+++ This bug was initially created as a clone of Bug #1795398 +++

Description of problem:
Currently the new monitoring dashboards page is bypassing the recently created endpoint.

--- Additional comment from Jakub Hadvig on 2020-01-30 11:06:44 UTC ---

Based on the discussion with Andy, I'm assigning the issue to him, since he already has a good idea of what needs to be done.

--- Additional comment from on 2020-02-07 04:35:28 UTC ---

Setting the target to 4.5 as this should not block release. It's a bug/tech debt.

--- Additional comment from Samuel Padgett on 2020-02-07 16:04:38 UTC ---

(In reply to bpeterse from comment #2)
> Setting the target to 4.5 as this should not block release. It's a bug/tech
> debt.

This one is probably a blocker because it means some users can't get the config maps. Moving back to 4.4.

We should also update to use the display names for the dashboards when we make this change.

Visiting /api/console/monitoring-dashboard-config, we can see the Grafana configmaps are returned as a JSON list.
View Monitoring -> Dashboards, and the dashboards are named with /monitoring/dashboards/grafana-dashboard-xxxxx.

Is it enough to move this bug to verified?

To verify, I'd create a user that can list/get namespaces, but can't list config maps in openshift-config-managed. The dashboards should display without errors for that user. Previously, you'd see an error.

Note that you might run into Bug 1805964, which is an unrelated problem with the Home -> Overview page.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch

$ oc adm policy add-cluster-role-to-user metrics-reader test
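
An added example (not part of the original comment or the console's code): a small Python check that a role has the permission shape this verification needs, with namespaces readable and config maps not. It matches only on verbs, apiGroups and resources with `*` wildcards and ignores resourceNames, subresources and any other bindings the user holds; the dict is a transcription of the metrics-reader role above, and the function names are hypothetical.

```python
# Transcription of the metrics-reader ClusterRole from the comment above.
METRICS_READER = {
    "kind": "ClusterRole",
    "metadata": {"name": "metrics-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def _matches(allowed, value):
    """RBAC list match: an exact entry or the '*' wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """True if one rule grants verb on resource in api_group."""
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource))


def role_allows(role, verb, api_group, resource):
    """RBAC is additive: any matching rule grants the request."""
    return any(rule_allows(r, verb, api_group, resource)
               for r in role.get("rules", []))


def check_verification_role(role):
    """Return reasons the role is unsuitable for verifying this bug."""
    problems = []
    # The test user must be able to get/list namespaces (core group "").
    for verb in ("get", "list"):
        if not role_allows(role, verb, "", "namespaces"):
            problems.append(f"missing {verb} on namespaces")
    # A cluster-wide grant on configmaps covers openshift-config-managed,
    # so the user could read the dashboards without the console endpoint.
    for verb in ("get", "list", "watch"):
        if role_allows(role, verb, "", "configmaps"):
            problems.append(f"grants {verb} on configmaps")
    return problems


if __name__ == "__main__":
    print(check_verification_role(METRICS_READER) or "role is suitable")
```
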

Created attachment 1665846
Console empty

1. Create metrics-reader cluster role and add user 'yapei' as metrics-reader

$ cat cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
$ oc create -f cluster-role.yaml
$ oc adm policy add-cluster-role-to-user metrics-reader yapei

2. User 'yapei' logs in; I still hit bug 1805964. The console is a white screen and we can see errors in the attachment.

Sam, can you help check my comment 5?
I would just edit the URL in the browser to go to the `/monitoring/dashboards` page directly after logging in. Or you could give this user permission to get/list/watch ClusterOperators and ClusterServiceVersions in all namespaces.

1. Create metrics-reader cluster role and add user 'yapei' as metrics-reader

$ cat cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
$ oc create -f cluster-role.yaml
$ oc adm policy add-cluster-role-to-user metrics-reader yapei

2. User 'yapei' logs in as a normal user and visits /monitoring/dashboards/ directly; user 'yapei' can view dashboards correctly with no errors.

# oc get cm -n openshift-config-managed
Error from server (Forbidden): configmaps is forbidden: User "yapei" cannot list resource "configmaps" in API group "" in the namespace "openshift-config-managed"

Verified on 4.4.0-0.nightly-2020-02-28-000349

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581