Created attachment 1813328: 'value' of undefined

Description of problem:
Regular user cannot create VM because of an unclear error "Cannot read property 'value' of undefined". But it works in customize wizard.

Version-Release number of selected component (if applicable):
master

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
The problem is that a normal user cannot read storageProfile settings. Moving this to high as it blocks VM creation and needs a backport to 4.9.z.
Normal users could not load storageProfile settings in the PVC upload form either.
The current fix is disabling the optimized storageProfile settings so the page can load properly, but it means normal users cannot benefit from the optimized storageProfile settings. I think we need to work out a better solution for a normal user (project admin) to read the optimized storageProfile value. @Kobi, what do you think?
> but it means normal user could not benefit from the optimized storageProfile settings.

Yes, I agree. Moving to storage team.

Hi, in the UI we want to let the user know what the storage profile is suggesting for a specific storage class. Can we make the storage profile readable to project admins? Adding something like:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storage-profile-reader
  labels:
    # Aggregates these rules into the built-in "admin" ClusterRole
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  # RBAC matches the API group name without a version and the lowercase plural resource name
  - apiGroups: ["cdi.kubevirt.io"]
    resources: ["storageprofiles"]
    verbs: ["watch", "list", "get"]
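Added example (not part of the bug thread or of CDI's code): a simplified model of Kubernetes RBAC rule matching, used to check that a read-only StorageProfile rule grants get/list/watch and no write verbs, and that a rule written with a versioned group and the Kind name matches nothing. The function names and rule sets are constructed for illustration; subresources, resourceNames and nonResourceURLs are not modelled.

```python
# Simplified model of Kubernetes RBAC rule matching (added example).
# Not modelled: subresources, resourceNames, nonResourceURLs.

def rule_allows(rule, verb, group, resource):
    """True if one PolicyRule covers the request; string comparison is exact."""
    def has(values, wanted):
        return "*" in values or wanted in values
    return (has(rule["verbs"], verb)
            and has(rule["apiGroups"], group)
            and has(rule["resources"], resource))

def allowed(rules, verb, group, resource):
    """RBAC is additive: a request is allowed if any rule covers it."""
    return any(rule_allows(r, verb, group, resource) for r in rules)

# Constructed rule sets (hypothetical, for this example only).
READER = [{"apiGroups": ["cdi.kubevirt.io"],
           "resources": ["storageprofiles"],
           "verbs": ["get", "list", "watch"]}]
# Versioned group and Kind name: neither string matches a real request.
VERSIONED_KIND = [{"apiGroups": ["cdi.kubevirt.io/v1beta1"],
                   "resources": ["StorageProfile"],
                   "verbs": ["get", "list", "watch"]}]

READ = ("get", "list", "watch")
WRITE = ("create", "update", "patch", "delete", "deletecollection")

def audit(rules, group="cdi.kubevirt.io", resource="storageprofiles"):
    """Return the verbs the rules grant on the resource, split read/write."""
    granted = [v for v in READ + WRITE if allowed(rules, v, group, resource)]
    return {"read": [v for v in granted if v in READ],
            "write": [v for v in granted if v in WRITE]}

if __name__ == "__main__":
    for name, rules in (("reader", READER), ("versioned/Kind", VERSIONED_KIND)):
        print(name, audit(rules))
```

On a live cluster the equivalent check is `kubectl auth can-i list storageprofiles.cdi.kubevirt.io --as <user>`, where `<user>` is a placeholder for the project admin account.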
Lowering severity because 4.9.z has a workaround. Bartosz, what do you think about this RBAC?
Yes, we should update our ClusterRoles. I'll take a look and propose a PR to CDI.
@yzamir which accounts or roles are used by the UI to access this information?
A PR to add RBAC rules has been posted. I assume we can change the workaround done here: https://github.com/openshift/console/pull/10408 when the new Rules are available.
> @yzamir which accounts or roles are used by UI to access this information?

The role is project admin, e.g. the user that admins one project.
This bug is quite severe: a non-priv user cannot really enjoy our StorageProfiles feature without extra help, and they may not even know that they are missing something. Raising to High even though well-informed cluster admins can grant them.
CDI change merged, ready for testing
It was merged for main, but to target 4.9.2 it needs to be backported, which is still in progress.
The backport was merged: https://github.com/kubevirt/containerized-data-importer/pull/2041 It should now be available in new 4.9.2 builds.
Verified on CNV-v4.9.2-11 + OCP-4.9.11, regular user can create VM successfully.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.9.2 Images security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0191