You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the members section, attempt to assign a user the Read-only role
Actual result:
you'll get an error message that says
Validation failed in API: Cannot edit context [project] from [cluster] context
Note that the cluster will actually get created, just that member won't get assigned.
Expected result:
Should be able to successfully create the cluster
More notes:
This is because the role that is being used for read-only is actually a project scoped role (it shows up on the Projects tab of the roles page and if you view it in the api, you can see that scope = "project"). In a recent release, we added validation to prevent using a project scoped role for cluster memberships (and vice versa).
So, the UI should not be presenting this role on this page (it is not presented on the stand-alone cluster members page).
But we might also want to consider adding a new "Cluster read-only" role. The question is what should a cluster read-only role actually do?
Should you be able to see every workload in every namespace with it? If so, it would actually have MORE viewing permissions than a normal Cluster member. Should it just be able to see a few things like members, projects, and nodes? I am not sure one-size is going to fit all here and we might want to leave this to the user to define by creating their own custom cluster role.
Version:
v2.2.8
gzrancher/rancher#6196
The text was updated successfully, but these errors were encountered:
cjellick
added
the
kind/bug
Issues that are defects reported by users or that we know have reached a real release
label
Sep 24, 2019
Steps to reproduce:
Actual result:
you'll get an error message that says
Note that the cluster will actually get created, just that member won't get assigned.
Expected result:
Should be able to successfully create the cluster
More notes:
This is because the role that is being used for read-only is actually a project scoped role (it shows up on the Projects tab of the roles page and if you view it in the api, you can see that scope = "project"). In a recent release, we added validation to prevent using a project scoped role for cluster memberships (and vice versa).
So, the UI should not be presenting this role on this page (it is not presented on the stand-alone cluster members page).
But we might also want to consider adding a new "Cluster read-only" role. The question is what should a cluster read-only role actually do?
Should you be able to see every workload in every namespace with it? If so, it would actually have MORE viewing permissions than a normal Cluster member. Should it just be able to see a few things like members, projects, and nodes? I am not sure one-size is going to fit all here and we might want to leave this to the user to define by creating their own custom cluster role.
Version:
v2.2.8
gzrancher/rancher#6196
The text was updated successfully, but these errors were encountered: