Bug 1784352 - User can list pods, but not allowed to list the deployment pods or replica set pods
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.4
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
: 4.4.0
Assignee: Robb Hamilton
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-12-17 10:12 UTC by Udi
Modified: 2020-05-04 11:20 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-04 11:20:24 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Github openshift console pull 3962 None closed Bug 1784352: Fix bug where regular users cannot view Pods tab pods 2020-04-17 19:47:16 UTC
Red Hat Product Errata RHBA-2020:0581 None None None 2020-05-04 11:20:58 UTC

Description Udi 2019-12-17 10:12:39 UTC
Description of problem:
I installed a fresh cluster and created a user in the htpasswd file. The user can log in, can create new projects and deploy an app. However, when browsing over to the deployment or the replica set, and switching to the "pods" tab, you get the error: "Restricted Access". There is no problem listing pods in the Pods page with this user, so there should also be no problem listing the deployment's pods.


Version-Release number of selected component (if applicable):
4.4.0-0.ci-2019-12-14-210519


How reproducible:
100%


Steps to Reproduce:
1. Create a user and log in with it
2. Create a new project
3. Create a new application (I created hello-openshift)
4. Browse to the deployment page, select the deployment, and switch to the "Pods" tab


Actual results:
Restricted Access
pods is forbidden: User "alice" cannot list resource "pods" in API group "" at the cluster scope

Expected results:
Deployment pods should be listed


Additional info:
The cluster is a libvirt cluster simulating bare metals, installed with the dev-scripts.

Comment 1 Stephen Cuppett 2019-12-17 11:38:13 UTC
There is likely a missing role/permission rule for the created users of this auth mechanism here (and doc step to identify the need). Assigning to auth to take a look to fill in the gap.

Comment 2 Standa Laznicka 2020-01-02 09:22:57 UTC
Moving to console, `pods is forbidden: User "alice" cannot list resource "pods" in API group "" at the cluster scope` means cluster-level pods search was performed although the user expected a namespaced search. Idk whether it's intended or not.
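
The scoping distinction Comment 2 points to, as an added example that is not part of the bug thread or the console code: a minimal Python model of how RBAC matches a binding against the scope of a list request. The user "alice" and the error text come from the report; the project name "demo", the binding, and the request paths are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """Simplified RBAC grant; namespace "" models a ClusterRoleBinding."""
    subject: str
    verbs: frozenset
    resources: frozenset
    namespace: str = ""

# Constructed sample: "alice" is from the report; project "demo" is assumed.
BINDINGS = [Binding("alice", frozenset({"get", "list", "watch"}),
                    frozenset({"pods"}), "demo")]

# Core API group paths: /api/v1/pods or /api/v1/namespaces/<ns>/pods
_PATH = re.compile(r"^/api/v1/(?:namespaces/(?P<ns>[^/]+)/)?(?P<res>[^/]+)$")

def parse_list_request(path):
    """Return (namespace, resource); namespace "" means cluster scope.
    Query strings such as a labelSelector do not change the scope."""
    m = _PATH.match(path.split("?", 1)[0])
    if not m:
        raise ValueError(f"unsupported path: {path}")
    return m.group("ns") or "", m.group("res")

def authorize(user, verb, path, bindings=BINDINGS):
    """Return (allowed, reason). A namespaced binding never satisfies a
    cluster-scope request, even for the same verb and resource."""
    ns, res = parse_list_request(path)
    for b in bindings:
        if b.subject != user or verb not in b.verbs or res not in b.resources:
            continue
        if b.namespace == "" or b.namespace == ns:
            return True, ""
    scope = f'in the namespace "{ns}"' if ns else "at the cluster scope"
    return False, (f'{res} is forbidden: User "{user}" cannot {verb} '
                   f'resource "{res}" in API group "" {scope}')

if __name__ == "__main__":
    selector = "?labelSelector=app%3Dhello-openshift"  # constructed query
    for path in ("/api/v1/namespaces/demo/pods", "/api/v1/pods"):
        print(path + selector, "->", authorize("alice", "list", path + selector))
```

Filtering by label narrows the result set but not the authorization scope, so a client acting for a project-level user has to put the namespace in the request path.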

Comment 4 shahan 2020-01-16 11:17:51 UTC
Now we could see the pod list under the pod tab with a normal user
4.4.0-0.ci-2020-01-16-103544

Comment 6 errata-xmlrpc 2020-05-04 11:20:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

