Description of problem:
As a user, I am unable to view the links to the dashboards in the Home and Monitoring tabs in the web console menu. I am following the documentation [1] and using the cluster-monitoring-view cluster role. I've found that to view the dashboards, this role calls the sharing-config config map in the openshift-monitoring namespace. Thus, I believe the cluster-monitoring-view cluster role needs to be updated to access this, and the documentation [1] should be updated as well to reflect the requirement. Interestingly enough, while the links to the dashboards are not visible, the actual Grafana dashboard itself is accessible with the cluster-monitoring-view role.

[1] https://docs.openshift.com/container-platform/4.2/monitoring/cluster-monitoring/prometheus-alertmanager-and-grafana.html

Version-Release number of selected component (if applicable):
OpenShift 4.2.7

How reproducible:
All the time

Steps to Reproduce:
1. oc adm policy add-cluster-role-to-user cluster-monitoring-view USER
2. Log into the web console as USER

Actual results:
Inspect the menu tabs on the left to see that the Home -> Dashboards and Monitoring -> Dashboards links are not visible

Expected results:
The links to the dashboards should be visible

Additional info:
I was reviewing this with a colleague; he also proposed this workaround for the time being. Create the following:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: configmap-get
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      verbs:
      - get

    # oc adm policy add-cluster-role-to-user cluster-monitoring-view USER
    # oc policy add-role-to-user configmap-get -n openshift-monitoring USER

Error when just adding cluster-monitoring-view to the user; a call to the sharing-config config map is needed.

    Request URL: https://console-openshift-console.apps.ocp4test.com/api/kubernetes/api/v1/namespaces/openshift-monitoring/configmaps/sharing-config
    Request method: GET
    Remote address: 1.2.3.4:443
    Status code: 403
    Version: HTTP/1.1
    Referrer Policy: strict-origin-when-cross-origin
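A narrower variant of the workaround in the comment above, as an added example that is not part of the original thread or of the shipped fix: the configmap-get role allows get on every config map in openshift-monitoring, while the failing console request reads only sharing-config. The role and binding names below are hypothetical, and USER is a placeholder as in the comment.

```yaml
# Added example: least-privilege form of the configmap-get workaround.
# "sharing-config-get" and "sharing-config-get-user" are hypothetical names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sharing-config-get
  namespace: openshift-monitoring
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - sharing-config   # the only object named in the 403 request above
  verbs:
  - get              # the console issues a GET by name, so list/watch are not granted
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sharing-config-get-user
  namespace: openshift-monitoring
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: USER         # placeholder user name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sharing-config-get
```

To check the result, `oc auth can-i get configmap/sharing-config -n openshift-monitoring --as USER` should answer yes, and the same query for any other config map name in that namespace should answer no.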
This is a bug with 4.x as the sharing-config configmap was added in 4.x https://github.com/openshift/console/blob/release-4.2/frontend/public/actions/features.ts#L93-L129
We can read the config map in the console operator and wire through the URLs. We should probably do the same for the logging sharing-config config map.
*** Bug 1802923 has been marked as a duplicate of this bug. ***
We have a couple of dependency bugs:

- Logging operator should publish sharing-config configmap into openshift-config-managed namespace
  https://bugzilla.redhat.com/show_bug.cgi?id=1803196
- [POST] Monitoring operator should publish sharing-config configmap into openshift-config-managed namespace
  https://bugzilla.redhat.com/show_bug.cgi?id=1803192

Once resolved, we can proceed.
Console needs to be updated to read the config values set by the operator.
1. Grant the normal user the metrics-reader role

    # cat metrics-reader-cluster-role.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: metrics-reader
    rules:
    - apiGroups:
      - ''
      resources:
      - namespaces
      verbs:
      - get
      - list
      - watch
    # oc create -f metrics-reader-cluster-role.yaml
    clusterrole.rbac.authorization.k8s.io/metrics-reader created
    # oc adm policy add-cluster-role-to-user metrics-reader yapei1
    clusterrole.rbac.authorization.k8s.io/metrics-reader added: "yapei1"

2. Normal user 'yapei1' logs in to the cluster and visits Monitoring; the user can see the Dashboards menu and can also view dashboards successfully.

Verified on 4.5.0-0.nightly-2020-03-06-190457
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409