Description of problem:
- The Object Bucket Claim is not Visible on the OCP console although the OBC is visible on CLI with the same user.

Version-Release number of selected component (if applicable):
Prior to OCP v4.8

How reproducible:
- Create a user in the cluster
- Add admin role to the user of a namespace.
- Verify the access to resources from CLI and Console.

Steps to Reproduce:
1. Create a user and a project
2. Add admin role to this user of the project
3. Verify the access of OBC from CLI and Console.

Actual results:
- The user is not able to see the OBC resource from the Console.

Expected results:
- The user should be able to see the OBC from Console if it can create/list OBC from CLI.

Additional info:
In the next comments.

@prpandey @skatiyar Any reason there are cephcluster and storagecluster permissions in the example role? We can provide a role for accessing bucket-classes, but if other non-noobaa permissions are required then I don't think this role should be created by noobaa.

Hi,

Tested with the following builds:
OCP: 4.10.0-0.nightly-2022-02-16-171622
ODF: 4.10.0-156

Steps performed for validation of the fix:
(a) Created a user named "tom" and project "test".
(b) Added admin role to this user of the project.
(c) Validated the access of OBC from CLI and Console.

OBSERVATIONS:
(a) The role "mcg-operator.v4.10.0-noobaa-odf-ui-dc8bf97cd" was automatically created by noobaa.
(b) After passing the rolebinding.yaml as mentioned below, the OBC section was present under Storage in UI.

    [root@localhost mcg-3]# cat RoleBinding.yaml
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: ui-roles-binding
      namespace: openshift-storage
    subjects:
      - kind: User
        apiGroup: rbac.authorization.k8s.io
        # Change this to the user who requires to access OBC page
        name: tom
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: mcg-operator.v4.10.0-noobaa-odf-ui-dc8bf97cd

(c) User was able to create and list OBC in UI under cli as well.

    [root@localhost mcg-3]# oc get obc -n test
    NAME             STORAGE-CLASS                 PHASE   AGE
    my-test-bucket   openshift-storage.noobaa.io   Bound   3m31s

Screenshots of the observations are mentioned here: "https://docs.google.com/document/d/1pWRjjwGkcgq-8p_tDgwKCGPMIrM7CVp8nA2Xe0sbUSY/edit?usp=sharing".

Moving this bug to verified state.

Thanks
Mugdha

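An added example, not part of the bug report or of NooBaa's code: a small audit that expands what the RoleBinding above grants to a user and flags grants outside the API groups an OBC page would be expected to need, which is the concern raised earlier about cephcluster and storagecluster permissions. The Role's rules are constructed for illustration (the bug does not list them), and `EXPECTED_GROUPS` is an assumption.

```python
# Added example: the Role rules below are constructed; the page does not list them.
ROLE_BINDING = {  # mirrors the RoleBinding.yaml shown in the comment above
    "kind": "RoleBinding",
    "metadata": {"name": "ui-roles-binding", "namespace": "openshift-storage"},
    "subjects": [{"kind": "User", "apiGroup": "rbac.authorization.k8s.io", "name": "tom"}],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                "name": "mcg-operator.v4.10.0-noobaa-odf-ui-dc8bf97cd"},
}
ROLE = {  # constructed rules, for illustration only
    "kind": "Role",
    "metadata": {"name": "mcg-operator.v4.10.0-noobaa-odf-ui-dc8bf97cd",
                 "namespace": "openshift-storage"},
    "rules": [
        {"apiGroups": ["noobaa.io"], "resources": ["bucketclasses", "noobaas"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["ceph.rook.io"], "resources": ["cephclusters"],
         "verbs": ["get", "list", "watch"]},
    ],
}
EXPECTED_GROUPS = {"noobaa.io", "objectbucket.io"}  # assumption: groups an OBC UI needs

def binding_targets(binding, role):
    """True when the binding's roleRef resolves to this Role in the same namespace."""
    ref = binding["roleRef"]
    return (ref["kind"] == role["kind"] and ref["name"] == role["metadata"]["name"]
            and binding["metadata"]["namespace"] == role["metadata"]["namespace"])

def grants_for(user, binding, role):
    """Expand the rules into (apiGroup, resource, verb) tuples granted to `user`."""
    if not binding_targets(binding, role):
        return set()
    if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
        return set()
    return {(g, r, v) for rule in role["rules"] for g in rule["apiGroups"]
            for r in rule["resources"] for v in rule["verbs"]}

def unexpected_grants(grants, expected_groups):
    """Grants outside the expected API groups; a wildcard group always counts."""
    return sorted(t for t in grants if t[0] == "*" or t[0] not in expected_groups)

if __name__ == "__main__":
    grants = grants_for("tom", ROLE_BINDING, ROLE)
    for group, resource, verb in unexpected_grants(grants, EXPECTED_GROUPS):
        print(f"review: {verb} {resource}.{group} in openshift-storage")
```

On a live cluster, the same dictionaries can be loaded from `oc get role` and `oc get rolebinding` with `-o json` in place of the constructed data.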
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:1372
Hi @prpandey, @musoni, @skatiyar

While automating this BZ I came across the observation below. I created a user using the htpasswd method and logged in as the newly created user. Here I observed that in the Storage dropdown I am able to see the OBC option without giving admin access to the user. Is this expected behavior?

Hi,

I have tested it many times, one more time just now on:
OCP: 4.11.0-0.nightly-2022-08-15-152346
ODF: 4.11 (latest)

I can only see the OBC option after creating a RoleBinding. Not sure why you are seeing it without that. But, assuming that it is present, this should not be an issue IMO.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days