Bug 1881872 - The regular user should not see volume snapshot content from UI
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Console Storage Plugin
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Release: 4.6.0
Assignee: Bipul Adhikari
QA Contact: Neha Berry
Reported: 2020-09-23 09:25 UTC by Qin Ping
Modified: 2020-10-27 16:44 UTC (History)
Last Closed: 2020-10-27 16:44:06 UTC
Attachments
Verification screenshot (107.62 KB, image/png), 2020-09-25 12:53 UTC, Neha Berry


Links
Github openshift console pull 6729: closed, "Bug 1881872: Add SSAR checks for Volume Snapshot Content" (last updated 2020-10-14 12:38:28 UTC)
Red Hat Product Errata RHBA-2020:4196 (last updated 2020-10-27 16:44:25 UTC)

Description Qin Ping 2020-09-23 09:25:02 UTC
Description of Problem:
The regular user should not see volume snapshot content from UI

Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-09-20-184226

How Reproducible:
Always

Steps to Reproduce:
1. Install an OCP4.6 cluster.
2. Log into the web console as a regular user, not kubeadmin
3. Check Storage/Volume Snapshots Content page

Actual Results:
The regular user doesn't have access rights for volumesnapshotcontent, so the volume snapshot content page should be hidden for the regular user just like the Persistent Volume.


$ oc get volumesnapshotcontent
Error from server (Forbidden): volumesnapshotcontents.snapshot.storage.k8s.io is forbidden: User "testuser-0" cannot list resource "volumesnapshotcontents" in API group "snapshot.storage.k8s.io" at the cluster scope


Expected Results:
The regular user should not see volume snapshot content from the web console. The Volume Snapshot Contents menu should be hidden for the regular user.

Comment 1 Jakub Hadvig 2020-09-23 10:20:10 UTC
Moving to the DevConsole team since they have been working on adding the Volume Snapshots Content navbar item in https://github.com/openshift/console/pull/5980

Comment 2 Jaivardhan Kumar 2020-09-23 10:55:23 UTC
This is not owned by DevConsole and should be moved to the Storage team; not sure what the right component for it is.

Comment 3 Jaivardhan Kumar 2020-09-23 10:58:34 UTC
Moved to Console Storage team

Comment 6 Neha Berry 2020-09-25 11:50:33 UTC
Moving back to ON_QA as I misunderstood the fix. Confirmed with Qin Ping and Bipul, I should not even see the VSContent in UI for the User.

Will test it again with latest builds

Comment 7 Neha Berry 2020-09-25 12:53:27 UTC
Created attachment 1716602
Verification screenshot

Verified the fix in 2 clusters (Qin Ping - 4.6.0-0.nightly-2020-09-25-085318) and 4.6.0-0.nightly-2020-09-25-070943

OCS = ocs-operator.v4.6.0-569.ci

_________________________________

Attached screencast of the UI flow. The Persistent Volume and Volume Snapshot Content are no longer listed under Storage if we have logged in as a normal user who doesn't have admin access.

_____________________________

UI
=======

1. Installed an OCP4.6 cluster.
2. Created user1 using the steps mentioned in [1]

[1] https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-htpasswd-identity-provider.html#configuring-htpasswd-identity-provider


3. Logged into the web console as regular user user1 and not kubeadmin

4. Created a new Project/PVC and snapshot

5. Checked Storage/Volume Snapshots Content page. These were not listed under the Storage tab


CLI
============

$ oc whoami
user1

$ oc get volumesnapshotcontent
Error from server (Forbidden): volumesnapshotcontents.snapshot.storage.k8s.io is forbidden: User "user1" cannot list resource "volumesnapshotcontents" in API group "snapshot.storage.k8s.io" at the cluster scope
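
The linked fix is titled "Add SSAR checks for Volume Snapshot Content". The following is an added example of that kind of check, not code from the console repository or from anyone in this thread: it builds a SelfSubjectAccessReview for each gated Storage nav item and hides the item unless the answer is an explicit allow. The nav item list, the function names and the three simulated reviewers are assumptions, and the reviewer is synchronous here so the example runs offline.

```typescript
// Added example, not OpenShift console code. Nav item list and the simulated
// API server answers are constructed for illustration.
type ResourceAttributes = { group: string; resource: string; verb: string; namespace?: string };
type NavItem = { label: string; access?: ResourceAttributes };

// Request body for POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews,
// sent with the logged-in user's own token. No namespace = cluster scope.
function buildSSAR(attrs: ResourceAttributes) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: { ...attrs } },
  };
}
type SSAR = ReturnType<typeof buildSSAR>;

// Fail closed: only an explicit status.allowed === true shows the item.
function isAllowed(response: unknown): boolean {
  const status = (response as { status?: { allowed?: unknown } } | null | undefined)?.status;
  return status?.allowed === true;
}

// Items without an `access` gate are always shown; gated items need an allow.
// A throwing reviewer (API error, timeout) hides the item rather than leaking it.
function visibleNavItems(items: NavItem[], review: (ssar: SSAR) => unknown): string[] {
  return items
    .filter((item) => {
      if (!item.access) return true;
      try {
        return isAllowed(review(buildSSAR(item.access)));
      } catch {
        return false;
      }
    })
    .map((item) => item.label);
}

const STORAGE_NAV: NavItem[] = [
  { label: 'Persistent Volumes', access: { group: '', resource: 'persistentvolumes', verb: 'list' } },
  { label: 'Persistent Volume Claims' },
  { label: 'Volume Snapshots' },
  { label: 'Volume Snapshot Contents',
    access: { group: 'snapshot.storage.k8s.io', resource: 'volumesnapshotcontents', verb: 'list' } },
];

// Constructed reviewers standing in for the API server's answer per user.
const regularUser = (_: SSAR) => ({ status: { allowed: false, reason: 'no RBAC rule matched' } });
const clusterAdmin = (_: SSAR) => ({ status: { allowed: true } });
const apiDown = (_: SSAR): unknown => { throw new Error('503'); };

console.log(visibleNavItems(STORAGE_NAV, regularUser));
```

Hiding the menu entry only keeps the UI consistent with RBAC; the Forbidden response from the API server shown in the CLI output above remains the actual access control.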

Comment 10 errata-xmlrpc 2020-10-27 16:44:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

