Open zcl0621 opened 4 months ago
@zcl0621 thanks for raising this issue and helping to make Rancher better! We may follow up with requests for additional information as we investigate the issue.
@gaktive transferring this issue to the dashboard repo for triage. I suspect that this could be a dashboard issue and some triage will help us to identify the root cause.
@rak-phillip Thx for reply. If you need more detail, pls let me know.
I have a potential repro. What I'm finding is that while the user can view all the actions in the Dashboard, they are unauthorized to commit these actions by the backend.
@zcl0621 can you confirm that these match the behavior you are experiencing? (apologies for the long steps, I tried to be as thorough as possible for clarity)
The user is able to see all actions for prod-dep
The user is prevented from editing prod-dep, receiving the message from the server
deployments.apps "prod-dep" is forbidden: User "u-6ztt8" cannot update resource "deployments" in API group "apps" in the namespace "prod"
The user is able to make edits to dev-dep
@rak-phillip to confirm the user is blocked via api from doing anything they cannot do and cannot see anything they shouldn't..... however the UI offers actions that they cannot do? if so this is a general issue regarding per resource type permissions, i'll dig out the relevant backend issues
to confirm the user is blocked via api from doing anything they cannot do
This is correct.
and cannot see anything they shouldn't.....
Unconfirmed at this point, but the API should be behaving this way for any resources that a user is not authorized to view
however the UI offers actions that they cannot do?
This is correct, it appears that the most permissive "Project Membership" is applied to all projects in the list, displaying the same actions for each item on the page. The end result is that a user can see actions that don't apply to them. For example, a user can see the "Edit" action and can attempt to save changes when they should only be allowed to see "List".
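To make the distinction in this thread concrete (backend decides per namespace; the dashboard shows the most permissive project membership everywhere), here is an added example that is not code from Rancher or from anyone in this issue. It is a minimal model of Kubernetes RBAC evaluation: the user id and the "prod" namespace come from the error message above, while the role names, their rules, the "dev" binding and the `can_i`/`ui_actions` helpers are constructed for illustration and do not reproduce the real dashboard logic.

```python
"""Minimal model of per-namespace RBAC decisions vs. a "most permissive" shortcut.

Added example, not code from the Rancher dashboard or this issue. The user
id "u-6ztt8" and the "prod" namespace appear in the reported error; the
"dev" binding and the view/edit rules below are constructed (loosely modelled
on the built-in view/edit ClusterRoles, reduced to deployments only).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One RBAC policy rule: which verbs on which resources in which API groups."""
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def matches(self, group: str, resource: str, verb: str) -> bool:
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class RoleBinding:
    """A namespaced binding of a role to a set of subjects (user ids)."""
    namespace: str
    role: str
    subjects: frozenset


# Constructed roles: a viewer may only read deployments, an editor may change them.
ROLES = {
    "view": (Rule(frozenset({"apps"}), frozenset({"deployments"}),
                  frozenset({"get", "list", "watch"})),),
    "edit": (Rule(frozenset({"apps"}), frozenset({"deployments"}),
                  frozenset({"get", "list", "watch", "create", "update", "patch", "delete"})),),
}

# Constructed bindings matching the report: member (edit) in dev, viewer in prod.
BINDINGS = (
    RoleBinding("prod", "view", frozenset({"u-6ztt8"})),
    RoleBinding("dev", "edit", frozenset({"u-6ztt8"})),
)


def can_i(user: str, verb: str, resource: str, namespace: str,
          group: str = "apps", bindings=BINDINGS) -> bool:
    """Per-namespace decision, the way the API server answers an access review.

    Only bindings in the requested namespace are consulted, so a permissive
    role in "dev" never unlocks anything in "prod".
    """
    for b in bindings:
        if b.namespace != namespace or user not in b.subjects:
            continue
        if any(r.matches(group, resource, verb) for r in ROLES[b.role]):
            return True
    return False


def most_permissive_anywhere(user: str, verb: str, resource: str,
                             group: str = "apps", bindings=BINDINGS) -> bool:
    """The flawed shortcut described in the thread: if any project grants the
    verb, the UI offers the action in every project. The backend still denies it."""
    return any(can_i(user, verb, resource, b.namespace, group, bindings) for b in bindings)


def ui_actions(user: str, resource: str, namespace: str, group: str = "apps",
               bindings=BINDINGS) -> tuple:
    """Actions a per-resource permission check would expose for this namespace."""
    verbs = ("get", "list", "update", "delete")
    return tuple(v for v in verbs if can_i(user, v, resource, namespace, group, bindings))


if __name__ == "__main__":
    u = "u-6ztt8"
    print("backend, update deployments in prod:", can_i(u, "update", "deployments", "prod"))
    print("backend, update deployments in dev: ", can_i(u, "update", "deployments", "dev"))
    print("UI 'most permissive' shortcut:      ", most_permissive_anywhere(u, "update", "deployments"))
    print("correct per-namespace actions, prod:", ui_actions(u, "deployments", "prod"))
    # Removing the dev binding reproduces the "back to viewer" observation.
    print("prod actions without dev binding:   ", ui_actions(u, "deployments", "prod", bindings=BINDINGS[:1]))
```

The live equivalent of `can_i` against a real cluster is `kubectl auth can-i update deployments -n prod --as <user>`, which asks the API server for the same per-namespace verdict the dashboard should be rendering; if that returns "no" while the UI still shows "Edit", the mismatch is in the client, not in RBAC.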
@rak-phillip thx for the reply. I'm taking a vacation. I'll feed back a screen recording of this issue. It'll be clear. Thx again.
Rancher Server Setup
Information about the Cluster
Kubernetes version: 1.28
Cluster Type (Local/Downstream):
Hosted: EKS
Infrastructure Provider: AWS
User Information
Describe the bug
We created two projects in the cluster.
dev
prod
If we add a user just to the prod project, they will be a viewer as well. But when we add a user to both the prod and dev projects, they can act as a member in the prod project. Now if we remove the user from the dev project, they go back to being a viewer.
Screenshots