gaktive
commented
2 years ago Update from @MbolotSuse from https://github.com/rancher/rancher/issues/35453#issuecomment-1045177528 (pardon any formatting wackiness here):
When Steve checks for access permissions to create today, it looks for the "POST" ability contained in the "CollectionMethods" field of the schema. You can see that here: https://github.com/rancher/apiserver/blob/master/pkg/server/access.go#L17-L22 .
The UI, on the other hand, is currently checking if the user has "PUT" access to "ResourceMethods". This checks if the user has update access to a namespace, rather than create permissions to namespaces. Because the project in this issue is initially empty, the backend does not report that the user has "PUT" access to "ResourceMethods" (because there exists no namespaces that the user has access to modify). Once a namespace has been created, however, the user now has update/edit access to a namespace, which causes the button to appear on the UI.
The solution here is pretty simple.
https://github.com/rancher/dashboard/blob/db6bca553e54d7dac2b8cc593e79e176581dbfc5/pages/c/_cluster/_product/projectsnamespaces.vue#L51 should be changed from:
return (this.schema?.resourceMethods || []).includes('PUT');
to
return (this.schema?.collectionMethods || []).includes('POST');
I ran a quick test on my local using this as the override, and was able to get the button to show up as expected (doesn't show up when the user is read-only, does when the user is project member).
As far as my earlier comment goes, the backend logic doesn't support the structure that I was referring to there. That may be a topic that we revisit in the future, but for now I would recommend going wiht the above fix.
sowmyav27
nwmac
ghost
brudnak
nelsonroliveira
@gaktive I took a look into this on the UI side. Relevant code (that I think you were referring to) is here: https://github.com/rancher/dashboard/blob/db6bca553e54d7dac2b8cc593e79e176581dbfc5/pages/c/_cluster/_product/projectsnamespaces.vue#L50
I think I understand the original intention of the UI side of this code. That being said, I think there is a large flaw to this approach, namely that the button's presence is tied (in best case) to the user's ability to create namespaces generically. This leads to the button being present on every project that the user sees, or on no projects. I'm not sure that this is the desired behavior. It seems to me that it would be better to evaluate if the button should be present on a project-by-project basis. That being said, the way that you are determining permissions right now (through the schema) doesn't really seem to support this. I'm going to look more into the backend side and see if there's something that makes more sense there.
Originally posted by @MbolotSuse in https://github.com/rancher/rancher/issues/35453#issuecomment-1036667181