Created attachment 1638766
No UI Error Visible
Description of problem:
When using a non-kubeadmin user, there was a need to have the Pipelines Operator installed. Navigating to the OperatorHub and finding the Operator was not an issue. However, when attempting to subscribe, I hit a 403 Forbidden error but nothing was rendered in the UI.
Version-Release number of selected component (if applicable): 4.3.0-0.ci-2019-11-21-103638
How reproducible: 100%
Steps to Reproduce:
1. Log in as a user who does not have permission to create an Operator subscription but has view access (see additional info for the script I used to create the user)
2. Navigate to the OperatorHub
3. Search for OpenShift Pipelines Operator
4. Click on the card and hit the Install button
5. Once the "Create Operator Subscription" page loads click the Subscribe button
Actual results:
Nothing happens, error in the console (attached)
Expected results:
Not to be able to get this far into the Operator Hub or to at least see an error in the UI that informs me I don't need to try to click the button again.
Additional info:
Script used to create the user is found here: https://github.com/redhat-developer/devconsole-operator/blob/master/hack/install_devconsole/create_user.sh
Created attachment 1638767
Making this high severity since we're suppressing any error creating the subscription.
To reproduce this problem, assign a user the cluster-reader role. They'll be able to see the OperatorHub UI, but creating subscriptions will silently fail.
> Expected results:
> Not to be able to get this far into the Operator Hub or to at least see an
> error in the UI that informs me I don't need to try to click the button
Unfortunately, there's no good check we can make before the user gets to this page. You pick the namespace inside this form, and you can have different permissions for different namespaces. We might be able to show a message for the selected namespace before submit, however.
Regardless we need to handle other creation errors.
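The two ideas in the comment above (a per-namespace permission message before submit, and never swallowing a creation error), sketched as an added example that is not the console's own code. The function names and the injected `fetchFn` are hypothetical; the request shapes are the standard Kubernetes SelfSubjectAccessReview and OLM Subscription APIs.

```javascript
// Added example; function names are hypothetical. The paths are the standard
// Kubernetes SelfSubjectAccessReview and OLM Subscription endpoints.
const SSAR_PATH = '/apis/authorization.k8s.io/v1/selfsubjectaccessreviews';
const subscriptionsPath = (ns) =>
  `/apis/operators.coreos.com/v1alpha1/namespaces/${encodeURIComponent(ns)}/subscriptions`;

// Body asking the API server: "may I create subscriptions in this namespace?"
function accessReviewFor(namespace) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: {
      group: 'operators.coreos.com', resource: 'subscriptions', verb: 'create', namespace } },
  };
}

// Map any API response to UI state. Every non-2xx response yields an error
// string, so a 403 cannot be dropped silently.
function toUiState(httpStatus, body) {
  if (httpStatus >= 200 && httpStatus < 300) return { ok: true, error: null };
  const message = (body && body.message) || `Request failed with HTTP ${httpStatus}`;
  return { ok: false, error: message };
}

async function postJson(fetchFn, path, payload) {
  const res = await fetchFn(path, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
  const body = await res.json().catch(() => null); // tolerate non-JSON error bodies
  return { status: res.status, body };
}

// Run when the namespace selection changes; drives an inline warning.
async function canSubscribe(fetchFn, namespace) {
  const { status, body } = await postJson(fetchFn, SSAR_PATH, accessReviewFor(namespace));
  const state = toUiState(status, body);
  if (!state.ok) return state; // the review request itself failed: show why
  return body?.status?.allowed
    ? state
    : { ok: false, error: `You cannot create subscriptions in namespace "${namespace}"` };
}

// Run on Subscribe. The pre-check is advisory; the server's answer is authoritative.
async function subscribe(fetchFn, namespace, subscription) {
  const { status, body } = await postJson(fetchFn, subscriptionsPath(namespace), subscription);
  return toUiState(status, body);
}
```

The pre-check only improves the message shown to the user; authorization is still enforced by the API server when the subscription is created.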
That's understandable... the error does display a 403 Forbidden, so at least that would inform me that I don't have access to this action (subscribe to the operator).
Perhaps nothing has to happen prior to that as you may not know if the user has permissions to everything that is happening.
1. Assign testuser-0 as cluster-reader
$ oc adm policy add-cluster-role-to-user cluster-reader testuser-0
Warning: User 'testuser-0' not found
clusterrole.rbac.authorization.k8s.io/cluster-reader added: "testuser-0"
2. Log in to the console as testuser-0, Operators -> Operator Hub -> OpenShift Pipeline Operator -> Install -> click Subscribe button. An error message will show on the page instead of failing silently
An error occurred
subscriptions.operators.coreos.com is forbidden: User "testuser-0" cannot create resource "subscriptions" in API group "operators.coreos.com" in the namespace "openshift-operators"
Verified on 4.4.0-0.nightly-2019-11-25-183933
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.