Bug 1784937 - dedicated-admin users see errors when RBAC denies access
Summary: dedicated-admin users see errors when RBAC denies access
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.2.z
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.4.0
Assignee: Samuel Padgett
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-18 18:39 UTC by cbritt
Modified: 2020-05-04 11:21 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-04 11:20:43 UTC
Target Upstream Version:


Attachments (Terms of Use)
Screenshot of access denied empty state plus error message (75.72 KB, image/png)
2019-12-18 18:39 UTC, cbritt
no flags Details
Screenshot of globalconfig error (161.40 KB, image/png)
2019-12-18 18:40 UTC, cbritt
no flags Details
NormalUserViewGlobalConfig (222.93 KB, image/png)
2020-02-04 09:22 UTC, Yadan Pei
no flags Details
role dedicated-admin-cluster (6.64 KB, text/plain)
2020-02-05 09:23 UTC, XiaochuanWang
no flags Details
role dedicated-admin-project (3.63 KB, text/plain)
2020-02-05 09:24 UTC, XiaochuanWang
no flags Details
role dedicated-admin-project-config (763 bytes, text/plain)
2020-02-05 09:25 UTC, XiaochuanWang
no flags Details
normal user has dedicated related role visit global configuration page and display normally (292.60 KB, image/png)
2020-02-05 09:29 UTC, XiaochuanWang
no flags Details


Links
System ID Priority Status Summary Last Updated
Github openshift console pull 3872 None closed Bug 1784937: Improve error handling on global config tab 2020-04-17 17:44:34 UTC
Red Hat Product Errata RHBA-2020:0581 None None None 2020-05-04 11:21:18 UTC

Description cbritt 2019-12-18 18:39:25 UTC
Created attachment 1646148 [details]
Screenshot of access denied empty state plus error message

Description of problem:
dedicated-admins see an error message when the UI cannot show items due to RBAC restrictions 

Version-Release number of selected component (if applicable):
4.2.9

How reproducible:
Always

Steps to Reproduce:
1. Log into an OSD cluster with dedicated-admin role
2. Navigate to /settings/cluster/globalconfig
3. 

Actual results:
See a huge error message

Expected results:
User should see no error message

Additional info:
IMO, being denied access is not an error; it's RBAC working properly. I think it's an open question whether we want to have another way to let users know there are items that they cannot see due to access controls. But it's not an error state. 

In addition to the error mentioned, users can also see the "Access restricted" empty state as well as an error message. The empty state is sufficent; there is no error. See attched screenshot.

Comment 1 cbritt 2019-12-18 18:40:18 UTC
Created attachment 1646149 [details]
Screenshot of globalconfig error

Comment 2 Stephen Cuppett 2019-12-18 20:37:05 UTC
Setting Target Release to active development branch (4.4). Clones will be created for fixes, if any, which need backported.

Comment 4 XiaochuanWang 2020-02-04 09:00:30 UTC
Global Config page is displaying correctly and clearly with the access message.
IMO this could be Verified.
Checked on 4.4.0-0.nightly-2020-02-02-225006

Comment 6 Yadan Pei 2020-02-04 09:22:40 UTC
Created attachment 1657513 [details]
NormalUserViewGlobalConfig

Hi, currently normal user without access permission viewing Global Configuration page will report Denied error, except the denied error, there are also Error details
clusterversions.config.openshift.io "version" is forbidden: User "yapei1" cannot get resource "clusterversions" in API group "config.openshift.io" at the cluster scope


Do you expect we should also remove the error details message?

Comment 7 Samuel Padgett 2020-02-04 17:49:15 UTC
(In reply to Yadan Pei from comment #6)
> Created attachment 1657513 [details]
> NormalUserViewGlobalConfig
> 
> Hi, currently normal user without access permission viewing Global
> Configuration page will report Denied error, except the denied error, there
> are also Error details
> clusterversions.config.openshift.io "version" is forbidden: User "yapei1"
> cannot get resource "clusterversions" in API group "config.openshift.io" at
> the cluster scope
> 
> 
> Do you expect we should also remove the error details message?

I think that error is reasonable. These pages are not meant for normal users, and Cluster Settings is removed from the nav if you can't get the cluster version resource. `dedicated-admin` is a different role that should be able to access this page.

Comment 8 Yadan Pei 2020-02-05 05:26:16 UTC
Change back to ON_QA since we used different scenarios

Comment 9 XiaochuanWang 2020-02-05 09:23:16 UTC
Created attachment 1657848 [details]
role dedicated-admin-cluster

Comment 10 XiaochuanWang 2020-02-05 09:24:02 UTC
Created attachment 1657849 [details]
role dedicated-admin-project

Comment 11 XiaochuanWang 2020-02-05 09:25:15 UTC
Created attachment 1657851 [details]
role dedicated-admin-project-config

Comment 12 XiaochuanWang 2020-02-05 09:29:12 UTC
Created attachment 1657854 [details]
normal user has dedicated related role visit global configuration page and display normally

Comment 13 XiaochuanWang 2020-02-05 09:34:10 UTC
After normal user been grant with 3 roles related to dedicated-admin, user visit global configuration (settings/cluster/globalconfig). It could display clearly (see screenshot)


Tested on 4.4.0-0.nightly-2020-02-04-171905
Could move it to Verified.

Thanks all!

Comment 14 cbritt 2020-02-12 15:45:55 UTC
What info is needed from me here? What's in XiaochuanWang's screenshot looks good to me.

Comment 16 errata-xmlrpc 2020-05-04 11:20:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581


Note You need to log in before you can comment on or make changes to this bug.