Cluster Member access shouldn't be allowed to navigate to Edit Cluster page #25516

Closed
izaac opened this issue Feb 21, 2020 · 5 comments

izaac commented Feb 21, 2020

What kind of request is this (question/bug/enhancement/feature request):
Bug

Steps to reproduce (least amount of steps as possible):

  • Install Rancher 2.4 master-head (02/21/2020) commit id: dad5836
  • Create a new test user testuser1 in Global -> Security -> Users.
  • Create a Custom Cluster; it is not necessary to add the nodes. (The cluster will be in Provisioning state.)
  • Add this testuser1 as Cluster Member and save the cluster.
  • Log in as testuser1 and go to Global -> Clusters -> Edit

Result:

The user is able to see the Edit page, but this user is not allowed to edit the cluster (only projects).

Other details that may be helpful:

Environment information

  • Rancher version: 2.4 master-head (02/21/2020) commit id: dad5836
  • Installation option (single install/HA): single
izaac added the kind/bug label Feb 21, 2020
izaac added this to the v2.4 milestone Feb 21, 2020
izaac self-assigned this Feb 21, 2020
izaac added the team/ui label Feb 21, 2020

izaac commented Feb 21, 2020

This is also reproducible in Rancher v2.3.5


sangeethah commented Feb 24, 2020

We should be able to suppress the forbidden error message that shows up on this page, if we are not able to restrict access to the "Edit cluster" page.

@vincent99

This is the lack of "dynamic RBAC" and not new or specific to clusters. The API does not provide the information to know if you can edit or not in advance. #11165

@westlywright

I can fix the double messages though.

@westlywright

@sangeethah @izaac I spoke too soon. The error messages you are seeing are valid. Part of creating a custom cluster is getting/creating a cluster token. The first thing the UI does is check for the existence of the token, and if we don't have one we create a new one. In this case, because of the user's permissions, they do not have access to the cluster token and we try to create one. Since we don't have dynamic RBAC, there is no way for the UI to know that this is a permissions issue and hence hide those messages. Until the UI has dynamic RBAC there is not much we can do about any of this.

westlywright removed their assignment Mar 6, 2020
zube bot removed the [zube]: Working label Mar 6, 2020
zube bot removed the [zube]: Done label Oct 13, 2020