Add Get and List permissions for nodetemplates and other resources to help backend

[gaktive]

Overall, it seems reasonable for the cluster owner to be able to edit the cluster configuration even if they are only a member of user-base global group.

As it (the UI) is today in order to properly render the Edit config UI we need the user-base role to have at least get and list permissions for nodetemplates and potentially other resources (nodedrivers, etc).

We don't want to add additional permissions to the user-base global role as it meant to have minimal possible privileges.

Instead, we would like to change the UI to render and allow to edit as much as possible of the cluster configuration with the given permissions.

Originally posted by @pmatseykanets in https://github.com/rancher/rancher/issues/40581#issuecomment-1724412413

[gaktive]

Internal reference: SURE-5419

[gaktive]

As noted in the original ticket, some coordination is required with @pmatseykanets & @tomleb since we need to understand a bit more of what's going with these verbs across various models.

This is currently mostly in Ember but some migration is underway for AKS to Vue so @mantis-toboggan-md & @eva-vashkevich should be part of the conversation.

[richard-cox]

I'm not 100% sure it's practical for a cluster owner to not see nodetemplates, they're kind of core to managing nodes in rke1.

We also need to consider other places these resources are used, like in the cluster details page, home page, etc

@pmatseykanets could you provide more information on the new expectations of the cluster owner role?

[pmatseykanets]

@richard-cox We don't want to add any additional permissions to the base role, as it meant to have the minimal possible privileges. We would like to change the UI to render and allow to edit as much as possible of the cluster configuration with the given permissions.

[richard-cox]

@pmatseykanets Thanks. We're confirming in https://github.com/rancher/rancher/issues/40581 if this is a possible request (cluster owners will not be able to manage node or node pools)

[MKlimuszka]

I closed the backend ticket (https://github.com/rancher/rancher/issues/40581) in favor of this one.

[richard-cox]

I've tried to bring everything together here

Problem Space

• Customer would like a user that has the global user-base role and a cluster cluster-owner role for an RKE1 cluster
• They would like the user to be able to manage the RKE1 cluster.
• It's been stated that the user cannot edit the cluster in the UI because certain resources are not available
  • nodetemplates. potentially nodedrivers, etc
• In JIRA, Nancy has stated "node drivers, kontainer drivers, role templates, principals, psp templates, and psac templates are all required to view and edit the form".
• Peter has confirmed adding these permissions renders the form correctly
• They do not want to add additional permissions to any role or user in order to manage the cluster

Investigation

I've created a user, as per above, and see the following for collection permissions and resource count when fetched

The user is an owner of an RKE1 cluster

Url	Test User	Admin
/v3/schemas/nodetemplate	POST, GET (0 resource)	POST, GET (2 resource)
/v1/schemas/management.cattle.io.nodetemplate	404 (404)	GET, blocked-POST (2 resource)
/v3/schemas/nodedriver	POST, GET (0 resource)	POST, GET (21 resource)
/v1/schemas/management.cattle.io.nodedriver	404 (404)	GET, blocked-POST (21 resource)s
/v3/schemas/nodes	POST, GET (3 resource)	POST, GET (4 resource)
/v1/management.cattle.io.node	GET, blocked-POST (3 resource)	GET, blocked-POST (4 resource)
/v3/schemas/nodepool	POST, GET (1 resource)	POST, GET (1 resource)
/v1/schemas/management.cattle.io.nodepool	GET, blocked-POST (0 resource)	GET, blocked-POST (1 resource)
/v3/schemas/principal	GET (0 resource)	GET (0 resource)
/v3/cloudcredentials	n/a (0 resource)	n/a (1 resource)
/v3/schemas/roleTemplates	404 (0 resources)	404 (42 resources)
/v3/kontainerdrivers	n/a (0 resource)	n/a (11 resource)
/v1/schemas/management.cattle.io.kontainerdrivers	404 (404)	GET, blocked-POST (11 resource)
In addition
/v3/principals/local%3A%2F%2Fuser-xglvs	200 - null response	200 - populated response
/v3/principals/local%3A%2F%2Fu-q7z6d	200 - null response	200 - populated response (this is the principal of the test user - they cannot fech themselves)

I then added the user to a global role that had get, list on nodedrivers. This revealed the whole edit cluster config. Some parts were broken, like node template name and the membership section

There is a LOT going on here

• Users cannot fetch v1 versions of v3 resources nodetemplate, kontainerdrivers. In addition user cannot see roleTemplates
• Fetching /v3 node drivers returns an empty list, adding permissions to v1/mgmt nodedriver resource results in a /v3 non-empty list
• User cannot fetch the principal of themselves (they can fetch themselves)

Actions

• Question - BE - What should the user be able to change when editing a cluster when they have no access to nodedriver or user based resources
• Question - BE - Should resources like node driver be available (schema is available, requests return an empty result set) when the user does not have permissions for them?
• Problem - As it stand we would remove just about everything other than editing labels/annotations. Is this acceptible?
• Task - We also need to disable the create cluster process, given the user should not be able to (are the permissions wired in?)

[gaktive]

@pmatseykanets & @MKlimuszka if we're tracking everything here, can someone answer @richard-cox's latest questions? My fear is that momentum will get lost without any assignees on this from backend.

[pmatseykanets]

@richard-cox

What should the user be able to change when editing a cluster when they have no access to nodedriver or user based resources

Should resources like node driver be available (schema is available, requests return an empty result set) when the user does not have permissions for them?

Such users should be able to see/access v3 management cluster object but not independent objects like node templates that may affect other clusters.

[richard-cox]

@pmatseykanets Sorry, maybe there was a phrasing issue

What ~should the user be able to~ can the user change when editing a cluster when they have no access to ~nodedriver or user based resources~ resources given the permissions above.

Will the PUT request we make to /v3/clusters succeed, is there anything that will fail given potentially missing information in the API request? I've had a quick look but i'm not an expert there. Visually we have sections for

• Node Management (which will be removed)
• Member Roles (which will be removed)
• Labels & Annotations
• Kubernetes Options
• Private Registry
• Advanced Options (nginx, node port range, PSA, docker, etc)
• Cluster Agent Configuration
• Fleet Agent Configuration

Just looking for some confirmation, otherwise it's trial and error.

Should resources like node driver be available (schema is available, requests return an empty result set) when the user does not have permissions for them?

In order to hide the section above we would need to know the permissions, via Norman, of resources the user cannot access. It looks like though norman returns a schema for them and empty lists when requested, rather than missing schema's indicating the user does not have the permission to see them. Was this done intentionally? Is there a way to work out if the user cannot see node templates, principals, etc

[pmatseykanets]

Will the PUT request we make to /v3/clusters succeed, is there anything that will fail given potentially missing information in the API request?

The request to update the cluster object should succeed for the cluster owner.

[richard-cox]

Three options

1. There are no additional permissions applied.
   • User has only the global user-base role and the cluster Cluster Owner membership
2. As option 1, but user gains LIST nodedrivers management.cattle.io permission
   • nodedrivers permission unlocks limited node pool management and cluster options edit cluster section
3. User gains the various required permissions
   • these are to confirm, but roughly node drivers, kontainer drivers, role templates, principals, psp templates, and psac templates

For both options 1 and 2 the UI needs to hide functionality (see list below)

Impact

At a high level

Feature	Option 1 - No Permissions Change	Option 2 - LIST nodedrivers management.cattle.io
Create clusters	:x:	:x:
View cluster	:white_check_mark: (minus node pool type)	:white_check_mark: (minus node pool type)
Manage (view, create, etc) cloud credentials	:x:	:x:
Edit cluster, but only name and, labels and annotations	:white_check_mark:
Edit cluster, but only name, pools (with limitations), labels and annotations and cluster options (minus PSA)		:white_check_mark:

Create Cluster

Feature	Depends on	Option 1 - No Permissions Change	Option 2 - LIST nodedrivers management.cattle.io
Create Cluster	numerous resources	:x: (UI needs to disable)	:x: (UI needs to disable)

View Cluster

Feature	Depends on	Option 1 - No Permissions Change	Option 2 - LIST nodedrivers management.cattle.io
Node Pool list		:white_check_mark:	:white_check_mark:
NPL - View Pool type	management.cattle.io.nodetemplate	:x:	:x:
NPL - Scale Pool		:white_check_mark:	:white_check_mark:

View / Create Cloud Credentials

From the Cluster Management / Cloud Credentials list Feature	Depends on	Option 1 - No Permissions Change	Option 2 - LIST nodedrivers management.cattle.io
List / Create Cloud Credentials	cluster / node drivers	:x: (linked to cluster/node driver) (UI needs to disable)	:x: missing cluster drivers (UI needs to disable)

Edit Cluster

Name, Pools, Member Roles, Labels and Annotations

Cluster Options

Feature	Depends on	Option 1 - No Permissions Change	Option 2 - LIST nodedrivers management.cattle.io
Name		:white_check_mark:	:white_check_mark:
Pools	/v3/nodedriver	:x:	:grey_exclamation: (see below)
P - View / Select / Create node pool template	/v3/nodeTemplates	:x:	User can see id and not name of template. User cannot change or create new template
P - Select / Create cloudCredential	/v3/cloudcredentials, /v3/principals, /v3/nodedriver	:x:	:x:
Member Roles		:x: (UI needs to disable)	:x: Limitations make this unusable (UI needs to disable)
MR - View Name of user/group associated with role	GET /v3/principals, LIST /v3/roletemplates	:x:	:x: Users can see Unknown User and always Custom role
MR - Select user/group to add to role	GET /v3/principals, LIST /v3/roletemplates	:x:	:x: Users cannot see users or groups to assign
MR - Select role to add user/group to	GET /v3/principals, LIST /v3/roletemplates	:x:	:x: Users cannot see roles to assign
Labels and Annotations		:white_check_mark:	:white_check_mark:
Cluster Options	/v3/nodedriver	:x: nodedriver required	:white_check_mark:
CO - Kubernetes Options	Research needed, but should be available	:x:	:white_check_mark:
CO - Private Registry	Research needed, but should be available	:x:	:white_check_mark:
CO - Advanced Options	Pod Security Admission Configuration Template dropdown needs podsecurityadmissionconfigurationtemplates	:x:	:grey_exclamation: Apart from PSA
CO - Authorized Endpoint	Research needed, but should be available	:x:	:white_check_mark:
CO - Cluster Agent Configuration	Research needed, but should be available	:x:	:white_check_mark:
CO - Fleet Agent Configuration	Research needed, but should be available	:x:	:white_check_mark:

Saving a cloudCredential gives the error secrets is forbidden: User "u-zlq8w" cannot create resource "secrets" in API group "" in the namespace "cattle-global-data"

[MKlimuszka]

SURE-5419 Has been closed by the reporter.

[richard-cox]

Marking this as blocked on our side (https://github.com/rancher/dashboard/issues/10787), from that the solution may not be UI related

[gaktive]

@richard-cox do you still need an answer from backend or elsewhere before we tackle this?

[richard-cox]

This one is blocked on our investigation in https://github.com/rancher/dashboard/issues/10787, then whatever happens afterwards (possibly changes all-round)