Bug 1984954 - Normal user cannot create VM because it cannot access v2v-vmware configmap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Console Kubevirt Plugin
Version: 4.8
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.9.0
Assignee: Matan Schatzman
QA Contact: Guohua Ouyang
URL:
Whiteboard:
Depends On:
Blocks: 1998692
Reported: 2021-07-22 14:16 UTC by YaoJinbo
Modified: 2023-09-15 01:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1998692 (view as bug list)
Environment:
Last Closed: 2021-10-18 17:40:51 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
normal user cannot access v2v-vmware configmap (140.18 KB, image/png)
2021-07-23 02:08 UTC, Guohua Ouyang


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 9704 0 None None None 2021-08-03 09:20:55 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:41:03 UTC

Comment 1 Yaacov Zamir 2021-07-22 14:24:29 UTC
Hi, I'm missing some information about the permissions of the user (mainly whether they actually have permission to see virtual machines in this namespace; if they don't, "access denied" seems an OK error):
Do you have view permissions to list virtual machines on all namespaces?
What happens if you try to view pods on restricted namespaces?
If you don't have access to all namespaces, what happens if you try to view virtual machines on a namespace you do have view permissions on?

Comment 2 Guohua Ouyang 2021-07-23 02:08:18 UTC
Created attachment 1804716
normal user cannot access v2v-vmware configmap

Hi Kobi,
The actual error is that a normal user cannot access the v2v-vmware configmap in ns "kubevirt-hyperconverged".

Error on wizard:
configmaps "v2v-vmware" is forbidden: User "test" cannot get resource "configmaps" in API group "" in the namespace "kubevirt-hyperconverged"

There are two problems here now:
1. The namespace should be "openshift-cnv", not "kubevirt-hyperconverged".
2. A normal user cannot access the configmap in "openshift-cnv"; it shows this error on the command line as well. I think this is caused by the fix for bug https://bugzilla.redhat.com/show_bug.cgi?id=1942839, as Windows VMs need to read data from the v2v-vmware configmap; it prevents normal users from using the wizard.

$ oc login -u test -p test

$ oc get cm -n openshift-cnv
Error from server (Forbidden): configmaps is forbidden: User "test" cannot list resource "configmaps" in API group "" in the namespace "openshift-cnv"

Workaround:
Grant the normal user access to project 'openshift-cnv'.
$ oc adm policy add-role-to-user view test -n openshift-cnv

After that, the normal user is able to use the wizard and create the VM.
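
A narrower alternative to the workaround in comment 2, as an added example that is not part of the bug report and is not the fix shipped in the erratum: instead of granting `view` on all of "openshift-cnv", bind the user to a Role that allows only `get` on the one configmap named in the error. The object names `v2v-vmware-reader` and `v2v-vmware-reader-test` are hypothetical, and the manifest assumes the wizard needs nothing beyond `get` on that configmap, as the quoted error suggests.

```yaml
# Added example: least-privilege variant of the "view" workaround.
# Assumption: the wizard only needs "get" on the single configmap from the error.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: v2v-vmware-reader          # hypothetical name
  namespace: openshift-cnv
rules:
  - apiGroups: [""]                # core API group, as in the error message
    resources: ["configmaps"]
    resourceNames: ["v2v-vmware"]  # restrict to this one object
    verbs: ["get"]                 # no list/watch: other configmaps stay hidden
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: v2v-vmware-reader-test     # hypothetical name
  namespace: openshift-cnv
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: test                     # the normal user from comment 2
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: v2v-vmware-reader
```

After a cluster admin applies this, `oc auth can-i get configmap/v2v-vmware -n openshift-cnv --as=test` should answer yes, while `oc get cm -n openshift-cnv` as that user remains forbidden because `list` is not granted.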

Comment 3 Yaacov Zamir 2021-08-02 10:04:11 UTC
Not a blocker, because it has a workaround; moving severity to high because this affects any non-admin user.

Comment 7 errata-xmlrpc 2021-10-18 17:40:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

Comment 8 Red Hat Bugzilla 2023-09-15 01:11:55 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.