Description of problem: OCP 4.3 changed the console UI Operators section permission. In previous OCP (OCP 4.1, 4.2) normal user is able to see installed operators and use them from console UI after login as a non cluster-admin user. In OCP 4.3 console UI, Installed Operators shows Restricted Access You don't have access to this section due to cluster policy. Error details subscriptions.operators.coreos.com is forbidden: User "qe1" cannot list resource "subscriptions" in API group "operators.coreos.com" at the cluster scope A non cluster-admin user ("qe1" above) cannot access an installed operator UI section. So this blocks downstream service mesh product creation from console UI. OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz OSSM version: 1.0.3 Environment: OCP 4.3 on AWS normal user is created by the follow step: $ htpasswd -c -B -b users.htpasswd qe1 "${QE1_PWD:-qe1pw}" $ oc -n openshift-config create secret generic htpass-secret --from-file=htpasswd=users.htpasswd $ oc apply -f <(cat <<EOF apiVersion: config.openshift.io/v1 kind: OAuth metadata: name: cluster spec: identityProviders: name: my_htpasswd_provider mappingMethod: claim type: HTPasswd htpasswd: fileData: name: htpass-secret EOF ) Version-Release number of selected component (if applicable): OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz How reproducible: Always Steps to Reproduce: 1. Create a normal user e.g. qe1 , without cluster-admin privilege (step above in the end of description) 2. Log in to OCP 4.3 cluster as a user with cluster-admin permission 3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub 4. Logout 5. Log in to OCP 4.3 cluster console as a normal user 6. Navigate to left side "Operators --> Installed Operators" Actual results: Restricted Access You don't have access to this section due to cluster policy. Expected results: Normal user should be able to see installed operator(s) Additional info: This issue is initially discussed in https://issues.redhat.com/browse/MAISTRA-1041
We got help from Yadan Pei and figured out a solution of this issue. On the latest OCP 4.3 and normal user can see installed operators and create custom resources such as SMCP/SMMR by the following steps: Login as normal user. Click on Administrator -> click on Developer -> click +Add -> From Catalog -> Installed Operators here you can see custom resources your operator had defined, user can create instance of SMCP/SMMR So this is an OCP 4.3 UI change . We can close this issue now.
Lets reopen, you were correct to begin with. This is a bug, but you happened to find a workaround. We still expect the admin side of the console to be usable by non-admin devs, so long as RBAC allows visibility of the resource/page.
Setting to 4.4 & cloning back to 4.3.z.
Steps to Reproduce: 1. Create a normal user e.g. qe1 , without cluster-admin privilege (step above in the end of description) 2. Log in to OCP 4.3 cluster as a user with cluster-admin permission 3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub 4. Logout (This step in description need to be updated) 5. Log in to OCP 4.3 cluster console as a normal user --> 5. Log in to OCP 4.3 cluster console as a normal user and create a project. 6. Navigate to left side "Operators --> Installed Operators"
Latest accepted build 4.4.0-0.nightly-2020-01-15-181917 don't include this change yet, other builds are in waiting queue. Will check on newer build
Hi Ben, I didn't see a PR attached for this bug, can you please add? Then I can track if the fix is merged or not
Moving back to assigned to include https://github.com/openshift/console/pull/3984
The two PRs are https://github.com/openshift/console/pull/3940 and follow on fix https://github.com/openshift/console/pull/3984
normal user without projects login to console, and visit User Management -> Role Bindings page. It shows No Role Bindings Found and getting started guide. No Create RoleBinding button Verified on 4.4.0-0.nightly-2020-01-18-223038
Sorry giving wrong comments. please just ignore comment 11
1. 2. normal user without any projects login to console, and visit Operators -> Installed Operators, it shows correct message indicating no operators found 3. normal user create a project, admin user subscribe one operator to this namespace, wait until operator is successfully installed $ oc get csv -n ui1-1 NAME DISPLAY VERSION REPLACES PHASE etcdoperator.v0.9.4 etcd 0.9.4 Succeeded 4. then normal user view custom resources on Operators -> Installed Operators page, we can see etcd Operator is listed on the page, normal user can create etcd Cluster, etcd Backup, etcd Restore successfully Verified on 4.4.0-0.nightly-2020-01-18-223038
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days