DYNAMIC RBAC User added to a cluster with "manage-cluster-members" is not able to modify users of the cluster. #11116

Closed
sangeethah opened this issue Jan 24, 2018 · 4 comments
Labels
area/rbac kind/bug Issues that are defects reported by users or that we know have reached a real release

Comments

@sangeethah
Contributor

sangeethah commented Jan 24, 2018

Rancher versions: v2.0 built on Jan 23

Steps to reproduce the problem:
Create a cluster c1.
Create a project P1.
Add "user1" with "manage-cluster-member" option.

Log in as user1.
Try to edit cluster c1 and add a new user to the cluster.

This fails with

clusters.management.cattle.io "cluster-xr7k6" is forbidden: User "user-c85lg" cannot update clusters.management.cattle.io at the cluster scope

The request made by the UI is an edit-cluster request, which the user does not have access to, so it fails:

Request URL:https://***/v3/clusters/cluster-xr7k6
Request Method:PUT
Status Code:403 Forbidden
Remote Address:*:443

We should be able to decouple the edit cluster action and add/edit member to cluster action.

@sangeethah sangeethah added kind/bug Issues that are defects reported by users or that we know have reached a real release area/ui labels Jan 24, 2018
@westlywright westlywright self-assigned this Jan 29, 2018
@westlywright
Contributor

@sangeethah I think this should be an API issue. If we want to change the way a role functions, I don't think that should be happening on the front end, and this seems to be a permission error coming from the API, not the UI.

cc @deniseschannon

@westlywright westlywright removed their assignment Jan 29, 2018
@deniseschannon deniseschannon added this to the v2.0 - MS2 milestone Jan 29, 2018
@vincent99 vincent99 removed the area/ui label Feb 6, 2018
@deniseschannon deniseschannon modified the milestones: v2.0 - MS3, v2.0 - GA Feb 28, 2018
@cjellick

cjellick commented Mar 5, 2018

@westlywright to be clear, the role does exactly what it states: gives the permission to CRUD members of the cluster (POST/PUT/DELETE CRTBs). But the UI throws in a PUT to the cluster to update the name/description which has nothing to do with managing members and that is failing. Looks like this will be addressed as part of dynamic RBAC, wherein the API will remove the update link from the cluster and the UI will key off of its presence/absence to do the PUT.

More details here:
#11105

Will keep the discussion thread in that issue

@deniseschannon

If you update the members from the members tab of a cluster, you will be able to manage cluster membership. The reason why it doesn't work in "Edit Cluster" is because you are trying to also edit the cluster, which you don't have permissions for.
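
As an added illustration of the behaviour described in the two comments above (not code from Rancher or its UI): a client keys off the cluster's `update` link before sending the cluster PUT, and sends membership changes as separate CRTB requests. The resource shape, the CRTB collection path, the binding field names and the sample IDs are assumptions made for this sketch.

```javascript
// Added example: decide which requests a "save" should send for a cluster edit.
// Assumed (not from the issue): `links.update`/`links.self` shape, the CRTB
// collection path, and the binding field names.
const CRTB_COLLECTION = '/v3/clusterroletemplatebindings'; // assumed path

function planClusterSave(cluster, edits) {
  const requests = [];
  const skipped = [];

  // Only name/description changes need update rights on the cluster itself.
  const changed = ['name', 'description'].filter(
    (f) => edits[f] !== undefined && edits[f] !== cluster[f]
  );
  const canUpdate = Boolean(cluster.links && cluster.links.update);

  if (changed.length > 0) {
    if (canUpdate) {
      const body = {};
      for (const f of changed) body[f] = edits[f];
      requests.push({ method: 'PUT', url: cluster.links.update, body });
    } else {
      // No update link: the API would answer 403, so the PUT is not sent.
      skipped.push({ reason: 'no update link on cluster', fields: changed });
    }
  }

  // Membership changes go to CRTB resources, never through the cluster PUT.
  for (const m of edits.addMembers || []) {
    requests.push({
      method: 'POST',
      url: CRTB_COLLECTION,
      body: { clusterId: cluster.id, userId: m.userId, roleTemplateId: m.roleTemplateId },
    });
  }
  for (const bindingId of edits.removeBindings || []) {
    requests.push({ method: 'DELETE', url: `${CRTB_COLLECTION}/${encodeURIComponent(bindingId)}` });
  }
  return { requests, skipped };
}

// Constructed sample: the cluster as seen by a user holding only manage-cluster-members.
const asMemberManager = {
  id: 'cluster-xr7k6', name: 'c1', description: '',
  links: { self: '/v3/clusters/cluster-xr7k6' }, // no `update` link
};
const plan = planClusterSave(asMemberManager, {
  name: 'c1', addMembers: [{ userId: 'user-example', roleTemplateId: 'cluster-member' }],
});
console.log(JSON.stringify(plan, null, 2));
```

The server-side authorization check stays the source of truth; the link check only stops the client from bundling an unrelated cluster update into a membership change.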

@deniseschannon

When confirming that this use case is working, we should also test CLI to ensure that this use case in this issue is also fixed: #12892

@cjellick cjellick changed the title User added to a cluster with "manage-cluster-members" is not able to modify users of the cluster. DYNAMIC RBAC User added to a cluster with "manage-cluster-members" is not able to modify users of the cluster. Jul 9, 2018
@deniseschannon deniseschannon modified the milestones: v2.1, v2.2 Aug 21, 2018
@cjellick cjellick modified the milestones: v2.2, Backlog Sep 18, 2018
@deniseschannon deniseschannon removed this from the Unscheduled milestone Jul 2, 2021