+++ This bug was initially created as a clone of Bug #1728523 +++ Description of problem: Create a non-admin user, login with the non-admin user and try to access the vm page in a project like 'default'(change the ns in the URL), it can open the vm wizard and yaml dialog. The expectation is user should not be able to open the wizard and yaml in other namespace. If it's the yaml dialog, the default namespace is 'default', create vm from the yaml will pop up a forbidden error meessage. If it's the wizard dialog, it can only choose these namespace are available to the current user, continue with the wizard, it can create the vm successfully. Since user cannot navigate the project which is not available to him, user almost can't hit this issue. Version-Release number of selected component (if applicable): HCO-36 kubevirt-web-ui:v2.0.0-14.8 kubevirt:v0.17.4 How reproducible: 100% Steps to Reproduce: 1. create a non-admin user 2. login the non-admin user on ui 3. change the url to "https://kubevirt-web-ui.apps.working.oc4/k8s/ns/default/virtualmachines" 4. try to open vm wizard Actual results: The wizard is opened Expected results: Non admin user should not be able to use vm dialog in other namespace. Additional info: --- Additional comment from Nelly Credi on 2019-07-16 20:37:36 CST --- I wonder if its not an OCP issue. can we try it with other OCP objects? (pods) --- Additional comment from Guohua Ouyang on 2019-07-16 22:45:12 CST --- ya, it's the same behaviour on OCP objects, so this is not be a bug or let move it to OCP? --- Additional comment from Tomas Jelinek on 2019-07-16 23:13:14 CST --- please move it to OCP and add reproduction steps for a non-cnv specific object. --- Additional comment from Guohua Ouyang on 2019-07-17 10:55:25 CST --- Move this to OCP, consoleVersion":"v4.1.4-201906271212". Reproduce steps: 1. Create a non-admin user and login the web console with this user. 2. Change the NS which the non-admin user doesn't own it, like 'default' in the URL. 3. There is error 'pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"' shows in the page. 4. Click button 'Create Pod', the dialog is opened. My expectation on step 4 is the non-admin should not be able to use the the button "Create Pod" and the opened dialog. --- Additional comment from Samuel Padgett on 2019-07-19 18:46:02 CST --- This been addressed in 4.2 by https://github.com/openshift/console/pull/1559 --- Additional comment from errata-xmlrpc on 2019-07-19 19:39:34 CST --- Bug report changed to ON_QA status by Errata System. A QE request has been submitted for advisory RHBA-2019:43533-01 https://errata.devel.redhat.com/advisory/43533 --- Additional comment from Yadan Pei on 2019-07-23 18:10:02 CST --- When a non-admin user views workloads page of other projects via URL such as /k8s/ns/default/pods An empty page will be returned and you can see `403 (Forbidden)` in F12 dev tools Does it meet your requirement? --- Additional comment from Samuel Padgett on 2019-07-23 19:51:10 CST --- When you say empty page, do you mean totally blank or is there a message? The page should not be totally blank. --- Additional comment from Guohua Ouyang on 2019-07-23 20:19:47 CST --- I don't have an environment to verify this, could you capture a screenshot for it? --- Additional comment from Yadan Pei on 2019-07-24 09:40:20 CST --- --- Additional comment from Yadan Pei on 2019-07-24 09:42:00 CST --- --- Additional comment from Yadan Pei on 2019-07-24 09:45:39 CST --- I attached two screenshots NormalUserViewDefaultPods: When user has a project and view pods in default namespace NormalUserWithoutProjectsViewDefaultPods: A totally fresh new user view pods in default namespace I think we should return 403 Forbidden error page instead of a blank page --- Additional comment from Samuel Padgett on 2019-07-28 01:39:10 CST --- Yadan, can you open a second bug for the issue you're seeing? It's a different problem than the original bug and specific to 4.2. The original RBAC issue with create buttons has been fixed, so we should make sure that's tracked separately and appears in the errata. Based on my testing, there was a regression during 4.2 development where the pods page is not properly updating when switching projects and receiving the 403 response from the server. The Redux ID with the new project name is not properly getting passed down from Firehose to the Table component. Also, can you provide exact steps for how you tested this? How you got to the pods page could matter (typing in the URL or navigating to it through the UI). --- Additional comment from Guohua Ouyang on 2019-07-29 09:38:54 CST --- There is no screenshot about the 'edit' permission, I assume if a user has 'edit' permission, the button 'create pods' is available. I don't mind to move this bug to 'veified' since the UI objects aren't available to a user who don't have permission to use it. --- Additional comment from Yadan Pei on 2019-07-29 10:33:18 CST --- (In reply to Samuel Padgett from comment #13) > Yadan, can you open a second bug for the issue you're seeing? It's a > different problem than the original bug and specific to 4.2. The original > RBAC issue with create buttons has been fixed, so we should make sure that's > tracked separately and appears in the errata. ok, I will > > Based on my testing, there was a regression during 4.2 development where the > pods page is not properly updating when switching projects and receiving the > 403 response from the server. The Redux ID with the new project name is not > properly getting passed down from Firehose to the Table component. > > Also, can you provide exact steps for how you tested this? How you got to > the pods page could matter (typing in the URL or navigating to it through > the UI). Sure, I will Moving this bug to VERIFIED since the origin RBAC issue has been fixed: When a non-admin user views workloads page of other projects via URL such as /k8s/ns/default/pods, an empty page will be returned No Create buttons
Reopen this bug to kubevirt console. The "Create" button is still available to non-admin on vm wizard page, but not vm template page and other OCP pages. Console: OpenShift Version 4.2.0-0.nightly-2019-10-08-232417
since the user can hardly hit this issue, certainly not a zstream material. Targeting next release.
PR: https://github.com/openshift/console/pull/3353
It has different behaviors on VM and VM Templates page. - On VM page, the "Create with wizard" button is not showing anymore, just like the looks on Pods page. - On VM template page, it shows an error like below. templates.template.openshift.io is forbidden: User "test" cannot list resource "templates" in API group "template.openshift.io" in the namespace "default". Not sure which one is correct, I think we need to remove the error showing on the VM template page.
I'm getting the same behaviour for Pods, VM, and VM Templates page Screenshots - https://drive.google.com/file/d/1QxCx4vo5PZKsRkdjZsenmDQ1AaZFycx9/view?usp=sharing https://drive.google.com/file/d/1Uz-a5KFn39aKL5njX2DZ-38C4NNbxRKK/view?usp=sharing https://drive.google.com/file/d/1yAr-bkEFQl1dR-lM-yos7lPUpIFU4qrP/view?usp=sharing Can you provide more info @Guohua
The version I used is 4.3.0-0.nightly-2019-11-21-122827, do you think is it a good one?
Move the bug to be verified as normal user cannot use VM wizard any more regardless the different results on VM and VM Templates page.
must not be private?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062