Bug 1857843 - Cluster upgrade notifications have no RBAC checks
Summary: Cluster upgrade notifications have no RBAC checks
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Robb Hamilton
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1877083
Reported: 2020-07-16 16:26 UTC by Samuel Padgett
Modified: 2020-10-27 16:15 UTC (History)
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1877083
Environment:
Version: 4.6.0-0.ci-2020-07-16-091855 Cluster ID: 818a2c63-5921-4991-96ea-0e983fb26e17 Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Last Closed: 2020-10-27 16:15:14 UTC
Target Upstream Version:


Attachments
Verification screenshot (109.82 KB, image/png), 2020-07-28 06:21 UTC, XiaochuanWang
user without RBAC could not see the clusterversion by url which is hidden from menu (29.88 KB, image/png), 2020-09-09 01:40 UTC, XiaochuanWang
hidden menu (40.23 KB, image/png), 2020-09-09 01:41 UTC, XiaochuanWang
user has edit permission could see the Edit button (51.73 KB, image/png), 2020-09-09 01:49 UTC, XiaochuanWang


Links
Github openshift console pull 6036 (closed): Bug 1857843: add RBAC checks to cluster upgrade notifications, last updated 2020-10-07 21:11:01 UTC
Red Hat Product Errata RHBA-2020:4196, last updated 2020-10-27 16:15:45 UTC

Description Samuel Padgett 2020-07-16 16:26:03 UTC
Currently we show cluster upgrades to anyone who can get the ClusterVersion resource. We don't check if the user is actually able to edit the ClusterVersion to start an upgrade. We should avoid showing the notification to users who can't act on it.

For users who are unable to patch the ClusterVersion resource, we should

1. Hide the upgrade notification in the notification drawer, home -> status page, and about dialog
2. Remove the edit channel and start upgrade buttons from the cluster settings page
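The check the description asks for, as an added example that is not the console's own code: a SelfSubjectAccessReview (authorization.k8s.io/v1) for `get` and `patch` on the ClusterVersion object decides which parts of the upgrade UI a user may see. The resource coordinates are real; the user names and the FAKE_AUTHZ table are constructed stand-ins for the API server's answer.

```typescript
// Added example, not code from openshift/console: gate the upgrade UI on a
// SelfSubjectAccessReview (authorization.k8s.io/v1) for the ClusterVersion object.
type Verb = "get" | "patch";
interface SelfSubjectAccessReview {
  apiVersion: "authorization.k8s.io/v1";
  kind: "SelfSubjectAccessReview";
  spec: { resourceAttributes: { group: string; resource: string; verb: Verb; name?: string } };
}
// ClusterVersion is cluster-scoped; the singleton object is named "version".
function clusterVersionAccessReview(verb: Verb): SelfSubjectAccessReview {
  return {
    apiVersion: "authorization.k8s.io/v1",
    kind: "SelfSubjectAccessReview",
    spec: { resourceAttributes: { group: "config.openshift.io", resource: "clusterversions", verb, name: "version" } },
  };
}

interface UpgradeUiState {
  showClusterSettings: boolean;     // the page itself: needs get
  showUpgradeNotification: boolean; // drawer, status page, about dialog: needs patch
  showEditChannelButton: boolean;   // needs patch
  showStartUpgradeButton: boolean;  // needs patch
}

// Reading gates the page; patching gates every control that starts or changes an upgrade.
function upgradeUiState(canGet: boolean, canPatch: boolean): UpgradeUiState {
  const canAct = canGet && canPatch;
  return {
    showClusterSettings: canGet,
    showUpgradeNotification: canAct,
    showEditChannelButton: canAct,
    showStartUpgradeButton: canAct,
  };
}

// Constructed stand-in for the API server's status.allowed answer, keyed by a
// hypothetical user name; a real client would POST the review and read the status.
const FAKE_AUTHZ: Record<string, Verb[]> = {
  "no-access": [],
  "cluster-reader": ["get"],
  "cluster-admin": ["get", "patch"],
};
function reviewAllowed(user: string, verb: Verb): boolean {
  const attrs = clusterVersionAccessReview(verb).spec.resourceAttributes;
  const allowed = FAKE_AUTHZ[user] || [];
  return attrs.resource === "clusterversions" && allowed.indexOf(attrs.verb) >= 0;
}
function upgradeUiFor(user: string): UpgradeUiState {
  return upgradeUiState(reviewAllowed(user, "get"), reviewAllowed(user, "patch"));
}
```

The three hypothetical users mirror the cases checked during verification: no access, cluster-reader, and a user allowed to patch ClusterVersion.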

Comment 3 XiaochuanWang 2020-07-28 06:21:26 UTC
Created attachment 1702608 [details]
Verification screenshot

Comment 4 XiaochuanWang 2020-07-28 06:28:14 UTC
Checked with a cluster-reader user; as in the attached screenshot, RBAC works now.
Verified on 4.6.0-0.nightly-2020-07-25-091217

Comment 6 XiaochuanWang 2020-09-09 01:40:59 UTC
Created attachment 1714197 [details]
user without RBAC could not see the clusterversion by url which is hidden from menu

Comment 7 XiaochuanWang 2020-09-09 01:41:52 UTC
Created attachment 1714198 [details]
hidden menu

Comment 8 XiaochuanWang 2020-09-09 01:49:51 UTC
Created attachment 1714199 [details]
user has edit permission could see the Edit button

Comment 9 XiaochuanWang 2020-09-09 01:50:28 UTC
The user with only cluster-reader RBAC visits the Cluster Settings page and sees the clusterversion, but could not see the Edit button. This was verified as in comment 4.

The user without cluster-reader RBAC could not see the menus and will get a Restricted Access error message if visiting directly by URL. Attached the screenshot for comparison.

The user with ClusterVersion edit RBAC permission could see the Edit button on the Cluster Versions page. Also attached the screenshot for comparison.

Comment 11 errata-xmlrpc 2020-10-27 16:15:14 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

