In role creation form, group resources by API group and scope

[jtravee]

Per customer feedback in docs issue #2698. @gaktive

Reference: Rancher Resource dropdown under Project Role.

Per feedback from @cbron and @catherineluse, please filter out deprecated resources, group related items, and/or provide guidance within the UI for anything ambiguous. Docs can annotate what the resources are and what the source is, but based on feedback, the greater concern is making sure users understand what accesses they should be granting under these.

The 2.6.x equivalent is:

gz#12301
SURE-2434

[catherineluse]

Specifically, at least kuberneteses should be removed because it comes from the deprecated v1 Istio.

For project roles, all the cluster management/Norman resources should be filtered out, because a project role shouldn't need anything at the global scope.

[catherineluse]

QA Template

Root cause

The group of resources was a flat list which placed the burden on the user to go and google the resource or look up documentation if they wanted to find out the API group that corresponded to a certain resource.

What was fixed, or what changes have occurred

The resource list is no longer flat. It has been replaced with a nested object that has global, cluster and namespace scopes, and inside each scope it has each API group in that scope, and inside each API group are the resources that go inside the group.

The UI now uses that nested structure to figure out whether to show global or cluster scoped resources in the role creation forms, and it also uses that nested structure to figure out which API group should be auto-populated when you select a resource.

Areas or cases that should be tested

To test that the resources are grouped by their API group,

1. Go to Users & Authentication > Roles
2. Go to create a role of any scope - global, cluster, or project - and select a resource from the resource dropdown.
3. Confirm that API groups are included in the dropdown menu but they are unselectable. Note that some resources are intentionally duplicated in the list, such as Clusters, which appears under multiple API groups - but when you click Clusters, the API group that gets auto-populated depends on which heading the resource was under.

For verifying the scope, there are five forms to look at.

1. Global role creation form

This is at Users & Authentication > Roles > Global > Create Global Role. It should have global, cluster and project scoped resources.
- The resources list contains global stuff, such as the fleet.cattle.io and management.cattle.io API groups
- It also has cluster scoped stuff, such as the rbac.authorization.k8s.io and storage.k8s.io API groups
- it also has namespaced stuff, such as the monitoring.coreos.comand logging.banzaicloud.io API groups

2. Cluster role creation form

This is at Users & Authentication > Roles > Cluster > Create Cluster Role.

The resources options there should have cluster- and namespace-scoped resources, but no global resources.

3. Project role creation form

This is at Users & Authentication > Roles > Project/Namespaces > Create Project/Namespace Role.

The resources options there should have only namespace-scoped resources, no cluster or global resources.

4. Kubernetes Role resource creation form

This is at Cluster Explorer > More Resources > RBAC > Roles.

The resources options there should have only namespace-scoped resources, no cluster or global resources.

5. Kubernetes ClusterRole resource creation form

This is at Cluster Explorer > More Resources > RBAC > ClusterRoles.

The resources options there should have cluster- and namespace-scoped resources, no global resources.

What areas could experience regressions?

Editing/creating roles, role detail pages

Are the repro steps accurate/minimal?

This is more of an enhancement, so there aren't repro steps.

[jtravee]

Confirmed with @catherineluse and @gaktive to add release note label.

[brudnak]

✅ PASSED

Reproduction Environment

Not required.

---

Validation Environment

Component	Version / Type
Rancher version	2.6.4-rc9
Installation option	Helm high availability
If Helm Chart k8s cluster	RKE v1.22.6
Cert Details	ingress.tls.source=secret (certificates from files)
Docker version	20.10.7, build f0df350
Helm version	v2.16.8-rancher1
Downstream cluster type	RKE1 Linode
Downstream K8s version	v1.23.4-rancher1-1
Logged in user role	Admin user
Browser type	Google Chrome
Browser version	99.0.4844.51 (Official Build) (x86_64)

Validation steps

Global role creation form

1. Starting from the default Rancher homepage /dashboard/home
2. Click hamburger menu -> Users & Authentication -> Roles -> Global -> Create Global Role
3. Verify the Resource drop down is filtered into appropriate groups
   • Global scoped
   • Cluster scoped
   • Namespace scoped

Additional Info

RESULTS

✅ Expected

Expect for this drop down to be grouped in a logical order

✅Actual

The drop down is grouped in a logical order

Additional Tests

Test	Steps	Expected	Actual	Pass/Fail
Cluster role creation form	Users & Authentication > Roles > Cluster > Create Cluster Role	Roles to be grouped & appropriate	Grouping accurate and scoped	✅
Project role creation form	Users & Authentication > Roles > Project/Namespaces > Create Project/Namespace Role.	Roles to be grouped & appropriate	Grouping accurate and scoped	✅
Kubernetes Role resource creation form	Cluster Explorer > More Resources > RBAC > Roles	Roles to be grouped & appropriate	Grouping accurate and scoped	✅
Kubernetes ClusterRole resource creation form	Cluster Explorer > More Resources > RBAC > ClusterRoles	Roles to be grouped & appropriate	Grouping accurate and scoped	✅