Cannot assign the read-only role to a member on the cluster creation page #23061

Closed
cjellick opened this issue Sep 24, 2019 · 3 comments
Labels
internal kind/bug Issues that are defects reported by users or that we know have reached a real release
@cjellick

cjellick commented Sep 24, 2019

Steps to reproduce:

  1. Go to cluster creation page
  2. In the members section, attempt to assign a user the Read-only role

Actual result:
You'll get an error message that says:

Validation failed in API: Cannot edit context [project] from [cluster] context

Note that the cluster will actually get created, just that member won't get assigned.

Expected result:
Should be able to successfully create the cluster

More notes:
This is because the role that is being used for read-only is actually a project-scoped role (it shows up on the Projects tab of the roles page and if you view it in the API, you can see that scope = "project"). In a recent release, we added validation to prevent using a project-scoped role for cluster memberships (and vice versa).

So, the UI should not be presenting this role on this page (it is not presented on the stand-alone cluster members page).

But we might also want to consider adding a new "Cluster read-only" role. The question is what should a cluster read-only role actually do?
Should you be able to see every workload in every namespace with it? If so, it would actually have MORE viewing permissions than a normal Cluster member. Should it just be able to see a few things like members, projects, and nodes? I am not sure one-size is going to fit all here and we might want to leave this to the user to define by creating their own custom cluster role.

Version:
v2.2.8

gzrancher/rancher#6196
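The two layers described in this report, as an added example that is not part of the original issue and is not Rancher's code: the form offers only roles whose scope matches the page, and the API still rejects a mismatched binding. `RoleTemplate`, `RolesForScope`, `ValidateBinding` and the role IDs are hypothetical; the error text follows the message quoted above.

```go
package main

import (
	"errors"
	"fmt"
)

// RoleTemplate is a hypothetical stand-in for a role definition.
// Scope is "project" or "cluster", as described in the issue.
type RoleTemplate struct {
	ID    string
	Scope string
}

var ErrUnknownRole = errors.New("unknown role")

// RolesForScope is the UI-side fix: list only roles valid for this page.
func RolesForScope(roles []RoleTemplate, scope string) []RoleTemplate {
	var out []RoleTemplate
	for _, r := range roles {
		if r.Scope == scope {
			out = append(out, r)
		}
	}
	return out
}

// ValidateBinding is the API-side check. It must stay in place even when the
// UI filters, because a client can submit any role ID directly to the API.
func ValidateBinding(roles []RoleTemplate, roleID, bindingScope string) error {
	for _, r := range roles {
		if r.ID != roleID {
			continue
		}
		if r.Scope != bindingScope {
			return fmt.Errorf("Cannot edit context [%s] from [%s] context", r.Scope, bindingScope)
		}
		return nil
	}
	return fmt.Errorf("%w: %s", ErrUnknownRole, roleID)
}

func main() {
	roles := []RoleTemplate{ // constructed sample data
		{"read-only", "project"}, {"cluster-member", "cluster"}, {"cluster-owner", "cluster"},
	}
	fmt.Println(RolesForScope(roles, "cluster"))                // dropdown on the cluster page
	fmt.Println(ValidateBinding(roles, "read-only", "cluster")) // rejected by the API
}
```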

cjellick added the kind/bug label Sep 24, 2019
@cjellick
Author

Update: already addressed in v2.3.0 by removing read-only from the dropdown

@maggieliu

@sangeethah can we confirm if this is fixed in 2.4?

@jiaqiluo
Member

jiaqiluo commented Oct 7, 2020

The bug fix is validated in v2.4-3786-head

It confirms that there is no project-level role in the dropdown list when creating the cluster.


And we can assign a user with a custom role when creating the cluster, and the cluster is created successfully.

@jiaqiluo jiaqiluo closed this as completed Oct 7, 2020
@zube zube bot removed the [zube]: Done label Jan 6, 2021