
CKS in Advanced Zone with SG: Error Message in CKS Details View

Open MejdiB opened this issue 2 years ago • 7 comments

ISSUE TYPE
  • Bug Report
COMPONENT NAME
Kubernetes, UI
CLOUDSTACK VERSION
4.17.2
Environment
Advanced Zone with Security Groups
SUMMARY

When users create a Kubernetes cluster, an error message appears when they open the CKS Details View: Acct[2d2ceae0-1a9d-48af-9a95-ca7f300138ac-acc1] -- Account {"id": 8, "name": "acc1", "uuid": "2d2ceae0-1a9d-48af-9a95-ca7f300138ac"} does not have permission to operate with resource


The error message does not appear when users in Admin Role access the CKS.

MejdiB avatar Jun 23 '23 14:06 MejdiB

@MejdiB with what user role did you deploy k8s cluster?

kiranchavala avatar Jun 27 '23 04:06 kiranchavala

@kiranchavala The error occurs when I deploy with Role: user

MejdiB avatar Jun 27 '23 12:06 MejdiB

@MejdiB this looks like a lack of configured permissions on the role. You should review the Kubernetes API permissions that you have added to the user role you created; some permissions might be missing.

As this doesn't seem like a bug, I'll be removing the 4.18.2.0 milestone

JoaoJandre avatar Jan 08 '24 18:01 JoaoJandre

@JoaoJandre In the cloudstack-management logs, I cannot see which kind of permissions is missing with the output:

INFO [c.c.a.ApiServer] (qtp989447607-52785:ctx-ab09fcfc ctx-2a192fbc) (logid:daf59e72) PermissionDenied: Acct[3aa78a55-ddf0-43ab-95da-2668b3f6afae-fgriehle] -- Account {"id": 4, "name": "acc1", "uuid": "3aa78a55-ddf0-43ab-95da-2668b3f6afae"} does not have permission to operate with resource on objs: []

Furthermore, the only thing on the CKS details page that is not shown to the user are the internal names of the CKS instances, but all other information is present to the user as they are for the admin, so the error messages are indeed confusing and seem buggy.

MejdiB avatar Jan 08 '24 20:01 MejdiB

@MejdiB I tried to reproduce the error and wasn't able to. I think that the error message should not be more informative; otherwise, we would start leaking information about what exact permissions a given user has.

However, there should be logs that allow the operators to figure out which permissions are missing. I'll re-add the issue to the 4.18.2.0 milestone; hopefully someone will be able to work on this.

JoaoJandre avatar Jan 09 '24 12:01 JoaoJandre

@MejdiB There are several API calls to the management server when listing the CKS cluster. It would be good to share the list of APIs.

weizhouapache avatar Jan 09 '24 13:01 weizhouapache
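
Added example, not part of the thread and not CloudStack code: one way an operator could work out which API call was denied, by joining each PermissionDenied line to the request line that shares its logid. The PermissionDenied layout follows the line quoted above; the `===START===` request-line layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines. The PermissionDenied layout follows the line quoted
# in the thread; the "===START===" request-line layout is an assumption, and
# which command is denied here is arbitrary, not the cause found in the issue.
SAMPLE_LOG = """\
2024-01-08 20:01:11,101 DEBUG [c.c.a.ApiServlet] (qtp1-11:ctx-aaaa0001) (logid:11111111) ===START===  192.0.2.10 -- GET  command=listKubernetesClusters&response=json
2024-01-08 20:01:11,140 DEBUG [c.c.a.ApiServlet] (qtp1-12:ctx-aaaa0002) (logid:22222222) ===START===  192.0.2.10 -- GET  command=listVirtualMachines&response=json
2024-01-08 20:01:11,163 INFO  [c.c.a.ApiServer] (qtp1-12:ctx-aaaa0002 ctx-bbbb0002) (logid:22222222) PermissionDenied: Acct[00000000-0000-0000-0000-000000000001-acc1] -- Account {"id": 8, "name": "acc1", "uuid": "00000000-0000-0000-0000-000000000001"} does not have permission to operate with resource on objs: []
2024-01-08 20:01:11,190 DEBUG [c.c.a.ApiServlet] (qtp1-11:ctx-aaaa0001) (logid:11111111) ===END===  192.0.2.10 -- GET  command=listKubernetesClusters&response=json
"""

LOGID = re.compile(r"\(logid:([0-9a-f]+)\)")
START = re.compile(r"===START===.*?[?&\s]command=(\w+)")
DENIED = re.compile(r'PermissionDenied: .*?"name": "([^"]+)"')

def denied_commands(log_text):
    """Map each denied request's logid to (account name, API command)."""
    command_by_logid, denied = {}, {}
    for line in log_text.splitlines():
        m = LOGID.search(line)
        if not m:
            continue  # line carries no request correlation id
        logid = m.group(1)
        start = START.search(line)
        if start:
            command_by_logid[logid] = start.group(1)
            continue
        hit = DENIED.search(line)
        if hit:  # "unknown" when the request line was rotated out or not logged
            denied[logid] = (hit.group(1), command_by_logid.get(logid, "unknown"))
    return denied

def summarize(log_text):
    """Group denied API commands per account, for review against the role's rules."""
    per_account = defaultdict(set)
    for account, command in denied_commands(log_text).values():
        per_account[account].add(command)
    return {acct: sorted(cmds) for acct, cmds in per_account.items()}

if __name__ == "__main__":
    for account, commands in summarize(SAMPLE_LOG).items():
        print(account, "denied on:", ", ".join(commands))
```

The detail stays in the operator's logs, so the message returned to the user does not need to reveal which permissions the role has.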

@JoaoJandre @MejdiB I have created a PR for it

weizhouapache avatar Jan 10 '24 10:01 weizhouapache

fixed in #8489

DaanHoogland avatar Apr 23 '24 13:04 DaanHoogland