Bug 2005232
| Summary: | Pods list page should only show Create Pod button to user has sufficient permission | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Yadan Pei <yapei> |
| Component: | Management Console | Assignee: | Yadan Pei <yapei> |
| Status: | CLOSED ERRATA | QA Contact: | Yadan Pei <yapei> |
| Severity: | low | Docs Contact: | Olivia Payne <opayne> |
| Priority: | unspecified | ||
| Version: | 4.10 | CC: | aos-bugs, cajieh, jhadvig, oarribas, opayne, spadgett, yapei |
| Target Milestone: | --- | Keywords: | Regression |
| Target Release: | 4.13.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
* Previously, user permissions were not checked when rendering the *Create Pod* button, and the button rendered for users without needed permissions. With this update, user permissions are checked when rendering the *Create Pod* button, and it renders for users with the needed permissions. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2005232[*BZ#2005232*])
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-17 22:46:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Attachments: | |||
Created attachment 1823744
project viewer can NOT see 'Create Deployment' button

Also when a fresh new user logs into console and navigates to Workloads -> Pods page, we can see an error message 'pods is forbidden: User "yapei2" cannot list resource "pods" in API group "" at the cluster scope', this is quite different from the getting started experience with other workloads list page, not sure if they are the same issue

Created attachment 1823745
new user navigate to workloads -> pods page

Created attachment 1823746
new user navigate to workloads -> deploymentconfigs page

@Yadan both issues should be fixed by the PR.

Hi Jakub, The issue still can be reproduced on 4.10.0-0.nightly-2021-11-29-191648

This issue - “project viewer is able to see a 'Create Pod' button on Pods list page while the creation will fail finally due to less permission” is fixed. For the other issue - “error message 'pods is forbidden:..” in the comment above, it seems it would require a change in a common component - VirtualizationTable, so I will open a tech debt story to address it.

Hi @cajieh could you please let me know where is the new fix PR?

@yapei Here is the PR - https://github.com/openshift/console/pull/11999

The same issue is in PDB listpage. I have opened a bug to address it - https://issues.redhat.com/browse/OCPBUGS-1479

Hi @cajieh the fix PR #11999 is still open and it is targeted to 'master' branch, so I assume it would be fixed first on 4.12, so we may need set 'Target Release' to 4.12, the bug will be moved to ON_QA after PR is merged so that QE can verify

Created attachment 1933540
viewer not able to see Create Pod button
1. normal user has a project yapei1-project
2. grant user 'ui1' view permission on yapei1-project
3. user 'ui1' login and navigate to Workloads -> Pods list page, he is not able to see 'Create Pod' button
the reported issue has been fixed, verified on 4.13.0-0.nightly-2022-12-18-143426

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2023:1326

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |

Created attachment 1823743
project viewer can see 'Create Pod' button

Description of problem:
project viewer is able to see a 'Create Pod' button on Pods list page while the creation will fail finally due to less permission, in this way console should not show a 'Create Pod' button for project viewer, other resources list page doesn’t have the issue

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-09-16-212009

How reproducible:
Always

Steps to Reproduce:
1. normal user has a project and workloads
    # oc get all -n yapei1-project
    NAME                          READY   STATUS    RESTARTS   AGE
    pod/example-787f749bb-czkms   1/1     Running   0          79s
    pod/example-787f749bb-m7wxt   1/1     Running   0          79s
    pod/example-787f749bb-mw8jv   1/1     Running   0          79s
    NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/example   3/3     3            3           79s
    NAME                                DESIRED   CURRENT   READY   AGE
    replicaset.apps/example-787f749bb   3         3         3       79s
2. grant another user with view access to user project 'yapei1-project'
    # oc adm policy add-role-to-user view uiauto1 -n yapei1-project
    clusterrole.rbac.authorization.k8s.io/view added: "uiauto1"
3. login with user 'uiauto1' and check the permissions on Pods list page

Actual results:
3. project viewer 'uiauto1' can see pods list successfully, at the same time console also shows a 'Create Pod' button while the creation will finally fail if project viewer tries to create a pod

Expected results:
3. console should not show 'Create Pod' button for a project viewer

Additional info:
For comparison: we don't show resource creation button ('Create xxx' button) on other workloads list page for a project viewer, such as Deployments, DeploymentConfigs list etc
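
The check this report asks for, as an added example (not code from the OpenShift console): before rendering, the list page asks whether the current user may create pods, in the shape of a Kubernetes SelfSubjectAccessReview, and shows the button only when `status.allowed` is true. The rule sets and the `evaluate` stand-in for the API server are constructed for illustration; `yapei1-project` is the namespace from the report.

```javascript
// Added example. VIEWER_RULES is a constructed subset of what a project
// viewer is granted in one namespace, not the full `view` ClusterRole.
const VIEWER_RULES = [
  { namespace: 'yapei1-project', apiGroups: [''], resources: ['pods'],
    verbs: ['get', 'list', 'watch'] },
];
// Constructed rule for the project's owner, who may also create pods.
const OWNER_RULES = [
  { namespace: 'yapei1-project', apiGroups: [''], resources: ['pods'],
    verbs: ['*'] },
];

// Body of the SelfSubjectAccessReview that asks the API server:
// "may the current user <verb> <resource> in <namespace>?"
// An empty namespace means the question is asked at cluster scope.
function buildAccessReview(namespace, resource, verb, group = '') {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: { namespace, group, resource, verb } },
  };
}

// Hypothetical stand-in for the API server: fills in status.allowed by
// matching the request against namespaced rules.
function evaluate(review, rules) {
  const attrs = review.spec.resourceAttributes;
  const has = (list, value) => list.includes('*') || list.includes(value);
  const allowed = rules.some((rule) =>
    rule.namespace === attrs.namespace &&
    has(rule.apiGroups, attrs.group) &&
    has(rule.resources, attrs.resource) &&
    has(rule.verbs, attrs.verb));
  return { ...review, status: { allowed } };
}

// What the Pods list page should decide before rendering.
function podsListPage(namespace, rules) {
  const can = (verb) =>
    evaluate(buildAccessReview(namespace, 'pods', verb), rules).status.allowed;
  return { canList: can('list'), showCreateButton: can('create') };
}

console.log(podsListPage('yapei1-project', VIEWER_RULES));
console.log(podsListPage('yapei1-project', OWNER_RULES));
console.log(podsListPage('', VIEWER_RULES)); // cluster scope, no project selected
```

Gating the button is a usability fix only: the API server remains the enforcement point, which is why the viewer's create attempt failed even while the button was shown.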