+++ This bug was initially created as a clone of Bug #1790528 +++ Description of problem: OCP 4.3 changed the console UI Operators section permission. In previous OCP (OCP 4.1, 4.2) normal user is able to see installed operators and use them from console UI after login as a non cluster-admin user. In OCP 4.3 console UI, Installed Operators shows Restricted Access You don't have access to this section due to cluster policy. Error details subscriptions.operators.coreos.com is forbidden: User "qe1" cannot list resource "subscriptions" in API group "operators.coreos.com" at the cluster scope A non cluster-admin user ("qe1" above) cannot access an installed operator UI section. So this blocks downstream service mesh product creation from console UI. OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz OSSM version: 1.0.3 Environment: OCP 4.3 on AWS normal user is created by the follow step: $ htpasswd -c -B -b users.htpasswd qe1 "${QE1_PWD:-qe1pw}" $ oc -n openshift-config create secret generic htpass-secret --from-file=htpasswd=users.htpasswd $ oc apply -f <(cat <<EOF apiVersion: config.openshift.io/v1 kind: OAuth metadata: name: cluster spec: identityProviders: name: my_htpasswd_provider mappingMethod: claim type: HTPasswd htpasswd: fileData: name: htpass-secret EOF ) Version-Release number of selected component (if applicable): OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz How reproducible: Always Steps to Reproduce: 1. Create a normal user e.g. qe1 , without cluster-admin privilege (step above in the end of description) 2. Log in to OCP 4.3 cluster as a user with cluster-admin permission 3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub 4. Logout 5. Log in to OCP 4.3 cluster console as a normal user 6. Navigate to left side "Operators --> Installed Operators" Actual results: Restricted Access You don't have access to this section due to cluster policy. Expected results: Normal user should be able to see installed operator(s) Additional info: This issue is initially discussed in https://issues.redhat.com/browse/MAISTRA-1041 --- Additional comment from Yuanlin Xu on 2020-01-13 16:36:39 UTC --- We got help from Yadan Pei and figured out a solution of this issue. On the latest OCP 4.3 and normal user can see installed operators and create custom resources such as SMCP/SMMR by the following steps: Login as normal user. Click on Administrator -> click on Developer -> click +Add -> From Catalog -> Installed Operators here you can see custom resources your operator had defined, user can create instance of SMCP/SMMR So this is an OCP 4.3 UI change . We can close this issue now. --- Additional comment from on 2020-01-14 14:39:59 UTC --- Lets reopen, you were correct to begin with. This is a bug, but you happened to find a workaround. We still expect the admin side of the console to be usable by non-admin devs, so long as RBAC allows visibility of the resource/page. --- Additional comment from on 2020-01-14 14:40:49 UTC --- Setting to 4.4 & cloning back to 4.3.z.
Steps to Reproduce: 1. Create a normal user e.g. qe1 , without cluster-admin privilege (step above in the end of description) 2. Log in to OCP 4.3 cluster as a user with cluster-admin permission 3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub 4. Logout (This step in description need to be updated) 5. Log in to OCP 4.3 cluster console as a normal user --> 5. Log in to OCP 4.3 cluster console as a normal user and create a project. 6. Navigate to left side "Operators --> Installed Operators"
*** Bug 1790925 has been marked as a duplicate of this bug. ***
1. normal user without any projects login to console, and visit Operators -> Installed Operators, it shows correct message indicating no operators found 2. normal user create a project, admin user subscribe one operator to this namespace, wait until operator is successfully installed 3. then normal user view custom resources on Operators -> Installed Operators page, we can see etcd Operator is listed on the page, normal user can create etcd Cluster, etcd Backup, etcd Restore successfully Verified on 4.3.0-0.nightly-2020-02-05-220314
I verified this issue has been fixed in OCP 4.3.2 build from Service Mesh side.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0492