
Bug 1790925

Summary: Normal user cannot see and use installed operators [openshift-4.3]
Product: OpenShift Container Platform
Component: Management Console
Version: 4.3.z
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Target Milestone: ---
Target Release: 4.3.z
Hardware: All
OS: All
Reporter: bpeterse
Assignee: bpeterse
QA Contact: Yadan Pei <yapei>
CC: aos-bugs, jokerman, yapei, yuaxu
Keywords: Reopened
Doc Type: If docs needed, set a value
Clone Of: 1790528
Last Closed: 2020-01-29 21:46:42 UTC
Bug Depends On: 1790528, 1791101

Description bpeterse 2020-01-14 14:47:14 UTC
+++ This bug was initially created as a clone of Bug #1790528 +++

Description of problem:

OCP 4.3 changed the console UI Operators section permission. In previous OCP versions (OCP 4.1, 4.2), a normal user is able to see installed operators and use them from the console UI after logging in as a non cluster-admin user. In the OCP 4.3 console UI, Installed Operators shows:

Restricted Access
You don't have access to this section due to cluster policy.

Error details
subscriptions.operators.coreos.com is forbidden: User "qe1" cannot list resource "subscriptions" in API group "operators.coreos.com" at the cluster scope

A non cluster-admin user ("qe1" above) cannot access an installed operator UI section. So this blocks downstream service mesh product creation from console UI.


OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz
OSSM version: 1.0.3
Environment: OCP 4.3 on AWS

The normal user is created by the following steps:
$ htpasswd -c -B -b users.htpasswd qe1 "${QE1_PWD:-qe1pw}"
$ oc -n openshift-config create secret generic htpass-secret --from-file=htpasswd=users.htpasswd
$ oc apply -f <(cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
EOF
)

Version-Release number of selected component (if applicable):

OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz


How reproducible:
Always


Steps to Reproduce:
1. Create a normal user, e.g. qe1, without cluster-admin privilege (steps above, at the end of the description)
2. Log in to OCP 4.3 cluster as a user with cluster-admin permission
3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub
4. Log out
5. Log in to OCP 4.3 cluster console as a normal user
6. Navigate to left side "Operators --> Installed Operators"


Actual results:
Restricted Access
You don't have access to this section due to cluster policy.

Expected results:
Normal user should be able to see installed operator(s)


Additional info:
This issue is initially discussed in https://issues.redhat.com/browse/MAISTRA-1041

--- Additional comment from Yuanlin Xu on 2020-01-13 16:36:39 UTC ---

We got help from Yadan Pei and figured out a solution to this issue. On the latest OCP 4.3, a normal user can see installed operators and create custom resources such as SMCP/SMMR by the following steps:

Login as normal user.
Click on Administrator -> click on Developer -> click +Add -> From Catalog -> Installed Operators

Here you can see the custom resources your operator has defined; the user can create an instance of SMCP/SMMR.

So this is an OCP 4.3 UI change. We can close this issue now.

--- Additional comment from  on 2020-01-14 14:39:59 UTC ---

Let's reopen, you were correct to begin with. This is a bug, but you happened to find a workaround. We still expect the admin side of the console to be usable by non-admin devs, so long as RBAC allows visibility of the resource/page.

--- Additional comment from  on 2020-01-14 14:40:49 UTC ---

Setting to 4.4 & cloning back to 4.3.z.
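
The scope distinction behind the error quoted in the description, as an added example that is not part of the original bug report or of the console's code: it parses the "forbidden" message, evaluates the request against a simplified RBAC model, and builds the matching `oc auth can-i` check. The `Binding` model, the project name `qe1-project` and the project-level grant are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Authorization error format returned by the API server, as quoted in the bug.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")')

class Request(NamedTuple):
    user: str
    verb: str
    resource: str
    group: str
    namespace: Optional[str]  # None = cluster scope (list across all namespaces)

def parse_forbidden(message: str) -> Optional[Request]:
    """Extract the denied request from a 'forbidden' error, or None if no match."""
    m = FORBIDDEN_RE.search(message)
    return Request(**m.groupdict()) if m else None

class Binding(NamedTuple):
    # Simplified RBAC grant (assumption): namespace=None models a ClusterRoleBinding.
    user: str
    verbs: frozenset
    resource: str
    group: str
    namespace: Optional[str]

def allowed(req: Request, bindings) -> bool:
    """A namespaced grant never satisfies a cluster-scope request."""
    return any(
        b.user == req.user and req.verb in b.verbs
        and (b.resource, b.group) == (req.resource, req.group)
        and (b.namespace is None or b.namespace == req.namespace)
        for b in bindings)

def can_i_command(req: Request) -> list:
    """Build the `oc auth can-i` check an admin can run to confirm the decision."""
    target = req.resource + ("." + req.group if req.group else "")
    scope = ["--all-namespaces"] if req.namespace is None else ["-n", req.namespace]
    return ["oc", "auth", "can-i", req.verb, target, "--as", req.user] + scope

# Constructed sample: error text from the bug plus an assumed project-level grant.
ERROR = ('subscriptions.operators.coreos.com is forbidden: User "qe1" cannot list '
         'resource "subscriptions" in API group "operators.coreos.com" at the cluster scope')
BINDINGS = [Binding("qe1", frozenset({"get", "list", "watch"}),
                    "subscriptions", "operators.coreos.com", "qe1-project")]
```

With these sample bindings the cluster-scope list is denied while the same list inside `qe1-project` is allowed, which is the difference between the two console paths described in the comments.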

Comment 1 Yuanlin Xu 2020-01-14 20:34:28 UTC
Steps to Reproduce:
1. Create a normal user, e.g. qe1, without cluster-admin privilege (steps above, at the end of the description)
2. Log in to OCP 4.3 cluster as a user with cluster-admin permission
3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub
4. Log out

(This step in the description needs to be updated) 5. Log in to OCP 4.3 cluster console as a normal user --> 5. Log in to OCP 4.3 cluster console as a normal user and create a project.
6. Navigate to left side "Operators --> Installed Operators"

Comment 2 bpeterse 2020-01-29 21:46:42 UTC

*** This bug has been marked as a duplicate of bug 1791101 ***