Bug 1775752 - User with lack of permissions to create Operator subscription can see the Create button - No UI Feedback
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.3.0
Assignee: Samuel Padgett
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On: 1775672
Blocks:
Reported: 2019-11-22 17:27 UTC by Samuel Padgett
Modified: 2020-01-23 11:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1775672
Environment:
Version: 4.3.0-0.ci-2019-11-21-103638 Cluster ID: 88de250b-5ad7-4383-80bb-18e18dbaf8c2 Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Last Closed: 2020-01-23 11:13:48 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift console pull 3553 | 0 | 'None' | closed | Bug 1775752: Show errors when creating an operator subscription | 2020-04-27 09:25:46 UTC
Red Hat Product Errata | RHBA-2020:0062 | 0 | None | None | None | 2020-01-23 11:14:20 UTC

Description Samuel Padgett 2019-11-22 17:27:15 UTC
+++ This bug was initially created as a clone of Bug #1775672 +++

Description of problem:
When using a non-kubeadmin user, there was a need to have the Pipelines Operator installed. Navigating to the OperatorHub and finding the Operator was not an issue. However, when attempting to subscribe, I hit a 403 Forbidden error but nothing was rendered in the UI.

Version-Release number of selected component (if applicable): 4.3.0-0.ci-2019-11-21-103638


How reproducible: 100%


Steps to Reproduce:
1. Log in as a user without permissions to create an Operator subscription but with view access (see additional info for the script I used to create the user)
2. Navigate to the OperatorHub
3. Search for OpenShift Pipelines Operator
4. Click on the card and hit the Install button
5. Once the "Create Operator Subscription" page loads click the Subscribe button

Actual results:
Nothing happens, error in the console (attached)


Expected results:
Not to be able to get this far into the Operator Hub or to at least see an error in the UI that informs me I don't need to try to click the button again.


Additional info:
Script used to create the user is found here: https://github.com/redhat-developer/devconsole-operator/blob/master/hack/install_devconsole/create_user.sh

--- Additional comment from Andrew Ballantyne on 2019-11-22 14:42:57 UTC ---



--- Additional comment from Samuel Padgett on 2019-11-22 17:25:09 UTC ---

Making this high severity since we're suppressing any error creating the subscription.

Comment 2 Yadan Pei 2019-11-27 03:08:16 UTC
1. Grant user cluster-reader role
$ oc adm policy add-cluster-role-to-user cluster-reader yapei1 
clusterrole.rbac.authorization.k8s.io/cluster-reader added: "yapei1"

2. Try to subscribe to an operator via Operators -> Operator Hub -> Install -> Subscribe; an error message will be shown on the page:
An error occurred
subscriptions.operators.coreos.com is forbidden: User "yapei1" cannot create resource "subscriptions" in API group "operators.coreos.com" in the namespace "openshift-operators"


Verified on 4.3.0-0.nightly-2019-11-26-171052
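
The two behaviours this report asks for (not offering the action to a user who cannot create Subscriptions, and always showing the API error when the create is rejected), sketched as an added example. This is not code from the console repository or from the linked pull request; the function names are hypothetical and the sample Status body is constructed from the message quoted in Comment 2.

```javascript
// Added example: function names are hypothetical, not taken from the console code base.

// SelfSubjectAccessReview asking "may I create Subscriptions in this namespace?"
// so the UI can disable the button before the user reaches the form.
function buildAccessReview(namespace) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: {
      resourceAttributes: {
        group: 'operators.coreos.com',
        resource: 'subscriptions',
        verb: 'create',
        namespace,
      },
    },
  };
}

// Fail closed: only an explicit status.allowed === true enables the button.
function canCreate(review) {
  return Boolean(review && review.status && review.status.allowed === true);
}

// Turn a failed create into text for the form. Never returns an empty string,
// so a rejected request always produces visible feedback.
function messageFromFailure(httpStatus, body) {
  if (body && body.kind === 'Status' && typeof body.message === 'string' && body.message) {
    return body.message;
  }
  return `Request failed with HTTP ${httpStatus}`;
}

// Constructed sample: a Status body carrying the message quoted in Comment 2.
const forbidden = {
  kind: 'Status',
  apiVersion: 'v1',
  status: 'Failure',
  reason: 'Forbidden',
  code: 403,
  message:
    'subscriptions.operators.coreos.com is forbidden: User "yapei1" cannot create ' +
    'resource "subscriptions" in API group "operators.coreos.com" in the namespace ' +
    '"openshift-operators"',
};

console.log(canCreate({ status: { allowed: false } }));
console.log(messageFromFailure(403, forbidden));
```

The access review only decides what the UI offers; the API server still enforces the 403, so the error path has to be handled even when the button is gated.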

Comment 4 errata-xmlrpc 2020-01-23 11:13:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062

