This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2081295 - openshift is not listed as available project for user that can list templates from openshift project
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: User Experience
Version: 4.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tal Nisan
QA Contact: Guohua Ouyang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-03 10:21 UTC by Yaacov Zamir
Modified: 2023-09-20 16:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-29 02:55:43 UTC
Target Upstream Version:
Embargoed:
aturgema: needinfo-


Links: Red Hat Issue Tracker CNV-17947 (last updated 2023-08-29 02:55:42 UTC)

Description Yaacov Zamir 2022-05-03 10:21:33 UTC
Description of problem:
openshift is not listed as available project for user that can list templates from openshift project

A user can list projects on this cluster;
when listing, the project "openshift" is not listed.

The same user can list templates from "openshift".

Why this is a problem:
the UI does not allow users to type project names freely; it only allows choosing one of the projects they can see.

So a user that can list templates from the "openshift" namespace will not be able to do it from the UI, because the "openshift" namespace will not be available in the project list.


```
$ oc get projects
NAME                                 DISPLAY NAME   STATUS
openshift-virtualization-os-images                  Active
test-aviv                                           Active

$ oc get templates -A
Error from server (Forbidden): templates.template.openshift.io is forbidden: User "test" cannot list resource "templates" in API group "template.openshift.io" at the cluster scope

$ oc get templates -n openshift
NAME                                            DESCRIPTION                                                                        PARAMETERS        OBJECTS
3scale-gateway                                  3scale's API
```

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. log in to a cluster as a non-privileged user
2. list all projects
3. list templates from namespace "openshift"

Actual results:
A user that can list templates in the "openshift" namespace
can't see the project "openshift" when listing projects

Expected results:
A user that can list templates in the "openshift" namespace
can see the project "openshift" when listing projects


Additional info:

Comment 1 Yaacov Zamir 2022-05-03 10:27:16 UTC
Hi,
not listing "openshift" for non-privileged users that can access resources in "openshift" (e.g. common templates) creates a UI bug

we can solve this for the UI by:
a - making the openshift namespace discoverable for non-admins (when they can list resources in it)
b - deploying common templates in another namespace, one the UI can discover.

cc:// @aturgema @tnisan

Comment 4 Yaacov Zamir 2022-05-04 17:43:27 UTC
Hi, thanks,

More information:

A. I'm using QE cluster, with a test user created using OAuth
```
apiVersion: config.openshift.io/v1
kind: OAuth
...
spec:
  identityProviders:
    - htpasswd:

```

B. test user can't list namespaces

```
$ oc get namespaces
Error from server (Forbidden): namespaces is forbidden: User "test" cannot list resource "namespaces" in API group "" at the cluster scope

$ oc get projects
NAME                                 DISPLAY NAME   STATUS
openshift-virtualization-os-images                  Active
test-2                                              Active
test-aviv                                           Active
```

Comment 6 Guohua Ouyang 2022-05-05 00:41:27 UTC
Could see this issue in all QE clusters.
What's the consequence of this problem? For a regular user, after creating its own project, the user can see common templates and is able to create a VM.

Comment 7 Oren Cohen 2022-05-06 16:09:11 UTC
Why is this a bug?
A regular (non-admin) user can list the templates under the "openshift" namespace/project, thanks to the "shared-resource-viewer" Role and RoleBinding targeting the "system:authenticated" user group, which is created in OCP by default.
Regular users are not allowed by design to list *all* of the projects in the cluster, but just the projects they own (and openshift-virtualization-os-images, for which the permission was added by SSP).
Therefore, regular users don't need "list" permission on the openshift project to list the templates under that project.

These are the default permissions for a regular user in the openshift project:
```
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - template.openshift.io
    resources:
      - templates
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreamimages
      - imagestreams
      - imagestreamtags
      - imagetags
  - verbs:
      - get
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreams/layers
  - verbs:
      - get
    apiGroups:
      - ''
    resources:
      - configmaps
```

Comment 8 Yaacov Zamir 2022-05-08 10:33:57 UTC
(In reply to Oren Cohen from comment #7)
> Why is this a bug?

a. the UI does not allow getting objects from a namespace/project that it can't list.
   When listing an object in the UI you need to choose the namespace from a dropdown list, and if the namespace you need is not listed, the UI will not let you list objects.

b. in the case of templates, our algorithm for getting "all available templates" goes like this:
   1. get all available namespaces                   (using user RBAC)
   2. try to get templates from each namespace       (using user RBAC)
   3. show users all templates found in the cluster that they can see.

   If "openshift" is not listed, we are missing all templates under that namespace.


> What's the consequence of this problem? For a regular user, after creating its own project, the user can see common templates and is able to create a VM.

we are currently using a workaround where we manually add "openshift" to the list of discovered namespaces. This is problematic for us because:
1. the UI should just rely on RBAC rules; keeping lists of special namespaces is something we would like to avoid.
2. the VM wizard works, but other parts of the UI that do not have this workaround will fail to list templates from "openshift".

Comment 9 Yaacov Zamir 2022-05-09 08:01:05 UTC
Hi, moving to Openshift config operator. I don't know which team is responsible for setting the "openshift" project RBAC rules; please move to the correct component if needed.

TL;DR:
Can we list "openshift" when a non-privileged user lists all projects they can access,
e.g. can "oc get projects" also list "openshift" if the user can access this namespace?


Summary of issue:

a non-privileged user can list templates in the "openshift" project
a non-privileged user can not see the "openshift" project when listing all projects

This is a problem for "kubevirt-console-plugin" because when searching for all templates we do:
a - get all projects
b - try to list templates from each project found in step a

If a user can access templates in a project but can't list this project, our method is broken.

We are currently adding "openshift" in a hardcoded way.

Comment 11 Standa Laznicka 2023-01-17 09:13:30 UTC
A user is allowed to have any arbitrary privileges in namespaces they don't directly control - not a platform bug.

> This is a problem for "kubevirt-console-plugin" because when searching for all templates we do:
> a - get all projects
> b - try to list templates from each project found in step a

In that case you have a bug in your console plugin. See https://github.com/openshift/openshift-apiserver/blob/5eabbaacd9c401192947c053672d71516dd3db34/pkg/project/auth/cache.go#L203-L204 for how to list user projects correctly.

Comment 12 Ugo Palatucci 2023-04-26 08:46:06 UTC
@slaznick is there a way to get namespaces that are not listed but in which there are resources?
For example, openshift is not in the list but the user has access to templates.
Can this happen with other namespaces with other resources?
How can I get those templates without knowing a priori that they are in the openshift namespace,
without putting 'special cases' in the code?

Comment 13 Standa Laznicka 2023-04-26 10:11:33 UTC
> Can this happen with other namespaces with other resources?

As I mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2081295#c11 -> A user is allowed to have any arbitrary privileges in namespaces they don't directly control

> How can I get those templates without knowing a prior that they are in the openshift namespace?

You try to list them and see if they are present? That of course only works if you know the name of the NS. There are a few platform namespaces that you can rely on existing. The rest I suppose is about conventions inside the cluster/product you're working with.
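The following is an added example, not code from this bug report or from kubevirt-console-plugin. It models the discovery procedure described in comment 8 (list projects, then list templates in each) next to the approach comment 13 points at: probe a small set of platform namespaces that are known to exist with an access review, so that "openshift" is found through the user's RBAC rather than as a hard-coded special case. The `api` object is an assumption standing in for the cluster: `listProjects()` corresponds to `oc get projects`, `canI(...)` to a SelfSubjectAccessReview (what `oc auth can-i list templates.template.openshift.io -n openshift` performs), and `listTemplates(ns)` to listing templates in one namespace; real calls are asynchronous, the fake here is synchronous to keep the example short. The cluster contents are constructed to match the report.

```javascript
// Added example (not from the bug report or kubevirt-console-plugin).
// Platform namespaces that can be relied on to exist. "openshift" is the only
// one named in the bug; anything else added here is a configuration choice.
const PLATFORM_NAMESPACES = ['openshift'];

// Naive discovery, the behaviour the bug describes: only namespaces the user
// can see as projects. A namespace reachable solely through a RoleBinding such
// as shared-resource-viewer never appears here.
function discoverByProjectsOnly(api) {
  return [...api.listProjects()].sort();
}

// RBAC-driven discovery: the project list plus every probed platform namespace
// for which an access review confirms the user may list templates. The probe
// list is data, so the template-listing code carries no special cases.
function discoverTemplateNamespaces(api, probe = PLATFORM_NAMESPACES) {
  const visible = new Set(api.listProjects());
  for (const ns of probe) {
    if (!visible.has(ns) && api.canI('list', 'template.openshift.io', 'templates', ns)) {
      visible.add(ns);
    }
  }
  return [...visible].sort();
}

// List templates in every discovered namespace. A 403 on one namespace (an
// access review is only advisory; RBAC can change between calls) skips that
// namespace instead of failing the whole search.
function listAllTemplates(api, discover = discoverTemplateNamespaces) {
  const found = [];
  for (const ns of discover(api)) {
    try {
      found.push(...api.listTemplates(ns));
    } catch (err) {
      if (err.code !== 403) throw err;
    }
  }
  return found.map((t) => `${t.namespace}/${t.name}`).sort();
}

// Constructed fake cluster (assumption) reproducing the report: user "test"
// owns two projects and can read templates in "openshift" only through the
// default shared-resource-viewer RoleBinding, so "openshift" is absent from the
// project list. "kube-system" exists but grants this user nothing.
function fakeCluster() {
  const projects = ['openshift-virtualization-os-images', 'test-aviv'];
  const templateReaders = new Set(['openshift', ...projects]);
  const templates = {
    openshift: [{ namespace: 'openshift', name: '3scale-gateway' }],
    'openshift-virtualization-os-images': [],
    'test-aviv': [{ namespace: 'test-aviv', name: 'my-vm-template' }],
    'kube-system': [{ namespace: 'kube-system', name: 'not-for-this-user' }],
  };
  const forbidden = (ns) =>
    Object.assign(new Error(`templates.template.openshift.io is forbidden in "${ns}"`), { code: 403 });
  return {
    listProjects: () => [...projects],
    canI: (verb, group, resource, ns) =>
      verb === 'list' && group === 'template.openshift.io' && resource === 'templates' && templateReaders.has(ns),
    listTemplates: (ns) => {
      if (!templateReaders.has(ns)) throw forbidden(ns);
      return templates[ns] || [];
    },
  };
}

const demoApi = fakeCluster();
console.log('projects only :', listAllTemplates(demoApi, discoverByProjectsOnly));
console.log('with can-i    :', listAllTemplates(demoApi));
```

With the project list alone, `openshift/3scale-gateway` is never found, which is exactly the UI gap the report describes; with the access-review probe it is, while a namespace the user has no rights in (here `kube-system`) is neither added by the probe nor able to break the listing.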

