weaveworks / weave-gitops-enterprise

This repo provides the enterprise level features for the weave-gitops product, including CAPI cluster creation and team workspaces.
https://docs.gitops.weave.works/
Apache License 2.0

Possible bug in core userCanUseNamespace #907

Open foot opened 2 years ago

foot commented 2 years ago

After #905 was merged into main, and after logging in as wego-admin to demo-01, navigating to Applications failed, citing wego-admin not having permissions to list helm-releases in the default namespace.

wego-admin doesn't have much access to default, it had a cluster-role-bindings for:

With the new bit on the end (events) which seems to have broken things...

foot commented 2 years ago

cc @luizbafilho @jpellizzari does this make sense? It was just surprising is all; it might be working as intended. I understand you should have all the permissions there.

We can try and repro it properly, as there might have been some permission pollution on demo-01...

jpellizzari commented 2 years ago

@foot If you are requesting a resource specifically, it might error out if you don't have permissions for that NS.

If it is a list, it should just skip the namespace. For a user to have "access" to a NS, they need a role that (minimally) matches this:

https://github.com/weaveworks/weave-gitops/blob/c91a4ab50b753a4e1109b1dfc93d3fe61cad4e93/core/nsaccess/nsaccess.go#L19
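The "minimally matches" check described in the comment above, as an added example that is not part of the thread and not the project's code: a namespace counts as usable only when the user's rules cover every required group/resource/verb combination, and a list handler would skip any namespace where this returns false. The `Rule` type, the function names and the required rule set (including `events`) are assumptions constructed for illustration; the project's real list is at the linked line.

```go
package main

import "fmt"

// Rule is a simplified stand-in for an RBAC PolicyRule (hypothetical type).
type Rule struct{ Groups, Resources, Verbs []string }

// has reports whether set contains want or the RBAC wildcard "*".
func has(set []string, want string) bool {
	for _, s := range set {
		if s == want || s == "*" {
			return true
		}
	}
	return false
}

// allowed reports whether any single granted rule permits verb on group/resource.
func allowed(granted []Rule, group, resource, verb string) bool {
	for _, g := range granted {
		if has(g.Groups, group) && has(g.Resources, resource) && has(g.Verbs, verb) {
			return true
		}
	}
	return false
}

// canUseNamespace requires every group/resource/verb combination in required.
func canUseNamespace(granted, required []Rule) bool {
	for _, r := range required {
		for _, g := range r.Groups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					if !allowed(granted, g, res, v) {
						return false
					}
				}
			}
		}
	}
	return true
}

func main() { // constructed sample rules, not the project's required list
	required := []Rule{{[]string{""}, []string{"secrets", "events"}, []string{"get", "list"}}}
	narrow := []Rule{{[]string{""}, []string{"secrets"}, []string{"get", "list"}}}
	admin := []Rule{{[]string{"*"}, []string{"*"}, []string{"*"}}}
	fmt.Println(canUseNamespace(narrow, required), canUseNamespace(admin, required))
}
```

In this constructed data, the `narrow` grant satisfies everything except `events`, so extending the required set by one resource is enough to drop a namespace from the user's view.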

LappleApple commented 1 year ago

Still relevant/something we want to keep open?

jpellizzari commented 1 year ago

> Still relevant/something we want to keep open?

@foot Is this still an issue?