OpenShift Bugs: OCPBUGS-56707

A normal user without a project could see only part of the roles list.


    • Bug
    • Resolution: Unresolved
    • Undefined
    • 4.20.0
    • 4.19, 4.20
    • Management Console
    • Quality / Stability / Reliability
    • False
    • Moderate
    • Proposed
    • Bug Fix
    • Before this update, users without a project saw only part of the Roles list because of insufficient role-based access control (RBAC) permissions. This update fixes the access logic. As a result, these users can no longer open the Roles page, keeping sensitive data secure. (link:https://issues.redhat.com/browse/OCPBUGS-56707[OCPBUGS-56707])

      Description of problem:

      A normal user without a project opened the 'User management' -> 'Roles' page and could see only part of the roles list.

      Version-Release number of selected component (if applicable):

          4.19.0-0.nightly-2025-05-26-074247

      How reproducible:

      Always

      Steps to Reproduce:

          1. As a normal user without a project, open the 'User management' -> 'Roles' page.

      Actual results:

      1. The user could see only part of the roles list and could not scroll down the page.

      Expected results:

      1. For a user without a project, it seems no roles should be shown at all. See the output from the client:
      [yanpzhan@fedora ~]$ oc get roles.rbac.authorization.k8s.io --all-namespaces
      Error from server (Forbidden): roles.rbac.authorization.k8s.io is forbidden: User "testuser-31" cannot list resource "roles" in API group "rbac.authorization.k8s.io" at the cluster scope
      [yanpzhan@fedora ~]$ oc get roles.authorization.openshift.io --all-namespaces
      Error from server (Forbidden): roles.authorization.openshift.io is forbidden: User "testuser-31" cannot list resource "roles" in API group "authorization.openshift.io" at the cluster scope
      
          
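      The access check the release note describes, as an added example that is not the console's own code: the Roles page state is derived from a cluster-scoped SelfSubjectAccessReview for `list roles` in both API groups queried above, and a constructed fake API server (hypothetical, as are the function and user names) answers the way the cluster in this report does.

```javascript
// Added example, not the OpenShift console's own code. The Roles page is
// rendered only when the API server explicitly allows a cluster-scoped
// `list roles`; a partial or denied answer maps to the 403 view.

// SelfSubjectAccessReview body for `list roles` in one API group. No
// `namespace` is set, so the question is asked at cluster scope, which is
// what a Roles page spanning all projects needs.
function buildRolesListReview(group) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: { group, resource: 'roles', verb: 'list' } },
  };
}

// Both API groups the bug report queries with `oc get ... --all-namespaces`.
const ROLE_GROUPS = ['rbac.authorization.k8s.io', 'authorization.openshift.io'];

// Decide the page state from the completed reviews. Every review must carry
// status.allowed === true and not status.denied; an empty list, a missing
// status or any denial yields 'forbidden', so no partial table is ever shown.
function rolesPageState(reviews) {
  const allAllowed =
    reviews.length > 0 &&
    reviews.every((r) => r && r.status && r.status.allowed === true && !r.status.denied);
  return allAllowed ? 'list' : 'forbidden';
}

// Constructed stand-in for the API server (hypothetical; the real console
// goes through its API proxy). It mirrors the report: a user with no project
// is Forbidden at cluster scope, while a cluster-admin is allowed.
function fakeApiServer(user) {
  return function post(review) {
    const allowed = user === 'cluster-admin';
    const status = allowed
      ? { allowed: true }
      : { allowed: false, reason: `User "${user}" cannot list resource "roles" at the cluster scope` };
    return { ...review, status };
  };
}

// Full check for one user: post one review per API group, then decide.
function rolesPageStateFor(user, post = fakeApiServer(user)) {
  return rolesPageState(ROLE_GROUPS.map((group) => post(buildRolesListReview(group))));
}
```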

      Additional info:

      
          

              rhn-engineering-rhamilto Robb Hamilton
              rhn-support-yanpzhan Yanping Zhang
              Yanping Zhang
              Jocelyn Sese