Bug 2056421 - non-privileged user cannot add disk as it cannot update resource "virtualmachines/addvolume"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.10.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: urgent
Target Milestone: ---
Target Release: 4.10.1
Assignee: Alexander Wels
QA Contact: Natalie Gavrielov
Docs Contact: Olivia Payne
URL:
Whiteboard: release note
Depends On:
Blocks: 2072014
Reported: 2022-02-21 07:27 UTC by Guohua Ouyang
Modified: 2022-05-18 20:27 UTC

Fixed In Version: CNV v4.10.1-85
Doc Type: Known Issue
Doc Text:
* Currently, non-privileged users cannot add disks to a virtual machine due to role-based access control (RBAC) rules. Non-privileged users will get an RBAC error when they try to add disks because they cannot update the `virtualmachines/addvolume` resource in the `subresources.kubevirt.io` API group in the `test` namespace. As a workaround, manually add the RBAC rule to allow specific users to add disks. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2056421[*BZ#2056421*])
Clone Of:
Clones: 2072014
Environment:
Last Closed: 2022-05-18 20:27:03 UTC
Target Upstream Version:
Embargoed:


Attachments
error on add disk modal (199.06 KB, image/png)
2022-02-21 07:27 UTC, Guohua Ouyang


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | kubevirt kubevirt pull 7500 | 0 | None | Merged | Set RBAC for VM/addvolume and VM/removevolume | 2022-04-14 15:52:06 UTC
Github | kubevirt kubevirt pull 7514 | 0 | None | Merged | [release-0.49] Set RBAC for VM/addvolume and VM/removevolume | 2022-04-18 14:05:10 UTC
Github | kubevirt kubevirt pull 7586 | 0 | None | Merged | Fix typo in permissions, was missing (s) in virtualmachines | 2022-04-22 07:23:15 UTC
Github | kubevirt kubevirt pull 7587 | 0 | None | Merged | [release-0.49] Fix typo in permissions, was missing (s) in virtualmachines | 2022-04-22 07:24:18 UTC
Red Hat Product Errata | RHSA-2022:4668 | 0 | None | None | None | 2022-05-18 20:27:23 UTC

Description Guohua Ouyang 2022-02-21 07:27:01 UTC
Created attachment 1862315 [details]
error on add disk modal

Description of problem:
Login with a non-privileged user, create a VM, and try to add a disk, an error shows:
user "test" cannot update resource "virtualmachines/addvolume" in API group "subresources.kubevirt.io" in the namespace "test"

Version-Release number of selected component (if applicable):
4.10-rc2

How reproducible:


Steps to Reproduce:
1. Log in with a non-privileged user
2. Create a VM and add a disk to the VM
3.

Actual results:
error shows while adding disk

Expected results:
disk is added properly

Additional info:

Comment 1 Guohua Ouyang 2022-03-02 04:27:44 UTC
the problem does not exist on CNV-v4.10.0-696 + 4.10.0-rc.6

Comment 2 Guohua Ouyang 2022-03-03 06:43:31 UTC
(In reply to Guohua Ouyang from comment #1)
> the problem does not exist on CNV-v4.10.0-696 + 4.10.0-rc.6

please ignore this.

Comment 3 Yaacov Zamir 2022-03-09 08:55:50 UTC
Stu hi,

moving to virtualization because API endpoint is under virtualization, please move to correct component if needed

Description:
Users that are allowed to create and edit a vm in some namespace are blocked when trying to add a volume:
http://kubevirt.io/api-reference/main/operations.html#_v1vmi-addvolume

Is this "as designed" and we don't want them to use this API call?
Does this RBAC rule need to be updated?

What component sets the RBAC rules?

Comment 4 sgott 2022-03-09 13:19:31 UTC
Adam, I'm moving this BZ to the Storage component. While the endpoint is in the KubeVirt codebase, we think the storage team might have better visibility into what needs to be done here. It's not clear from the workflow this BZ went through if the issue still exists.

Please feel free to move this back to virt if you think that's a better fit.

Comment 5 ctomasko 2022-03-15 22:03:48 UTC
Known issue release note added to OpenShift 4.10

A non-privileged user cannot add disks to a VM due to RBAC rules.

As a workaround, manually add the RBAC rule to allow specific users to add disks. (BZ#2056421)

https://github.com/openshift/openshift-docs/pull/42530
https://deploy-preview-42530--osdocs.netlify.app/openshift-enterprise/latest/virt/virt-4-10-release-notes#virt-4-10-known-issues

Future link: After the OpenShift Virtualization 4.10 releases, you can find the release notes here: https://docs.openshift.com/container-platform/4.10/virt/virt-4-10-release-notes.html
or on the portal,
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10
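
The release note above mentions the workaround but this page never shows the rule itself. One way to write it, as an added example that is not taken from Red Hat's documentation or the KubeVirt pull requests: a namespaced Role and RoleBinding that grant `update` on the subresource named in the error message. The object names are hypothetical; the user `test` and namespace `test` come from the error message, and `virtualmachines/removevolume` with the `update` verb is an assumption based on the title of pull 7500.

```yaml
# Added example (not from the bug report): grant one user the hotplug
# subresources in one namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vm-hotplug-volume          # hypothetical name
  namespace: test                  # namespace from the error message
rules:
  - apiGroups:
      - subresources.kubevirt.io   # API group from the error message
    resources:
      # Subresources must be listed explicitly as <resource>/<subresource>;
      # a rule on "virtualmachines" alone does not cover them.
      # The resource is plural: pulls 7586/7587 fixed a missing "s" here.
      - virtualmachines/addvolume
      - virtualmachines/removevolume   # assumption, from the title of pull 7500
    verbs:
      - update                     # verb from the error message
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vm-hotplug-volume-test     # hypothetical name
  namespace: test
subjects:
  - kind: User
    name: test                     # user from the error message
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: vm-hotplug-volume
  apiGroup: rbac.authorization.k8s.io
```

Scoping the grant to a Role in a single namespace and a named user keeps it to the "specific users" the release note describes. Both objects can be deleted once the cluster runs the fixed version listed on this page (CNV v4.10.1-85).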

Comment 10 Yan Du 2022-04-25 07:16:02 UTC
Tested on CNV v4.10.1-88, issue has been fixed.

$ oc whoami
test
$ virtctl addvolume fedora-1619697674-6212 --volume-name=blank-dv --persist
Successfully submitted add volume request to VM fedora-1619697674-6212 for volume blank-dv

Comment 16 errata-xmlrpc 2022-05-18 20:27:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.10.1 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4668

