Open gaktive opened 11 months ago
Internal reference: SURE-5419
As noted in the original ticket, some coordination is required with @pmatseykanets & @tomleb since we need to understand a bit more of what's going with these verbs across various models.
This is currently mostly in Ember but some migration is underway for AKS to Vue so @mantis-toboggan-md & @eva-vashkevich should be part of the conversation.
I'm not 100% sure it's practical for a cluster owner to not see nodetemplates, they're kind of core to managing nodes in rke1.
We also need to consider other places these resources are used, like in the cluster details page, home page, etc
@pmatseykanets could you provide more information on the new expectations of the cluster owner role?
@richard-cox We don't want to add any additional permissions to the base role, as it is meant to have the minimal possible privileges. We would like to change the UI to render and allow editing of as much as possible of the cluster configuration with the given permissions.
@pmatseykanets Thanks. We're confirming in https://github.com/rancher/rancher/issues/40581 if this is a possible request (cluster owners will not be able to manage node or node pools)
I closed the backend ticket (https://github.com/rancher/rancher/issues/40581) in favor of this one.
I've tried to bring everything together here
I've created a user, as per above, and see the following for collection permissions and resource count when fetched
The user is an owner of an RKE1 cluster
Url | Test User | Admin |
---|---|---|
/v3/schemas/nodetemplate | POST, GET (0 resources) | POST, GET (2 resources) |
/v1/schemas/management.cattle.io.nodetemplate | 404 (404) | GET, blocked-POST (2 resources) |
/v3/schemas/nodedriver | POST, GET (0 resources) | POST, GET (21 resources) |
/v1/schemas/management.cattle.io.nodedriver | 404 (404) | GET, blocked-POST (21 resources) |
/v3/schemas/nodes | POST, GET (3 resources) | POST, GET (4 resources) |
/v1/management.cattle.io.node | GET, blocked-POST (3 resources) | GET, blocked-POST (4 resources) |
/v3/schemas/nodepool | POST, GET (1 resource) | POST, GET (1 resource) |
/v1/schemas/management.cattle.io.nodepool | GET, blocked-POST (0 resources) | GET, blocked-POST (1 resource) |
/v3/schemas/principal | GET (0 resources) | GET (0 resources) |
/v3/cloudcredentials | n/a (0 resources) | n/a (1 resource) |
/v3/schemas/roleTemplates | 404 (0 resources) | 404 (42 resources) |
/v3/kontainerdrivers | n/a (0 resources) | n/a (11 resources) |
/v1/schemas/management.cattle.io.kontainerdrivers | 404 (404) | GET, blocked-POST (11 resources) |
In addition | | |
/v3/principals/local%3A%2F%2Fuser-xglvs | 200 - null response | 200 - populated response |
/v3/principals/local%3A%2F%2Fu-q7z6d | 200 - null response | 200 - populated response (this is the principal of the test user - they cannot fetch themselves) |
I then added the user to a global role that had get, list on nodedrivers. This revealed the whole edit cluster config. Some parts were broken, like node template name and the membership section
There is a LOT going on here
@pmatseykanets & @MKlimuszka if we're tracking everything here, can someone answer @richard-cox's latest questions? My fear is that momentum will get lost without any assignees on this from backend.
@richard-cox
> What should the user be able to change when editing a cluster when they have no access to nodedriver or user based resources

> Should resources like node driver be available (schema is available, requests return an empty result set) when the user does not have permissions for them?

Such users should be able to see/access v3 management cluster object but not independent objects like node templates that may affect other clusters.
@pmatseykanets Sorry, maybe there was a phrasing issue
What ~~should the user be able to~~ can the user change when editing a cluster when they have no access to ~~nodedriver or user based resources~~ resources given the permissions above.
Will the PUT request we make to /v3/clusters succeed, is there anything that will fail given potentially missing information in the API request? I've had a quick look but I'm not an expert there. Visually we have sections for
Just looking for some confirmation, otherwise it's trial and error.
> Should resources like node driver be available (schema is available, requests return an empty result set) when the user does not have permissions for them?

In order to hide the section above we would need to know the permissions, via Norman, of resources the user cannot access. It looks like though Norman returns a schema for them and empty lists when requested, rather than missing schemas indicating the user does not have the permission to see them. Was this done intentionally? Is there a way to work out if the user cannot see node templates, principals, etc?
> Will the PUT request we make to /v3/clusters succeed, is there anything that will fail given potentially missing information in the API request?

The request to update the cluster object should succeed for the cluster owner.
`user-base` role and the cluster Cluster Owner membership. For both options 1 and 2 the UI needs to hide functionality (see list below)
At a high level

Feature | Option 1 - No Permissions Change | Option 2 - LIST nodedrivers management.cattle.io |
---|---|---|
Create clusters | :x: | :x: |
View cluster | :white_check_mark: (minus node pool type) | :white_check_mark: (minus node pool type) |
Manage (view, create, etc) cloud credentials | :x: | :x: |
Edit cluster, but only name, labels and annotations | :white_check_mark: | |
Edit cluster, but only name, pools (with limitations), labels and annotations and cluster options (minus PSA) | | :white_check_mark: |
Feature | Depends on | Option 1 - No Permissions Change | Option 2 - LIST nodedrivers management.cattle.io |
---|---|---|---|
Create Cluster | numerous resources | :x: (UI needs to disable) | :x: (UI needs to disable) |
Feature | Depends on | Option 1 - No Permissions Change | Option 2 - LIST nodedrivers management.cattle.io |
---|---|---|---|
Node Pool list | | :white_check_mark: | :white_check_mark: |
NPL - View Pool type | management.cattle.io.nodetemplate | :x: | :x: |
NPL - Scale Pool | | :white_check_mark: | :white_check_mark: |
From the Cluster Management / Cloud Credentials list

Feature | Depends on | Option 1 - No Permissions Change | Option 2 - LIST nodedrivers management.cattle.io |
---|---|---|---|
List / Create Cloud Credentials | cluster / node drivers | :x: (linked to cluster/node driver) (UI needs to disable) | :x: missing cluster drivers (UI needs to disable) |
Name, Pools, Member Roles, Labels and Annotations
Cluster Options
Feature | Depends on | Option 1 - No Permissions Change | Option 2 - LIST nodedrivers management.cattle.io |
---|---|---|---|
Name | | :white_check_mark: | :white_check_mark: |
Pools | /v3/nodedriver | :x: | :grey_exclamation: (see below) |
P - View / Select / Create node pool template | /v3/nodeTemplates | :x: | User can see id and not name of template. User cannot change or create new template |
P - Select / Create cloudCredential | /v3/cloudcredentials, /v3/principals, /v3/nodedriver | :x: | :x: |
Member Roles | | :x: (UI needs to disable) | :x: Limitations make this unusable (UI needs to disable) |
MR - View Name of user/group associated with role | GET /v3/principals, LIST /v3/roletemplates | :x: | :x: Users can see Unknown User and always Custom role |
MR - Select user/group to add to role | GET /v3/principals, LIST /v3/roletemplates | :x: | :x: Users cannot see users or groups to assign |
MR - Select role to add user/group to | GET /v3/principals, LIST /v3/roletemplates | :x: | :x: Users cannot see roles to assign |
Labels and Annotations | | :white_check_mark: | :white_check_mark: |
Cluster Options | /v3/nodedriver | :x: nodedriver required | :white_check_mark: |
CO - Kubernetes Options | Research needed, but should be available | :x: | :white_check_mark: |
CO - Private Registry | Research needed, but should be available | :x: | :white_check_mark: |
CO - Advanced Options | Pod Security Admission Configuration Template dropdown needs podsecurityadmissionconfigurationtemplates | :x: | :grey_exclamation: Apart from PSA |
CO - Authorized Endpoint | Research needed, but should be available | :x: | :white_check_mark: |
CO - Cluster Agent Configuration | Research needed, but should be available | :x: | :white_check_mark: |
CO - Fleet Agent Configuration | Research needed, but should be available | :x: | :white_check_mark: |
Saving a cloudCredential gives the error

```
secrets is forbidden: User "u-zlq8w" cannot create resource "secrets" in API group "" in the namespace "cattle-global-data"
```
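The permission table earlier in this thread and the Option 1 / Option 2 matrix above can be reproduced by a small probe that asks the API, as the user in question, which schemas exist and how many objects each collection returns, then derives which Edit Cluster sections are safe to render. The script below is an added example written for this discussion, not code from the dashboard or rancher projects. It assumes the Norman (/v3) and Steve (/v1) schema JSON carries a `collectionMethods` list, that collection GETs return a `{"data": [...]}` envelope, and that the Steve type ids match the ones in the table; the `fake_rancher` responder is a constructed stand-in so the script runs offline. It deliberately treats "schema present, zero rows" from Norman as inconclusive (the ambiguity raised above) and keys the section gating on the Steve nodedriver check, which is the one signal that returns a definitive 404 when the user lacks the permission.

```python
"""Probe which Norman (/v3) and Steve (/v1) resources a Rancher user can see,
then map that to the Edit Cluster sections the UI may render.

Added example, not dashboard or rancher code. Field names and the fake server
are assumptions; see the lead-in.
"""
import json
from typing import Callable, Dict, Tuple

# Schema path -> collection path. Constructed from the endpoints in the table
# in this thread; the Steve type ids are assumed to be the ones listed there.
CHECKS: Dict[str, str] = {
    "/v3/schemas/nodetemplate": "/v3/nodetemplates",
    "/v3/schemas/nodedriver": "/v3/nodedrivers",
    "/v3/schemas/nodepool": "/v3/nodepools",
    "/v1/schemas/management.cattle.io.nodetemplate": "/v1/management.cattle.io.nodetemplates",
    "/v1/schemas/management.cattle.io.nodedriver": "/v1/management.cattle.io.nodedrivers",
}

# fetch(path) -> (HTTP status, response body). Against a real server this
# would wrap requests.get(base_url + path, headers={"Authorization": "Bearer ..."}).
Fetch = Callable[[str], Tuple[int, str]]


def probe(fetch: Fetch, schema_path: str, collection_path: str) -> dict:
    """Classify one resource as denied / visible / unknown for the caller."""
    status, body = fetch(schema_path)
    if status in (401, 403, 404):
        # Steve answers 404 for schemas the user may not see: a definitive "no".
        return {"methods": [], "count": None, "verdict": "denied"}
    methods = json.loads(body).get("collectionMethods", [])  # assumed field name
    status, body = fetch(collection_path)
    if status in (401, 403):
        return {"methods": methods, "count": None, "verdict": "denied"}
    count = len(json.loads(body).get("data", []))  # assumed list envelope
    # Norman hands out a schema and an empty list for resources the user may not
    # see, so "0 resources" cannot distinguish "none exist" from "not permitted".
    verdict = "visible" if count > 0 else "unknown"
    return {"methods": methods, "count": count, "verdict": verdict}


def audit(fetch: Fetch) -> Dict[str, dict]:
    """Run every check in CHECKS as the caller behind `fetch`."""
    return {schema: probe(fetch, schema, coll) for schema, coll in CHECKS.items()}


def editable_sections(report: Dict[str, dict]) -> set:
    """Edit Cluster sections the UI can render, following the Option 1 /
    Option 2 split: Name and Labels need nothing extra; Pools (limited) and
    Cluster Options (minus PSA) need nodedriver; Member Roles and cloud
    credentials stay hidden in both options."""
    sections = {"Name", "Labels and Annotations"}
    nodedriver = report["/v1/schemas/management.cattle.io.nodedriver"]
    if nodedriver["verdict"] != "denied":  # Steve 404 is the trustworthy signal
        sections |= {"Pools (limited)", "Cluster Options (minus PSA)"}
    return sections


def fake_rancher(visible: Dict[str, int]) -> Fetch:
    """Constructed stand-in for a Rancher server. `visible` maps a Steve type
    to the number of objects the caller may list. Norman always returns a
    schema (even when the caller cannot list), Steve returns 404 otherwise."""
    def fetch(path: str) -> Tuple[int, str]:
        if path.startswith("/v3/schemas/"):
            return 200, json.dumps({"collectionMethods": ["GET", "POST"]})
        if path.startswith("/v3/"):
            kind = "management.cattle.io." + path.removeprefix("/v3/").rstrip("s")
            return 200, json.dumps({"data": [{}] * visible.get(kind, 0)})
        if path.startswith("/v1/schemas/"):
            kind = path.removeprefix("/v1/schemas/")
            if kind not in visible:
                return 404, ""
            return 200, json.dumps({"collectionMethods": ["GET", "blocked-POST"]})
        kind = path.removeprefix("/v1/").rstrip("s")
        if kind not in visible:
            return 404, ""
        return 200, json.dumps({"data": [{}] * visible[kind]})
    return fetch


# Two constructed callers: the cluster-owner test user and an admin.
TEST_USER = fake_rancher({"management.cattle.io.nodepool": 1})
ADMIN = fake_rancher({"management.cattle.io.nodetemplate": 2,
                      "management.cattle.io.nodedriver": 21,
                      "management.cattle.io.nodepool": 1})

if __name__ == "__main__":
    for name, who in (("test user", TEST_USER), ("admin", ADMIN)):
        rep = audit(who)
        for path, r in rep.items():
            print(f"{name:9} {path:48} {r['verdict']:8} {r['count']}")
        print(name, "->", sorted(editable_sections(rep)))
```

Pointing `fetch` at a real server with the test user's token reproduces the first table row by row; the useful part for the UI question is that only the Steve checks yield a hard "denied", so gating on Norman's empty lists would hide sections for users who simply have no node templates yet.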
SURE-5419 Has been closed by the reporter.
Marking this as blocked on our side (https://github.com/rancher/dashboard/issues/10787), from that the solution may not be UI related
@richard-cox do you still need an answer from backend or elsewhere before we tackle this?
This one is blocked on our investigation in https://github.com/rancher/dashboard/issues/10787, then whatever happens afterwards (possibly changes all-round)
> Overall, it seems reasonable for the cluster owner to be able to edit the cluster configuration even if they are only a member of the `user-base` global group. As it (the UI) is today, in order to properly render the Edit config UI we need the `user-base` role to have at least `get` and `list` permissions for `nodetemplates` and potentially other resources (nodedrivers, etc). We don't want to add additional permissions to the `user-base` global role as it is meant to have the minimal possible privileges. Instead, we would like to change the UI to render and allow editing of as much as possible of the cluster configuration with the given permissions.
Originally posted by @pmatseykanets in https://github.com/rancher/rancher/issues/40581#issuecomment-1724412413