Actions that cannot be performed by a Cluster member are available on an RKE1 cluster in a rancher setup when RKE2 flag is disabled #35828
Comments
|
Pushing out a version based on time. @sowmyav27 was it all actions or any specific ones? |
|
Another link to hide, should be simple. |
|
My checks FAILED Reproduction Environment: Rancher version: v2.6.0 and also tried v2.6-b43e4d955c8fdbb85bbbba1962937b0abbdf4a09-head image Downstream cluster type: rke1 Reproduction steps:
Additionally, if I tried to force UI assets to only use "Local" instead of "Dynamic" I could not see the "Take Snapshot" action as a cluster member. I could only also see the "Take Snapshot" action if I created a new user and gave them the "Cluster Owner" role, not cluster member. Still -- we can check to confirm that we can no longer see the "Download Kubeconfig" option as a cluster member when I validate. Validation Environment: Rancher version: v2.6-head Downstream cluster type: rke1 Validation steps:
At first I thought this might be some strange browser caching issue or something. I tried to refresh my incognito browser and I still see all these actions as a cluster member (more than before the change). I then completely closed out my incognito browser and opened it again, logged in as the standard user (cluster member) and still saw the same result. |
|
@davidnuzik What actions are you expecting to see with each user type? For:
If the visibility of these 2 is the issue, then we will need to transfer this to the backend team to ensure the action metadata is correctly provided for the given user/cluster. |
|
@sowmyav27 Is there someone who can answer the question on this issue? |
|
@nwmac Here is a comparison if this helps. We should see this (RKE2 feature flag enabled (default) or not actually based on my tests -- I don't think the feature flag matters) But instead, we see this on RKE1 clusters, however members do not have permission to take snapshots (and restore snapshots) and rotate certs. Snapshot commands and rotating certs should not be shown on RKE1 clusters in the Vue UI when the user is a cluster member. |
|
@davidnuzik I've checked the UI code - for snapshots, we check for the action I will transfer to rancher/rancher for the backend team to have a look to ensure that the actions are returned correctly based on the user's permissions. |
Jono-SUSE-Rancher
added
[zube]: Team Area 2
team/hostbusters
|
It's possible that controller(s) that should be tied to V2 provisioning flag are controlled by RKE2 flag instead. We may need to switch which flag enables these controllers. |
snasovich
removed
the
release-note
|
I reproduced this on a local single node DO RKE1 cluster, with the RKE2 flag both enabled and disabled. Both times I saw the PR in with fix #35963. |
Testing templateRoot causeA standard cluster member on an RKE1 cluster was seeing options reserved for a cluster admin because the logic in the Norman API on what actions to make permissible to a user was incorrect. What was fixed, or what changes have occurred
Areas or cases that should be tested
What areas could experience regressions ?Rancher UI actions list for an RKE1 cluster if logic is overwritten. Are the repro steps accurate/minimal ?Yes. |
|
Reproduction Setup
Reproduction Steps
Result The actions available in the dropdown are not the permissible actions of a standard user. **Setup For Validation **
Results The correct actions are available. Screenshot Reproduction Screenshot: Validation Screenshot: |
On 2.6-head commit id:
b43e4d9Actions that cannot be performed by a Cluster member are available on an RKE1 cluster in a rancher setup when RKE2 flag is disabled
The text was updated successfully, but these errors were encountered: