[BUG] Actions shown do not reflect user permissions

[zcl0621]

Rancher Server Setup

• Rancher version: 2.8.1
• Installation option (Docker install/Helm Chart): docker
• Proxy/Cert Details: ACME

Information about the Cluster

• Kubernetes version: 1.28

• Cluster Type (Local/Downstream):

• Hosted: EKS

• Infrastructure Provider: AWS

User Information

• Member

Describe the bug

We created two project in the cluster.

• dev

  • namespace: dev, staging
  • user role: member

• prod

  • namespace: prod
  • user role: viewer/readonly

if we add a user just to the prod project, they will be the viewer as well. But when we add a user to prod and dev project, they can do as a member in prod project. Now if we delete the add from the dev project, they will back to the viewer.

Screenshots

[rak-phillip]

@zcl0621 thanks for raising this issue and helping to make Rancher better! We may follow up with requests for additional information as we investigate the issue.

@gaktive transferring this issue to the dashboard repo for triage. I suspect that this could be a dashboard issue and some triage will help us to identify the root cause.

[zcl0621]

@rak-phillip Thx for reply. If you need more detail, pls let me know.

[rak-phillip]

I have a potential repro. What I'm finding is that while the user can view all the actions in the Dashboard, they are unauthorized to commit these actions by the backend.

@zcl0621 can you confirm that these match the behavior you are experiencing? (apologies for the long steps, I tried to be as thorough as possible for clarity)

1. Create a new Cluster
   1. Navigate to Cluster Manager and click Create
   2. Ensure RKE2/K3s is selected and select one of the options from the list
   3. Give the cluster a name and click Create
   4. Wait for the cluster to enter a ready state
2. Add Project/Namespaces to new Cluster
   1. Create the prod project
      1. Navigate to Cluster Management => { Cluster Created in Step 1 } and click Explore
      2. Navigate to Projects/Namespaces and click Create Project
      3. Name the Project "prod" and click Create
      4. Click on Create Namespace for prod
      5. Name the namespace "prod" and click Create
   2. Create the dev Project
      1. Navigate to Cluster Management => { Cluster Created in Step 1 } and click Explore
      2. Navigate to Projects/Namespaces and click Create Project
      3. Name the Project "dev" and click Create
      4. Click on Create Namespace for "dev"
      5. Name the namespace "dev" and click Create
3. Create a new user
   1. Navigate to Users & Authentication and click Create
   2. Give the user a name and generate a password
   3. Click Create
4. Create Deployments for { Cluster Created in Step 1 }
   1. Navigate to Cluster Management => { Cluster Created in Step 1 } and click Explore
   2. Navigate to Workloads => Deployments and click Create
   3. Select the prod namespace, name the deployment "prod-dep", and use "nginx:latest" as the Container Image
   4. Click Create
   5. Navigate to Workloads => Deployments and click Create
   6. Select the dev namespace, name the deployment "dev-dep", and use "nginx:latest" as the Container Image
   7. Click Create
5. Add { User created in Step 3 } to prod project
   1. Navigate to Cluster Management => { Cluster Created in Step 1 } and click Explore
   2. Navigate to Cluster => Cluster and Project Members => Project Membership
   3. Click on Add for the prod project
   4. Select { User Created in Step 3 }
   5. Select Read Only
   6. Click Create
6. Log in as the user and confirm that only prod-dep can be viewed and only View/List options are available in actions
7. Log back in as Admin and add { User created in Step 3 } to dev project
   1. Navigate to Cluster Management => { Cluster Created in Step 1 } and click Explore
   2. Navigate to Cluster => Cluster and Project Members => Project Membership
   3. Click on Add for the dev project
   4. Select { User Created in Step 3 }
   5. Select Member
   6. Click Create
8. Log in as the user and confirm that both prod-dep and dev-dep can be viewed
   1. Confirm that all actions are available for both dev-dep and prod-dep
   2. Click on "Edit config" for prod-dep
   3. Change Replicas to 3
   4. Click Save

Actual Behavior

• The user is able to see all actions for prod-dep

• The user is prevented from editing prod-dep, receiving the message from the server

  deployments.apps "prod-dep" is forbidden: User "u-6ztt8" cannot update resource "deployments" in API group "apps" in the namespace "prod"

• The user is able to make edits to dev-dep

Expected Behavior

• The user is able to see all actions for dev-dep
• The user is able to make edits to dev-dep
• The user is only able to see View/List actions for prod-dep

[richard-cox]

@rak-phillip to confirm the user is blocked via api from doing anything they cannot do and cannot see anything they shouldn't..... however the UI offers actions that they cannot do? if so this is a general issue regarding per resource type permissions, i'll dig out the relevant backend issues

[rak-phillip]

to confirm the user is blocked via api from doing anything they cannot do

This is correct.

and cannot see anything they shouldn't.....

Unconfirmed at this point, but the api should be behaving this way for any resources that a users is not authorized to view

however the UI offers actions that they cannot do?

This is correct, it appears that the most permissive "Project Membership" is applied to all projects in the list, displaying the same actions for each item on the page. The end result is that a user can see actions that don't apply to them. For example, a user can see the "Edit" action and can attempt to save changes when they should only be allowed to see "List".

[zcl0621]

@rak-phillip thx for reply. I'm taking a vacation. I'll feed back a screenshot recording video about this issue. It'll be clearly. Thx again.