -> virt and setting it to urgent as it affects the UI.
Dan, is this a network op permission issue?
I believe that the remaining problem here is bug 1721444, which is no longer targeted to OCP-4.2, unfortunately. Filip, can you work around this in the UI, e.g. by allowing the end user to type in the network-attachment-definition name in case she cannot list any?
> can you work around this in the UI, e.g by allowing the end user to
> type in the network-attachment-definition name in case she cannot list any?

Unfortunately it is too late for this now. It is an actual change in the design of the screen (i.e. not just a bugfix), and 2 days before the final freeze of the repo it is not possible to get such a change in.
@Tomas, do you think this is a release blocker? Because the non-admin user cannot use the wizard at all.
@Federico, this is not fixable in one day. Our only hope is to convince OCP to fix underlying bug. This bug is horrible for our GUI, but I'm not sure it is a HTB blocker. @Tomas, is there a similar bug affecting Pod-related GUI? Having one may convince OCP to fix the underlying bug 1721444 in OCP-4.2.0.
@Dan the fix is not in something we ship in the CNV errata so this is not holding our release (AFAIK)? Do you want to reassign to the UI team so it's more evident?
moving back to UX for tracking or a workaround
(In reply to Dan Kenigsberg from comment #15)
> @Federico, this is not fixable in one day. Our only hope is to convince OCP
> to fix underlying bug. This bug is horrible for our GUI, but I'm not sure it
> is a HTB blocker.
>
> @Tomas, is there a similar bug affecting Pod-related GUI?

Nope, they don't use this for pods.
In CNV 2.3 the problem is no longer that you cannot open the wizard, only that if you do not have access to the NADs you will not be able to list them, meaning you will not be able to create a secondary NIC. That is expected behavior; we would not block OCP on it. Lowering priority.
no need to track it separately, marking it as duplicate. *** This bug has been marked as a duplicate of bug 1721444 ***