Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-1041

OCP 4.3: non cluster admin user cannot create smcp from OCP console UI

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Done
    • maistra-1.0.2
    • maistra-1.1.x
    • upstream
    • None

    Description

      OCP 4.3 changed the console UI Operators section permission. In previous OCP (OCP 4.1, 4.2) user is able to create a SMCP from console UI after login as a non cluster-admin user. In OCP 4.3 console UI, Installed Operators shows

      Restricted Access
      You don't have access to this section due to cluster policy.

      Error details
      subscriptions.operators.coreos.com is forbidden: User "qe1" cannot list resource "subscriptions" in API group "operators.coreos.com" at the cluster scope

      A non cluster-admin user ("qe1" above) cannot access the OSSM operator UI section. So this blocks a SMCP and SMMR creation from console UI.
      However, we can create a SMCP from CLI when we login as a non cluster-admin user successfully.

      OCP version: https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.3/openshift-install-linux-4.3.0-0.nightly-*.tar.gz
      OSSM version: 1.0.3
      Environment: OCP 4.3 on AWS

      non cluster-admin user creation step:
      $ htpasswd -c -B -b users.htpasswd qe1 "${QE1_PWD:-qe1pw}"
      $ oc -n openshift-config create secret generic htpass-secret --from-file=htpasswd=users.htpasswd
      $ oc apply -f <(cat <<EOF
      apiVersion: config.openshift.io/v1
      kind: OAuth
      metadata:
      name: cluster
      spec:
      identityProviders:

      • name: my_htpasswd_provider
        mappingMethod: claim
        type: HTPasswd
        htpasswd:
        fileData:
        name: htpass-secret
        EOF
        )

      Attachments

        Issue Links

          Activity

            People

              yuaxu@redhat.com Yuanlin Xu
              yuaxu@redhat.com Yuanlin Xu
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: