Bug 1791101 - Normal user cannot see and use installed operators [openshift-4.3]
Summary: Normal user cannot see and use installed operators [openshift-4.3]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.3.0
Hardware: All
OS: All
unspecified
high
Target Milestone: ---
: 4.3.z
Assignee: Samuel Padgett
QA Contact: Yadan Pei
URL:
Whiteboard:
: 1790925 (view as bug list)
Depends On: 1790528
Blocks: 1790925
TreeView+ depends on / blocked
 
Reported: 2020-01-14 20:21 UTC by Samuel Padgett
Modified: 2020-02-19 05:40 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, normal users would be greeted with a "Restricted Access" error when trying to access the "Installed Operators" page in the web console. This happened because the console was trying to access the Subscription resource outside of the current namespace to show Subscription details. The bug has been fixed and normal users can now access the "Installed Operators" page. The Subscription tab will be hidden from users who can't access the Subscription resource. This is the same behavior as in OpenShift 4.2 console.
Clone Of: 1790528
Environment:
Last Closed: 2020-02-19 05:39:53 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift console pull 3963 None closed [release-4.3] Bug 1791101: Make subscriptions & catalog sources optional so normal users can see installed operators 2020-07-24 14:22:55 UTC
Red Hat Product Errata RHBA-2020:0492 None None None 2020-02-19 05:40:06 UTC

Description Samuel Padgett 2020-01-14 20:21:28 UTC
+++ This bug was initially created as a clone of Bug #1790528 +++

Description of problem:

OCP 4.3 changed the console UI Operators section permission. In previous OCP (OCP 4.1, 4.2) normal user is able to see installed operators and use them from console UI after login as a non cluster-admin user. In OCP 4.3 console UI, Installed Operators shows

Restricted Access
You don't have access to this section due to cluster policy.

Error details
subscriptions.operators.coreos.com is forbidden: User "qe1" cannot list resource "subscriptions" in API group "operators.coreos.com" at the cluster scope

A non cluster-admin user ("qe1" above) cannot access an installed operator UI section. So this blocks downstream service mesh product creation from console UI.


OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz
OSSM version: 1.0.3
Environment: OCP 4.3 on AWS

normal user is created by the follow step:
$ htpasswd -c -B -b users.htpasswd qe1 "${QE1_PWD:-qe1pw}"
$ oc -n openshift-config create secret generic htpass-secret --from-file=htpasswd=users.htpasswd
$ oc apply -f <(cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:

    name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
    fileData:
    name: htpass-secret
    EOF
    )





Version-Release number of selected component (if applicable):

OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz


How reproducible:
Always


Steps to Reproduce:
1. Create a normal user e.g. qe1 , without cluster-admin privilege (step above in the end of description)
2. Log in to OCP 4.3 cluster as a user with cluster-admin permission
3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub
4. Logout

5. Log in to OCP 4.3 cluster console as a normal user
6. Navigate to left side "Operators --> Installed Operators" 


Actual results:
Restricted Access
You don't have access to this section due to cluster policy.

Expected results:
Normal user should be able to see installed operator(s)


Additional info:
This issue is initially discussed in https://issues.redhat.com/browse/MAISTRA-1041

--- Additional comment from Yuanlin Xu on 2020-01-13 16:36:39 UTC ---

We got help from Yadan Pei and figured out a solution of this issue. On the latest OCP 4.3 and normal user can see installed operators and create custom resources such as SMCP/SMMR by the following steps:

Login as normal user.
Click on Administrator -> click on Developer -> click +Add -> From Catalog -> Installed Operators

here you can see custom resources your operator had defined, user can create instance of SMCP/SMMR

So this is an OCP 4.3 UI change . We can close this issue now.

--- Additional comment from  on 2020-01-14 14:39:59 UTC ---

Lets reopen, you were correct to begin with.  This is a bug, but you happened to find a workaround.  We still expect the admin side of the console to be usable by non-admin devs, so long as RBAC allows visibility of the resource/page.

--- Additional comment from  on 2020-01-14 14:40:49 UTC ---

Setting to 4.4 & cloning back to 4.3.z.

Comment 1 Yuanlin Xu 2020-01-14 20:32:51 UTC
Steps to Reproduce:
1. Create a normal user e.g. qe1 , without cluster-admin privilege (step above in the end of description)
2. Log in to OCP 4.3 cluster as a user with cluster-admin permission
3. Install an operator such as "Red Hat OpenShift Service Mesh" from OperatorHub
4. Logout

(This step in description need to be updated) 5. Log in to OCP 4.3 cluster console as a normal user --> 5. Log in to OCP 4.3 cluster console as a normal user and create a project.
6. Navigate to left side "Operators --> Installed Operators"

Comment 2 bpeterse 2020-01-29 21:46:42 UTC
*** Bug 1790925 has been marked as a duplicate of this bug. ***

Comment 4 shahan 2020-02-06 04:34:09 UTC
 
1. normal user without any projects login to console, and visit Operators -> Installed Operators, it shows correct message indicating no operators found
2. normal user create a project, admin user subscribe one operator to this namespace, wait until operator is successfully installed
3. then normal user view custom resources on Operators -> Installed Operators page, we can see etcd Operator is listed on the page, normal user can create etcd Cluster, etcd Backup, etcd Restore successfully


Verified on 4.3.0-0.nightly-2020-02-05-220314

Comment 6 Yuanlin Xu 2020-02-18 15:43:00 UTC
I verified this issue has been fixed in OCP 4.3.2 build from Service Mesh side.

Comment 7 errata-xmlrpc 2020-02-19 05:39:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0492


Note You need to log in before you can comment on or make changes to this bug.