Snapshot create/restore and rotate certificate actions not available for a Standard user (RKE1)

[timhaneunsoo]

Setup

• Rancher version: v2.6-head 7efbeab
• Browser type & version: Chrome Version 97.0.4692.99

Describe the bug

The following snapshot related actions are not available for a Std user.

• Take Snapshot
• Restore Snapshot
• Rotate Certificates

To Reproduce

1. Deploy an RKE1 custom cluster
2. Take a few snapshots
3. On the Cluster Management page, find snapshot related actions

Result
On the Cluster Management page, snapshot related actions are not available

• I can access Restore when I navigate to Cluster details --> Snapshot -->Select snapshot --> Restore.

Expected Result

Restore Snapshot should be available to standard user on Cluster Management page

Screenshots

Context

The behavior for the snapshot related actions need to be consistent between standard users and admin

Standard users will be able to access the snapshot related functions as intended

[neillsom]

The issue appears to be that a standard user does not have backupEtcd as an available k8s action

As admin

As standard user

We can bypass the logic to enable a standard user to have the UI 'take snapshot' and 'restore snapshot' functionality, but these will result in a 403 error

Non-admin user attempting to take snapshot

[nwmac]

@neillsom This is labelled in Review, but I don't see a PR for this. If the backend is not proving the backupEtcd action for a standard user, and they should be able to snapshot, then we need a backend fix, so we should open an issue in rancher/rancher.

[timhaneunsoo]

@neillsom For clarification, the standard user is also the cluster owner in this case.

[neillsom]

Rancher/rancher issue rancher/rancher#36757

[gaktive]

Based on rancher/rancher#36757 (comment), the backend appears to be working as designed.

@neillsom can you review @MbolotSuse's comment and see if there is anything else that we need the backend to help out with?

[gaktive]

Backend ticket marked as closed with comments indicating it's working as designed there. @neillsom do you have enough now to work on this?

[nwmac]

I have updated the backend issue and re-opened it - this works for RKE2 but NOT for RKE1

[catherineluse]

Should this be in the v2.6.4 release notes under known issues? Cc @jtravee

[jtravee]

Should this be in the v2.6.4 release notes under known issues? Cc @jtravee

I think it should be. I'll add it to the RN and add the label here as well, thanks!

[gaktive]

Backend may have a fix now. It's in QA's hands so UI may be unblocked. @MbolotSuse is that true?

[gaktive]

@neillsom we're unblocked on this again.

[MbolotSuse]

@gaktive Sorry for not letting you know. We have the fix code available in master. Still needs to go through QA and all though.

[gaktive]

Thanks @MbolotSuse; we'll keep this in Next Up but lower on the stack in case.

[gaktive]

Backend work passed QA yesterday. Not sure if UI has time to get this in for 2.6.5 but we'll see.

[nwmac]

I have validated that given the backend changes, this is now working in the UI - moving to Test for QA to validate and sign-off.

[timhaneunsoo]

timhaneunsoo said: ### Test Environment: ###
Rancher version: v2.6-head 7db4fe4
Rancher cluster type: HA
Docker version: 20.10

Downstream cluster type: EC2 rke1 node driver

---

Testing:

Tested this issue with the following steps:

1. Create rke1 node driver cluster as Standard user

Result - Pass

Standard users are now able to access snapshot related functions as intended on Cluster Management page