Bug 2211841 - Regular users can't use NADs located in other namespaces in their VMs despite having permissions to access them
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: User Experience
Version: 4.13.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Tal Nisan
QA Contact: Guohua Ouyang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-02 08:11 UTC by Oren Cohen
Modified: 2023-08-02 06:27 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-02 03:24:19 UTC
Target Upstream Version:
Embargoed:


Attachments
screenshot (46.72 KB, image/png), 2023-06-02 08:11 UTC, Oren Cohen


Links
Red Hat Issue Tracker CNV-29391 (last updated 2023-06-04 23:43:28 UTC)

Description Oren Cohen 2023-06-02 08:11:46 UTC
Created attachment 1968497: screenshot

Description of problem:
If a regular user has RBAC to get/list/watch a network-attachment-definition in a namespace the user is not an admin of, the "Add network interface" modal doesn't allow the user to use that NAD in the new NIC. A red message is shown: "No NetworkAttachmentDefinitions available. Contact your system administrator for additional support."
We would expect that if such a permission is configured for a user, s/he should be able to use that NAD in their VMs residing in namespaces they're admins of.

Version-Release number of selected component (if applicable):
4.13.0, but probably happens in previous versions.

How reproducible:
100%

Steps to Reproduce:
1. create a NAD in some arbitrary namespace (e.g. default)
2. add a clusterrole with get, list, watch on that NAD, and a rolebinding in the user's namespace for this role and a regular user.
3. when logged in as the user, try to create a VM in a namespace the user is an admin of, and then try to add an additional network interface using NAD/bridge.

Actual results:
The user is not allowed to select the NAD s/he has permissions to. The drop-down list is grayed-out.

Expected results:
The user should see the NAD on the "Network" drop-down list and be able to select and use it for their VM.

Additional info:
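The RBAC from steps 1 and 2 written out, as an added example that is not part of the bug report: a ClusterRole granting get/list/watch on NetworkAttachmentDefinitions, bound by a RoleBinding placed in the namespace that holds the NAD, which is what makes the `oc --as` check described in comment 2 succeed. The NAD name `br-net`, the namespace `default`, and the user `alice` are hypothetical values chosen for the example.

```yaml
# Added example, not from the bug report. Hypothetical names: NAD "br-net"
# in namespace "default", regular user "alice" who is admin of another namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nad-reader
rules:
  - apiGroups: ["k8s.cni.cncf.io"]
    resources: ["network-attachment-definitions"]
    verbs: ["get", "list", "watch"]
    # resourceNames could narrow "get" to the single NAD "br-net", but Kubernetes
    # RBAC does not filter "list"/"watch" by resourceNames, so the namespace
    # scope comes from where the binding below is created, not from the role.
---
# RoleBinding in the NAD's namespace: the ClusterRole's verbs apply only to
# NADs in "default". A ClusterRoleBinding would grant them cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-read-default-nads
  namespace: default
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: nad-reader
  apiGroup: rbac.authorization.k8s.io
# Verification on the API side, impersonating the user as comment 2 does:
#   oc auth can-i get network-attachment-definitions -n default --as alice
#   oc get network-attachment-definitions -n default --as alice
# If both succeed, the permission is in place and the remaining gap is in the
# console's NAD lookup, which is the symptom this bug reports.
```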

Comment 1 Guohua Ouyang 2023-06-04 23:39:53 UTC
Hi Oren, did you try it via command line?
I think this is a duplicate of https://issues.redhat.com/browse/OCPBUGS-6959 and it seems the OCP team would not like to fix it.

Comment 2 Oren Cohen 2023-06-05 07:04:28 UTC
Yes, with the RBAC to the NAD in place, the regular user can get the NAD or list NADs in a namespace with oc (I verified it with the `--as` CLI option).
The fact that cluster-readers don't have access to NADs is something else. In our case the user is not a cluster reader but given a specific permission to the NAD in a different namespace he's not an admin of.

Comment 3 Guohua Ouyang 2023-08-02 03:24:19 UTC
Close the bug as the OCP team would not like to fix it in https://issues.redhat.com/browse/OCPBUGS-6959

Comment 4 Oren Cohen 2023-08-02 06:27:38 UTC
This BZ has been fixed by Matan: https://issues.redhat.com/browse/CNV-29391
Probably there is some issue with the bug sync between bugzilla and jira.

