Bug 1758628 - Console workload show restricted access if knative serverless TP1 operator is installed and logged in as non admin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.2.0
Hardware: All
OS: All
unspecified
high
Target Milestone: ---
Target Release: 4.3.0
Assignee: Jaivardhan Kumar
QA Contact: spathak@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1760044
Reported: 2019-10-04 16:13 UTC by Jaivardhan Kumar
Modified: 2020-05-13 21:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: In Overview, sidebar resources are consumed via extension utils. The first check is whether the knative CRDs are present; the next check is based on the key for knative-specific resources, "configurations". In the current code, the issue was that even if knative resources were not present, the utils returned { configurations: [] }. The non-admin user won't even be able to view workloads under console, as firehose fetches knative-specific resources and this results in a 403.
Consequence: For kubeadmin, in the case of normal deployments, the sidebar identifies configurations and, because the knative operator is installed, treats the deployment as a knative resource, i.e. configurations, revisions, routes. For the non-admin user, it shows a permission issue if the user tries to view workloads in the console.
Fix: With the added check, when no configurations are found the utils return undefined, so no knative-specific resources are added to overviewitems. For fetching resources via firehose, the key "option:true" is added to make them non-required.
Result: Overview sidebar resources work as expected for both normal deployments and knative-specific deployments. A non-admin user can view the workloads.
Clone Of:
: 1760044 (view as bug list)
Environment:
Last Closed: 2020-05-13 21:26:54 UTC
Target Upstream Version:
Embargoed:
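
The two changes described in the Doc Text above, modelled as an added example; this is not the console's own code. All names (`loadAll`, the `optional` flag standing in for the key the Doc Text calls "option:true", `ownerUid`, `buildOverviewItem`) and the sample API state are hypothetical and constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not the console's code.

// Constructed cluster state: the non-admin user may list deployments but
// receives 403 for the knative "configurations" resource.
const fakeApi = {
  deployments: { status: 200, items: [{ name: 'httpd', uid: 'd1' }] },
  configurations: { status: 403, items: [] },
};

// Model of a multi-resource loader: a failed fetch blocks the whole view
// only when the resource is required.
function loadAll(resources, api) {
  const result = { data: {}, loadError: null };
  for (const { prop, optional } of resources) {
    const res = api[prop];
    if (res.status === 200) {
      result.data[prop] = res.items;
    } else if (!optional) {
      result.loadError = `${prop}: HTTP ${res.status}`;
    }
  }
  return result;
}

// Before the fix: the key is always returned, so a caller that tests for
// "configurations" treats every deployment as a knative workload.
function knativeResourcesBefore(deployment, data) {
  const owned = (data.configurations || []).filter((c) => c.ownerUid === deployment.uid);
  return { configurations: owned };
}

// After the fix: undefined when nothing matches, so no knative-specific
// resources are added to the overview item.
function knativeResourcesAfter(deployment, data) {
  const owned = (data.configurations || []).filter((c) => c.ownerUid === deployment.uid);
  return owned.length > 0 ? { configurations: owned } : undefined;
}

// Spreading undefined adds no keys, so the item stays a plain deployment.
function buildOverviewItem(deployment, data, knativeUtil) {
  return { obj: deployment, ...knativeUtil(deployment, data) };
}
```

With `configurations` listed as required, the 403 becomes a load error for the whole workloads view; marked optional, the deployments still load and only the knative data is absent.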


Attachments
Showing restricted access on console workloads (56.86 KB, image/png)
2019-10-04 16:13 UTC, Jaivardhan Kumar


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 2905 0 None closed Bug 1758628: Console workload show restricted access if knative serverless TP1 operator is installed and logged in as n... 2020-04-21 02:01:18 UTC
Red Hat Product Errata RHBA-2020:0062 0 None None None 2020-05-13 21:26:57 UTC

Internal Links: 1760044

Description Jaivardhan Kumar 2019-10-04 16:13:03 UTC
Created attachment 1622598 [details]
Showing restricted access on console workloads

Description of problem:
Non project admin user, i.e. normal httpd user, won't be able to view workloads under console when knative serverless tech preview 1 operator is installed. Sidebar resources list resources as per knative resource. Even though the deployment selected in the workloads view is not a knative workload, the sidebar is showing the resource list for knative resources.

Version-Release number of selected component (if applicable):4.2


How reproducible:
1. Install knative serverless TP1 operator (1.0.0), follow https://docs.openshift.com/container-platform/4.1/serverless/installing-openshift-serverless.html
2. Create a non-admin user, i.e. normal httpd user
3. This can be observed by going to the openshift-console project -> workloads tab


Steps to Reproduce:
1. Create a non admin user i.e normal httpd user
2. This can be observed by going to the openshift-console project -> workloads tab
3. If logged in as "kubeadmin", you can see deployments; then click on the first deployment.

Actual results:
1. Workloads will show restricted access if logged in via non-admin user.
2. Selection of deployments on workloads will show incorrect resources if logged in with kubeadmin 

Expected results:
1. Workloads should list deployments if logged in via non-admin user.
2. Selection of deployments on workloads will show correct resources if logged in with kubeadmin 


Additional info:

Comment 1 W. Trevor King 2019-10-04 20:33:56 UTC
Setting the target release to 4.3.0, since we try to fix things in master first and 4.3 is where master is currently pointing.  Once this gets addressed there it can be cloned back to 4.2.z if that seems appropriate.

Comment 2 spathak@redhat.com 2019-10-09 14:07:51 UTC
I've verified the following scenario:
1. I installed knative tp1 and logged in as a non-admin 
2. I went to the openshift-console project -> workloads tab
3. I was able to see deployments and in the deployments able to see routes also.

Comment 4 Ruchir Garg 2019-10-09 14:40:15 UTC
Reassigning to Sanket Pathak for verification.

Comment 5 Ruchir Garg 2019-10-09 14:57:28 UTC
Reassigning to Jaivardhan Kumar for access to the docs field.

Comment 7 errata-xmlrpc 2020-05-13 21:26:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062

