Red Hat Advanced Cluster Management: ACM-3640

Regular Users Can't Create Apps in ACM GUI Without Subscription-Admin RoleBinding



      Description of problem:

      A regular user in OCP can't create the namespace-based resources or the channel related to deploying an app using the GUI in ACM. The only way around this is to give the user the subscription-admin clusterrolebinding. The issue with this is that the regular user can then see all applications deployed to the cluster and even make changes to them.

      Version-Release number of selected component (if applicable):

      OCP 4.11.25 ACM 2.7

      How reproducible:

      Try to create an application in the ACM GUI as a regular user without the subscription-admin clusterrolebinding.

      Steps to Reproduce:

      1. On my hub cluster, I created a user called ocpuser who is an admin in the ocpproject namespace.

      2. I also added the clusterrolebinding open-cluster-management:admin:local-cluster to local-cluster (which is my hub).

      3. I log in to the OCP console and go to ACM --> Applications. I attempt to deploy a Git-based application in the ocpproject namespace.

      Actual results:

      I get the following error: "You are not authorized to complete this action. See your cluster administrator for role-based access control information."

      When doing this on the command line (using the YAML from the GUI), the following messages appear:

      [root@bd-hop ~]# oc create -f test.yaml
      application.app.k8s.io/drivetester created
      subscription.apps.open-cluster-management.io/drivetester-subscription-1 created
      placementrule.apps.open-cluster-management.io/drivetester-placement-1 created
      Error from server (Forbidden): error when creating "test.yaml": namespaces is forbidden: User "ocpuser" cannot create resource "namespaces" in API group "" at the cluster scope
      Error from server (Forbidden): error when creating "test.yaml": channels.apps.open-cluster-management.io is forbidden: User "ocpuser" cannot create resource "channels" in API group "apps.open-cluster-management.io" in the namespace "ggithubcom-kcalliga-drivetester-ns"

      Expected results:

      I would expect to be able to create all the resources needed for deploying an application as a regular user, but don't want to give this user all privileges (which subscription-admin does).
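The two Forbidden errors in the oc output above name exactly which grants ocpuser is missing: create on namespaces at cluster scope, and create on channels in the channel's namespace. The following is an added example, not part of this issue or of the ACM project, showing the namespace-scoped alternative to binding the cluster-wide subscription-admin role. It covers only the resource kinds that appear in the oc output (applications.app.k8s.io, subscriptions, placementrules and channels in apps.open-cluster-management.io) and scopes them to the ocpproject namespace from the report. The Role and RoleBinding names, the verb list, and the assumption that the default admin role in ocpproject does not already cover the ACM CRDs are mine, not from the issue.

```yaml
# Added example (not from the issue): namespace-scoped RBAC for ocpuser
# instead of the cluster-wide subscription-admin ClusterRoleBinding.
#
# Weak setting described in the issue: binding subscription-admin to a
# regular user lets that user see and edit every application on the hub.
# A namespaced Role limits the grant to the one project the user owns.
#
# Names acm-app-deployer and acm-app-deployer-ocpuser are assumptions;
# the API groups and resource kinds are the ones shown in the oc output.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: acm-app-deployer            # assumed name
  namespace: ocpproject             # namespace from the report
rules:
  - apiGroups: ["apps.open-cluster-management.io"]
    resources: ["channels", "subscriptions", "placementrules"]
    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
  - apiGroups: ["app.k8s.io"]
    resources: ["applications"]
    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: acm-app-deployer-ocpuser    # assumed name
  namespace: ocpproject
subjects:
  - kind: User
    name: ocpuser                   # user from the report
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: acm-app-deployer
  apiGroup: rbac.authorization.k8s.io
# Check the effective grant as the user without creating anything
# (impersonation with --as requires a cluster-admin session):
#   oc apply -f acm-app-deployer-rbac.yaml
#   oc auth can-i create channels.apps.open-cluster-management.io -n ocpproject --as ocpuser
#   oc auth can-i create applications.app.k8s.io -n ocpproject --as ocpuser
#   oc auth can-i create namespaces --as ocpuser     # expected: no
```

This Role deliberately does not grant the cluster-scoped namespaces create that the GUI-generated YAML also asked for: that grant cannot be namespaced, so the Channel has to be placed in a namespace the user already administers (ocpproject here) rather than in the auto-generated ggithubcom-kcalliga-drivetester-ns namespace. The can-i checks show the difference from subscription-admin directly: the user can create ACM application resources in ocpproject and still gets "no" for channels in any other namespace and for namespaces at cluster scope.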

      Additional info:

      People: Maggie Chen (magchen@redhat.com), Keith Calligan (kcalliga@redhat.com), Ishmam Amin