Bug 1790528 - Normal user cannot see and use installed operators [openshift-4.4] [NEEDINFO]
Summary: Normal user cannot see and use installed operators [openshift-4.4]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.4
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.4.0
Assignee: bpeterse
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1790925 1791101
 
Reported: 2020-01-13 14:46 UTC by Yuanlin Xu
Modified: 2020-05-04 11:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1790925 1791101 (view as bug list)
Environment:
Last Closed: 2020-05-04 11:24:06 UTC
Target Upstream Version:
yapei: needinfo? (bpeterse)

Links
GitHub openshift/console pull 3940 (closed): Bug 1790528: Make subscriptions & catalog sources optional so normal users can see installed operators (last updated 2020-05-26 15:20:30 UTC)
GitHub openshift/console pull 3984 (closed): Bug 1790528: Fix removal of OPERATOR_LIFECYCLE_MANAGER flag from olm package causi… (last updated 2020-05-26 15:20:31 UTC)
Red Hat Product Errata RHBA-2020:0581 (last updated 2020-05-04 11:24:32 UTC)

Description Yuanlin Xu 2020-01-13 14:46:16 UTC
Description of problem:

OCP 4.3 changed the console UI Operators section permission. In previous OCP releases (OCP 4.1, 4.2) a normal user is able to see installed operators and use them from the console UI after logging in as a non cluster-admin user. In the OCP 4.3 console UI, Installed Operators shows

Restricted Access
You don't have access to this section due to cluster policy.

Error details
subscriptions.operators.coreos.com is forbidden: User "qe1" cannot list resource "subscriptions" in API group "operators.coreos.com" at the cluster scope

A non cluster-admin user ("qe1" above) cannot access the Installed Operators UI section. This blocks downstream Service Mesh product creation from the console UI.


OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz
OSSM version: 1.0.3
Environment: OCP 4.3 on AWS

The normal user is created by the following steps:
$ htpasswd -c -B -b users.htpasswd qe1 "${QE1_PWD:-qe1pw}"
$ oc -n openshift-config create secret generic htpass-secret --from-file=htpasswd=users.htpasswd
$ oc apply -f <(cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
EOF
)

Version-Release number of selected component (if applicable):

OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz


How reproducible:
Always


Steps to Reproduce:
1. Create a normal user, e.g. qe1, without cluster-admin privilege (steps at the end of the description above)
2. Log in to OCP 4.3 cluster as a user with cluster-admin permission
3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub
4. Logout

5. Log in to OCP 4.3 cluster console as a normal user
6. Navigate to left side "Operators --> Installed Operators"


Actual results:
Restricted Access
You don't have access to this section due to cluster policy.

Expected results:
Normal user should be able to see installed operator(s)


Additional info:
This issue is initially discussed in https://issues.redhat.com/browse/MAISTRA-1041

Comment 1 Yuanlin Xu 2020-01-13 16:36:39 UTC
We got help from Yadan Pei and figured out a solution for this issue. On the latest OCP 4.3, a normal user can see installed operators and create custom resources such as SMCP/SMMR by the following steps:

Login as normal user.
Click on Administrator -> click on Developer -> click +Add -> From Catalog -> Installed Operators

Here you can see the custom resources your operator has defined, and the user can create an instance of SMCP/SMMR.

So this is an OCP 4.3 UI change. We can close this issue now.

Comment 2 bpeterse 2020-01-14 14:39:59 UTC
Let's reopen, you were correct to begin with.  This is a bug, but you happened to find a workaround.  We still expect the admin side of the console to be usable by non-admin devs, so long as RBAC allows visibility of the resource/page.

Comment 3 bpeterse 2020-01-14 14:40:49 UTC
Setting to 4.4 & cloning back to 4.3.z.

Comment 4 Yuanlin Xu 2020-01-14 20:31:14 UTC
Steps to Reproduce:
1. Create a normal user, e.g. qe1, without cluster-admin privilege (steps at the end of the description above)
2. Log in to OCP 4.3 cluster as a user with cluster-admin permission
3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub
4. Logout

(This step in the description needs to be updated.) 5. Log in to OCP 4.3 cluster console as a normal user --> 5. Log in to OCP 4.3 cluster console as a normal user and create a project.
6. Navigate to left side "Operators --> Installed Operators"

Comment 6 Yadan Pei 2020-01-16 01:22:19 UTC
The latest accepted build 4.4.0-0.nightly-2020-01-15-181917 doesn't include this change yet; other builds are in the waiting queue. Will check on a newer build.

Comment 7 Yadan Pei 2020-01-16 02:14:08 UTC
Hi Ben,

I didn't see a PR attached for this bug, can you please add one? Then I can track whether the fix is merged or not.

Comment 8 Samuel Padgett 2020-01-16 17:40:41 UTC
Moving back to assigned to include https://github.com/openshift/console/pull/3984

Comment 9 Samuel Padgett 2020-01-16 17:43:07 UTC
The two PRs are

https://github.com/openshift/console/pull/3940

and the follow-on fix

https://github.com/openshift/console/pull/3984

Comment 11 Yadan Pei 2020-01-19 05:34:42 UTC
A normal user without projects logs in to the console and visits the User Management -> Role Bindings page. It shows "No Role Bindings Found" and the getting started guide. No Create RoleBinding button.


Verified on 4.4.0-0.nightly-2020-01-18-223038

Comment 12 Yadan Pei 2020-01-19 05:50:11 UTC
Sorry, I gave wrong comments. Please just ignore comment 11.

Comment 13 Yadan Pei 2020-01-19 05:58:23 UTC
1. 
2. A normal user without any projects logs in to the console and visits Operators -> Installed Operators; it shows the correct message indicating no operators found.
3. The normal user creates a project, the admin user subscribes one operator to this namespace, and we wait until the operator is successfully installed:
$ oc get csv -n ui1-1
NAME                                  DISPLAY                        VERSION   REPLACES   PHASE
etcdoperator.v0.9.4                   etcd                           0.9.4                Succeeded
4. Then the normal user views custom resources on the Operators -> Installed Operators page. We can see the etcd Operator is listed on the page, and the normal user can create etcd Cluster, etcd Backup, and etcd Restore successfully.


Verified on 4.4.0-0.nightly-2020-01-18-223038
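The error in the description (cluster-scope list of subscriptions denied for qe1) and the verification in comment 13 (CSVs visible in the user's own project) describe the RBAC boundary the console fix has to respect. As an added example, not part of this bug report or the openshift/console project, the POSIX sh check below queries that boundary with `oc auth can-i --as`; the user qe1 and project ui1-1 come from this bug, and the OC variable is an assumed override so the oc binary can be substituted.

```shell
#!/bin/sh
# Added example: verify what a normal user can list, as the console should see it.
# OC is an assumed override for the oc binary (useful for testing with a stub).
OC="${OC:-oc}"

# can_i VERB RESOURCE USER [NAMESPACE]
# Prints "yes" or "no" as returned by the API server. Without NAMESPACE the check
# is made at cluster scope (--all-namespaces), which is what the 4.3 console
# attempted for subscriptions. Empty output means impersonation itself failed.
can_i() {
  verb=$1; resource=$2; user=$3; ns=$4
  if [ -n "$ns" ]; then
    out=$("$OC" auth can-i "$verb" "$resource" --as="$user" -n "$ns" 2>/dev/null) || true
  else
    out=$("$OC" auth can-i "$verb" "$resource" --as="$user" --all-namespaces 2>/dev/null) || true
  fi
  printf '%s\n' "$out"
}

# check_normal_user USER NAMESPACE
# Succeeds only when the boundary holds: no cluster-wide subscription listing,
# but the CSVs in the user's own project are visible.
check_normal_user() {
  user=$1; ns=$2
  cluster_subs=$(can_i list subscriptions.operators.coreos.com "$user")
  ns_csvs=$(can_i list clusterserviceversions.operators.coreos.com "$user" "$ns")
  case "$cluster_subs/$ns_csvs" in
    no/yes) echo "ok: $user lists CSVs in $ns only, not subscriptions cluster-wide"; return 0 ;;
    yes/*)  echo "warn: $user can list subscriptions cluster-wide (over-broad RBAC?)" >&2; return 1 ;;
    *)      echo "fail: cluster=$cluster_subs ns=$ns_csvs (empty: impersonation denied)" >&2; return 1 ;;
  esac
}

# Run only when invoked as: sh check.sh --run [USER] [NAMESPACE]
if [ "${1:-}" = "--run" ]; then
  check_normal_user "${2:-qe1}" "${3:-ui1-1}"
fi
```

Running it needs a kubeconfig whose identity is allowed to impersonate the user (cluster-admin is sufficient).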

Comment 15 errata-xmlrpc 2020-05-04 11:24:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

