Red Hat Advanced Cluster Management
ACM-26093

Search - cluster-admin RBAC check should check * verbs instead of list only


      Description of problem:

      Search has an RBAC check for cluster-admin equivalent permissions:

      https://github.com/stolostron/search-v2-api/blob/bf6b202dfe3439dadf1579309d6c5f484ca4b423/pkg/resolver/rbacHelper.go#L18-L22

      However it is only checking for list permissions:

      https://github.com/stolostron/search-v2-api/blob/bf6b202dfe3439dadf1579309d6c5f484ca4b423/pkg/rbac/userData.go#L150-L159

      It is debatable whether this is how it should work or not. If the goal is to check for cluster-admin specifically, then the check should be equivalent to:

      oc auth can-i '*' '*' -A

      While cluster-admin will have list permissions, the question is whether we should consider someone who only has "oc auth can-i 'list' -A" permissions a cluster-admin and show them all resources on the hub and managed clusters. If we only check list, we are verifying they can see everything on the hub, but we don't know for sure they have access to the managed clusters. If a user only has list, they would not have permission to create managedclusterviews.
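      The difference between the two checks, as an added illustration that is not search-v2-api code: a simplified RBAC rule matcher (the Rule type and all function names are constructed for this example) shows that a read-only role satisfies a "list on everything" check but not a "'*' verbs on '*' resources" check, and builds the SelfSubjectAccessReview body that corresponds to the oc auth can-i command above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Rule is a simplified RBAC PolicyRule: the verbs and resources it grants.
// Constructed for this example; not the client-go or search-v2-api types.
type Rule struct {
	Verbs     []string
	Resources []string
}

// matches applies RBAC wildcard semantics: a granted "*" matches any request,
// but a request for "*" is only satisfied by a granted "*".
func matches(granted []string, want string) bool {
	for _, g := range granted {
		if g == "*" || g == want {
			return true
		}
	}
	return false
}

// allowed reports whether any rule permits verb on resource.
func allowed(rules []Rule, verb, resource string) bool {
	for _, r := range rules {
		if matches(r.Verbs, verb) && matches(r.Resources, resource) {
			return true
		}
	}
	return false
}

// isClusterAdminListOnly is the weak check the issue describes: list on all resources.
func isClusterAdminListOnly(rules []Rule) bool { return allowed(rules, "list", "*") }

// isClusterAdminAllVerbs is the stricter check: '*' verbs on '*' resources.
func isClusterAdminAllVerbs(rules []Rule) bool { return allowed(rules, "*", "*") }

// selfSubjectAccessReview builds the authorization.k8s.io/v1 SelfSubjectAccessReview
// body equivalent to `oc auth can-i <verb> <resource> -A` (empty namespace = all).
func selfSubjectAccessReview(verb, resource string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"apiVersion": "authorization.k8s.io/v1",
		"kind":       "SelfSubjectAccessReview",
		"spec": map[string]interface{}{
			"resourceAttributes": map[string]string{"namespace": "", "verb": verb, "resource": resource},
		},
	})
}

func main() {
	readOnly := []Rule{{Verbs: []string{"get", "list", "watch"}, Resources: []string{"*"}}} // constructed view-only role
	fmt.Println(isClusterAdminListOnly(readOnly), isClusterAdminAllVerbs(readOnly))      // true false
}
```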

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

      1.  
      2.  
      3. ...

      Actual results:

      Expected results:

      Additional info:

              jpadilla@redhat.com Jorge Padilla
              rh-ee-mshort Matthew Short
              Atif Shafi Atif Shafi