  1. OpenShift Virtualization
  2. CNV-40419

Button "Customize VirtualMachine" disabled due to processedtemplate permission


    • Bug
    • Resolution: Done-Errata
    • CNV v4.16.0
    • CNV User Interface

      We are using OCP 4.14.11 along with OpenShift Virtualization 4.14.4.

      We logged into OpenShift web console using a user with customized RBAC access rights. We went to Virtualization -> Catalog and clicked on Fedora VM template. In the dialog that opened up, the "Customize VirtualMachine" button was disabled (grayed out). It took us some investigation to figure out why the button was disabled while all other OpenShift Virtualization functionality worked normally.

      It turned out that the state of the "Customize VirtualMachine" button is determined by the result of a selfsubjectaccessreview request. This request checks that the user is allowed to create a processedtemplate resource.

      There are two processedtemplates resources in the OpenShift API:

      1. The original processedtemplates that is part of core API group "".
      2. The successor processedtemplates that is part of the template.openshift.io API group.

      Unfortunately, the selfsubjectaccessreview that determines the state of the "Customize VirtualMachine" button checks the processedtemplates in the core API group while other code in OpenShift Virtualization console plugin uses the processedtemplates from the template.openshift.io group. This led to confusion for us. See the three screenshots attached below.

      In the customize_virtualmachine_1.png screenshot, if a user tries to instantiate a template, the error "processedtemplates.template.openshift.io is forbidden" is displayed.

      We assigned the user a clusterrole like this one to resolve the issue:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: example-1
      rules:
      - apiGroups:
        - template.openshift.io
        resources:
        - processedtemplates
        verbs:
        - create 

      After assigning the clusterrole, the message disappeared but the "Customize VirtualMachine" remained disabled. See the screenshot customize_virtualmachine_2.png.

      After a longer investigation, we finally figured out how to fix the button. We had to assign the user the following clusterrole:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: example-1
      rules:
      - apiGroups:
        - ''
        resources:
        - processedtemplates
        verbs:
        - create

      The screenshot customize_virtualmachine_3.png shows the fixed "Customize VirtualMachine" button.

      It seems to me this issue could be fixed by changing the selfsubjectaccessreview request to include the group template.openshift.io. The request sent by the OpenShift Virtualization plugin shown in customize_virtualmachine_1.png would change to:

      {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {
          "resourceAttributes": {
            "namespace": "default",
            "resource": "processedtemplates",
            "verb": "create",
            "group": "template.openshift.io"
          }
        }
      }

       

            upalatuc@redhat.com Ugo Palatucci
            anosek@redhat.com Ales Nosek
            Guohua Ouyang Guohua Ouyang
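
The mismatch described in the report can be reproduced offline with a small model of RBAC rule matching. This is an added example, not code from the OpenShift Virtualization plugin or from the reporter; it assumes that a review with no group means the core group "", and it does not model resourceNames, subresources or role aggregation. The function and constant names are hypothetical.

```python
# Added example: simplified model of Kubernetes RBAC PolicyRule matching.
# Not modelled: resourceNames, subresources, nonResourceURLs, role aggregation.
CORE, TEMPLATE = "", "template.openshift.io"

def sar(group=None, namespace="default"):
    """Build a SelfSubjectAccessReview body; an omitted group means the core group."""
    attrs = {"namespace": namespace, "resource": "processedtemplates", "verb": "create"}
    if group is not None:
        attrs["group"] = group
    return {"apiVersion": "authorization.k8s.io/v1",
            "kind": "SelfSubjectAccessReview",
            "spec": {"resourceAttributes": attrs}}

def rule_allows(rule, attrs):
    """True if a single PolicyRule covers the requested group, resource and verb."""
    def covers(granted, wanted):
        return "*" in granted or wanted in granted
    return (covers(rule.get("apiGroups", []), attrs.get("group", CORE))
            and covers(rule.get("resources", []), attrs["resource"])
            and covers(rule.get("verbs", []), attrs["verb"]))

def review(rules, body):
    """Evaluate a review body against the union of the user's rules."""
    attrs = body["spec"]["resourceAttributes"]
    return any(rule_allows(rule, attrs) for rule in rules)

def outcome(rules, gate_group=None):
    """Return (button enabled by the UI gate, template instantiation authorized)."""
    return review(rules, sar(gate_group)), review(rules, sar(TEMPLATE))

def make_rule(group):
    return {"apiGroups": [group], "resources": ["processedtemplates"], "verbs": ["create"]}

# The two ClusterRole rule sets from the report.
ROLE_TEMPLATE_GROUP = [make_rule(TEMPLATE)]
ROLE_CORE_GROUP = [make_rule(CORE)]

if __name__ == "__main__":
    cases = [("template.openshift.io rule only", ROLE_TEMPLATE_GROUP),
             ("core group rule only", ROLE_CORE_GROUP),
             ("both rules", ROLE_TEMPLATE_GROUP + ROLE_CORE_GROUP)]
    for label, rules in cases:
        print(label, "current gate:", outcome(rules),
              "proposed gate:", outcome(rules, TEMPLATE))
```

With the gate moved to template.openshift.io, the button state and the instantiation result agree for every rule set, so a least-privilege role needs only the template.openshift.io rule.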