Bug 1775672 - User with lack of permissions to create Operator subscription can see the Create button - No UI Feedback
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.4.0
Assignee: Samuel Padgett
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1775752
Reported: 2019-11-22 14:42 UTC by Andrew Ballantyne
Modified: 2020-05-04 11:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, no error message was displayed when subscribing to an operator failed in the web console. A detailed error message is now displayed.
Clone Of:
: 1775752 (view as bug list)
Environment:
Version: 4.3.0-0.ci-2019-11-21-103638 Cluster ID: 88de250b-5ad7-4383-80bb-18e18dbaf8c2 Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Last Closed: 2020-05-04 11:16:20 UTC
Target Upstream Version:


Attachments
No UI Error Visible (123.25 KB, image/png)
2019-11-22 14:42 UTC, Andrew Ballantyne
Console Error (40.48 KB, image/png)
2019-11-22 14:42 UTC, Andrew Ballantyne


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 3544 0 'None' closed Bug 1775672: Show errors when creating an operator subscription 2020-05-01 12:39:00 UTC
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-04 11:16:54 UTC

Description Andrew Ballantyne 2019-11-22 14:42:15 UTC
Created attachment 1638766 [details]
No UI Error Visible

Description of problem:
When using a non-kubeadmin user, there was a need to have the Pipelines Operator installed. Navigating to the OperatorHub and finding the Operator was not an issue. However, when attempting to subscribe, I hit a 403 Forbidden error but nothing was rendered in the UI.

Version-Release number of selected component (if applicable): 4.3.0-0.ci-2019-11-21-103638


How reproducible: 100%


Steps to Reproduce:
1. Log in as a user who lacks permission to create an Operator subscription but has view access (see additional info for the script I used to create the user)
2. Navigate to the OperatorHub
3. Search for OpenShift Pipelines Operator
4. Click on the card and hit the Install button
5. Once the "Create Operator Subscription" page loads click the Subscribe button

Actual results:
Nothing happens, error in the console (attached)


Expected results:
Not to be able to get this far into the Operator Hub or to at least see an error in the UI that informs me I don't need to try to click the button again.


Additional info:
Script used to create the user is found here: https://github.com/redhat-developer/devconsole-operator/blob/master/hack/install_devconsole/create_user.sh

Comment 1 Andrew Ballantyne 2019-11-22 14:42:57 UTC
Created attachment 1638767 [details]
Console Error

Comment 2 Samuel Padgett 2019-11-22 17:25:09 UTC
Making this high severity since we're suppressing any error creating the subscription.

Comment 3 Samuel Padgett 2019-11-22 17:37:31 UTC
To reproduce this problem, assign a user the cluster-reader role. They'll be able to see the OperatorHub UI, but creating subscriptions will silently fail.

Comment 4 Samuel Padgett 2019-11-22 20:46:18 UTC
> Expected results:
> Not to be able to get this far into the Operator Hub or to at least see an
> error in the UI that informs me I don't need to try to click the button
> again.

Unfortunately, there's no good check we can make before the user gets to this page. You pick the namespace inside this form, and you can have different permissions for different namespaces. We might be able to show a message for the selected namespace before submit, however.

Regardless, we need to handle other creation errors.
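
The per-namespace check and the error surfacing discussed in the comment above, as an added example that is not part of the bug thread and is not openshift/console code. The function names, the `api` transport object and the `readerApi` sample are hypothetical; the API paths and object kinds are the standard Kubernetes ones.

```javascript
// Added example, not openshift/console code. API paths and object shapes are
// Kubernetes'; the function names and the `api` transport are hypothetical.
const SAR_PATH = '/apis/authorization.k8s.io/v1/selfsubjectaccessreviews';
const subsPath = (ns) =>
  `/apis/operators.coreos.com/v1alpha1/namespaces/${encodeURIComponent(ns)}/subscriptions`;

// SelfSubjectAccessReview body: "may I create subscriptions in this namespace?"
function buildAccessReview(namespace) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: {
      group: 'operators.coreos.com', resource: 'subscriptions', verb: 'create', namespace } },
  };
}

// Fail closed: only an explicit status.allowed === true counts as permission.
const isAllowed = (review) => Boolean(review && review.status && review.status.allowed === true);

// Prefer the API server's Status message; never return an empty string.
function errorMessageFrom(httpStatus, body) {
  const msg = body && body.kind === 'Status' ? body.message : '';
  return typeof msg === 'string' && msg ? msg : `Request failed with HTTP ${httpStatus}`;
}

// Advisory check to run when the namespace selection changes.
async function precheckWarning(namespace, api) {
  const res = await api.post(SAR_PATH, buildAccessReview(namespace));
  return res.status < 300 && isAllowed(res.body)
    ? null : `Permission to create subscriptions in "${namespace}" was not confirmed.`;
}

// The create call is authoritative; its failure is returned, not swallowed.
async function submitSubscription(namespace, subscription, api) {
  const res = await api.post(subsPath(namespace), subscription);
  return res.status >= 200 && res.status < 300
    ? { ok: true, error: null }
    : { ok: false, error: errorMessageFrom(res.status, res.body) };
}

// Constructed transport standing in for a cluster-reader session.
const readerApi = { post: async (path) => path === SAR_PATH
  ? { status: 201, body: { status: { allowed: false } } }
  : { status: 403, body: { kind: 'Status', reason: 'Forbidden', code: 403,
      message: 'subscriptions.operators.coreos.com is forbidden (constructed sample)' } } };
```

The pre-check only drives a hint in the form; the API server's response to the create request remains the authorization decision, so the 403 path has to be rendered either way.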

Comment 5 Andrew Ballantyne 2019-11-22 20:49:53 UTC
That's understandable... the error does display a 403 Forbidden, so at least that would inform me that I don't have access to this action (subscribe to the operator).

Perhaps nothing has to happen prior to that as you may not know if the user has permissions to everything that is happening.

Comment 7 Yadan Pei 2019-11-26 06:45:49 UTC
1. Assign testuser-0 as cluster-reader
$ oc adm policy add-cluster-role-to-user cluster-reader testuser-0
Warning: User 'testuser-0' not found
clusterrole.rbac.authorization.k8s.io/cluster-reader added: "testuser-0"

2. Log in to the console as testuser-0, Operators -> Operator Hub -> OpenShift Pipeline Operator -> Install -> click the Subscribe button. An error message is shown on the page instead of failing silently

An error occurred
subscriptions.operators.coreos.com is forbidden: User "testuser-0" cannot create resource "subscriptions" in API group "operators.coreos.com" in the namespace "openshift-operators"

Verified on 4.4.0-0.nightly-2019-11-25-183933

Comment 9 errata-xmlrpc 2020-05-04 11:16:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

