Created attachment 1646148 [details] Screenshot of access denied empty state plus error message Description of problem: dedicated-admins see an error message when the UI cannot show items due to RBAC restrictions Version-Release number of selected component (if applicable): 4.2.9 How reproducible: Always Steps to Reproduce: 1. Log into an OSD cluster with dedicated-admin role 2. Navigate to /settings/cluster/globalconfig 3. Actual results: See a huge error message Expected results: User should see no error message Additional info: IMO, being denied access is not an error; it's RBAC working properly. I think it's an open question whether we want to have another way to let users know there are items that they cannot see due to access controls. But it's not an error state. In addition to the error mentioned, users can also see the "Access restricted" empty state as well as an error message. The empty state is sufficent; there is no error. See attched screenshot.
Created attachment 1646149 [details] Screenshot of globalconfig error
Setting Target Release to active development branch (4.4). Clones will be created for fixes, if any, which need backported.
Global Config page is displaying correctly and clearly with the access message. IMO this could be Verified. Checked on 4.4.0-0.nightly-2020-02-02-225006
Created attachment 1657513 [details] NormalUserViewGlobalConfig Hi, currently normal user without access permission viewing Global Configuration page will report Denied error, except the denied error, there are also Error details clusterversions.config.openshift.io "version" is forbidden: User "yapei1" cannot get resource "clusterversions" in API group "config.openshift.io" at the cluster scope Do you expect we should also remove the error details message?
(In reply to Yadan Pei from comment #6) > Created attachment 1657513 [details] > NormalUserViewGlobalConfig > > Hi, currently normal user without access permission viewing Global > Configuration page will report Denied error, except the denied error, there > are also Error details > clusterversions.config.openshift.io "version" is forbidden: User "yapei1" > cannot get resource "clusterversions" in API group "config.openshift.io" at > the cluster scope > > > Do you expect we should also remove the error details message? I think that error is reasonable. These pages are not meant for normal users, and Cluster Settings is removed from the nav if you can't get the cluster version resource. `dedicated-admin` is a different role that should be able to access this page.
Change back to ON_QA since we used different scenarios
Created attachment 1657848 [details] role dedicated-admin-cluster
Created attachment 1657849 [details] role dedicated-admin-project
Created attachment 1657851 [details] role dedicated-admin-project-config
Created attachment 1657854 [details] normal user has dedicated related role visit global configuration page and display normally
After normal user been grant with 3 roles related to dedicated-admin, user visit global configuration (settings/cluster/globalconfig). It could display clearly (see screenshot) Tested on 4.4.0-0.nightly-2020-02-04-171905 Could move it to Verified. Thanks all!
What info is needed from me here? What's in XiaochuanWang's screenshot looks good to me.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581