Bug 2005232 - Pods list page should only show Create Pod button to user has sufficient permission
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.10
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: 4.13.0
Assignee: Yadan Pei
QA Contact: Yadan Pei
Olivia Payne
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-17 07:55 UTC by Yadan Pei
Modified: 2023-09-18 04:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, user permissions were not checked when rendering the *Create Pod* button, and the button rendered for users without the needed permissions. With this update, user permissions are checked when rendering the *Create Pod* button, and it renders for users with the needed permissions. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2005232[*BZ#2005232*])
Clone Of:
Environment:
Last Closed: 2023-05-17 22:46:32 UTC
Target Upstream Version:
Embargoed:


Attachments
project viewer can see 'Create Pod' button (299.53 KB, image/png)
2021-09-17 07:55 UTC, Yadan Pei
project viewer can NOT see 'Create Deployment' button (288.29 KB, image/png)
2021-09-17 08:00 UTC, Yadan Pei
new user navigate to workloads -> pods page (361.68 KB, image/png)
2021-09-17 08:07 UTC, Yadan Pei
new user navigate to workloads -> deploymentconfigs page (330.52 KB, image/png)
2021-09-17 08:08 UTC, Yadan Pei
viewer not able to see Create Pod button (138.24 KB, image/png)
2022-12-19 03:31 UTC, Yadan Pei


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift console pull 11999 | 0 | None | open | Bug 2005232: Pods list page should only show Create Pod button to user has sufficient permission | 2022-11-09 01:01:02 UTC
Red Hat Issue Tracker | OCPBUGS-6946 | 0 | None | None | None | 2023-02-08 20:52:04 UTC
Red Hat Product Errata | RHSA-2023:1326 | 0 | None | None | None | 2023-05-17 22:46:44 UTC

Description Yadan Pei 2021-09-17 07:55:51 UTC
Created attachment 1823743 [details]
project viewer can see 'Create Pod' button

Description of problem:
project viewer is able to see a 'Create Pod' button on Pods list page while the creation will fail finally due to less permission, in this way console should not show a 'Create Pod' button for project viewer, other resources list page doesn’t have the issue

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-09-16-212009

How reproducible:
Always

Steps to Reproduce:
1. normal user has a project and workloads
# oc get all -n yapei1-project
NAME                          READY   STATUS    RESTARTS   AGE
pod/example-787f749bb-czkms   1/1     Running   0          79s
pod/example-787f749bb-m7wxt   1/1     Running   0          79s
pod/example-787f749bb-mw8jv   1/1     Running   0          79s

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/example   3/3     3            3           79s

NAME                                DESIRED   CURRENT   READY   AGE
replicaset.apps/example-787f749bb   3         3         3       79s

2. grant another user with view access to user project 'yapei1-project'
# oc adm policy add-role-to-user view uiauto1 -n yapei1-project
clusterrole.rbac.authorization.k8s.io/view added: "uiauto1"
3. login with user 'uiauto1' and check the permissions on Pods list page

Actual results:
3. project viewer 'uiauto1' can see pods list successfully, at the same time console also shows a 'Create Pod' button while the creation will finally fail if project viewer tries to create a pod

Expected results:
3. console should not show 'Create Pod' button for a project viewer

Additional info:
For comparison: we don't show a resource creation button ('Create xxx' button) on other workloads list pages for a project viewer, such as the Deployments and DeploymentConfigs lists, etc.
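
The check the report asks for, sketched as an added example (not code from the console or from the fix PR): the UI asks the API server, through a SelfSubjectAccessReview, whether the current user may create pods in the namespace, and renders the button only on an explicit allow. The role rules, bindings and function names are constructed for illustration, and evaluateReview stands in for the API server, which remains the enforcement point whether or not the button is shown.

```javascript
// Added example: gate "Create Pod" on a SelfSubjectAccessReview (authorization.k8s.io/v1).
// Constructed, simplified subset of what a read-only role grants in a namespace.
const VIEW_RULES = [
  { apiGroups: [''], resources: ['pods', 'pods/log'], verbs: ['get', 'list', 'watch'] },
  { apiGroups: ['apps'], resources: ['deployments'], verbs: ['get', 'list', 'watch'] },
];
// Constructed bindings (namespace -> user -> rules), mirroring the report's setup.
const BINDINGS = { 'yapei1-project': { uiauto1: VIEW_RULES } };

const matches = (list, value) => list.includes('*') || list.includes(value);

// Build the review a UI would POST to ask "may I <verb> <resource> in this namespace?".
function buildAccessReview(namespace, verb, group, resource) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: { namespace, verb, group, resource } },
  };
}

// Stand-in for the API server (assumption): fills in status.allowed for the user.
function evaluateReview(user, review) {
  const { namespace, verb, group, resource } = review.spec.resourceAttributes;
  const rules = (BINDINGS[namespace] || {})[user] || [];
  const allowed = rules.some(
    (r) => matches(r.apiGroups, group) && matches(r.resources, resource) && matches(r.verbs, verb)
  );
  return { ...review, status: { allowed } };
}

// Default-deny: a missing or malformed status never renders the button.
function showCreateButton(reviewResult) {
  return Boolean(reviewResult && reviewResult.status && reviewResult.status.allowed === true);
}

// What the Pods list page should decide for a given user and namespace.
function pageState(user, namespace) {
  const can = (verb) =>
    showCreateButton(evaluateReview(user, buildAccessReview(namespace, verb, '', 'pods')));
  return { canList: can('list'), showCreate: can('create') };
}

console.log(pageState('uiauto1', 'yapei1-project'));
```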

Comment 1 Yadan Pei 2021-09-17 08:00:14 UTC
Created attachment 1823744 [details]
project viewer can NOT see 'Create Deployment' button

Comment 2 Yadan Pei 2021-09-17 08:06:23 UTC
Also, when a fresh new user logs into the console and navigates to the Workloads -> Pods page, we can see an error message 'pods is forbidden: User "yapei2" cannot list resource "pods" in API group "" at the cluster scope'. This is quite different from the getting started experience with other workloads list pages; not sure if they are the same issue.

Comment 3 Yadan Pei 2021-09-17 08:07:45 UTC
Created attachment 1823745 [details]
new user navigate to workloads -> pods page

Comment 4 Yadan Pei 2021-09-17 08:08:14 UTC
Created attachment 1823746 [details]
new user navigate to workloads -> deploymentconfigs page

Comment 5 Jakub Hadvig 2021-09-20 13:41:37 UTC
@Yadan both issues should be fixed by the PR.

Comment 6 Yadan Pei 2021-11-30 02:13:17 UTC
Hi Jakub,

The issue still can be reproduced on 4.10.0-0.nightly-2021-11-29-191648

Comment 9 Cyril 2022-09-13 14:11:57 UTC
This issue - “project viewer is able to see a 'Create Pod' button on Pods list page while the creation will fail finally due to less permission” is fixed.
For the other issue - “error message 'pods is forbidden:..” in the comment above, it seems it would require a change in a common component - VirtualizationTable, so I will open a tech debt story to address it.

Comment 10 Yadan Pei 2022-09-14 07:54:57 UTC
Hi @cajieh  could you please let me know where is the new fix PR?

Comment 11 Cyril 2022-09-19 15:18:01 UTC
@yapei Here is the PR - https://github.com/openshift/console/pull/11999

Comment 12 Cyril 2022-09-19 19:57:19 UTC
The same issue is in PDB listpage. I have opened a bug to address it - https://issues.redhat.com/browse/OCPBUGS-1479

Comment 13 Yadan Pei 2022-09-21 02:27:46 UTC
Hi @cajieh the fix PR #11999 is still open and it is targeted to 'master' branch, so I assume it would be fixed first on 4.12, so we may need set 'Target Release' to 4.12, the bug will be moved to ON_QA after PR is merged so that QE can verify

Comment 16 Yadan Pei 2022-12-19 03:31:16 UTC
Created attachment 1933540 [details]
viewer not able to see Create Pod button

1. normal user has a project yapei1-project
2. grant user 'ui1' view permission on yapei1-project
3. user 'ui1' login and navigate to Workloads -> Pods list page, he is not able to see 'Create Pod' button

the reported issue has been fixed, verified on 4.13.0-0.nightly-2022-12-18-143426

Comment 19 errata-xmlrpc 2023-05-17 22:46:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:1326

Comment 20 Red Hat Bugzilla 2023-09-18 04:26:06 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

