edge-manageability-framework

[BUG-NOK] Orchestrator - User Management - Roles / Groups - to be able to disable "Download Kubeconfig" / "Copy Kubeconfig" for some users

Open ss5829 opened this issue 6 months ago • 7 comments

Bug Description

Under the Home -> Infrastructure -> Clusters, try accessing the hamburger icon(Actions icons) [AND] select an existing cluster - try clicking on "Cluster Actions"

There is a use case to disable the hamburger icon (Actions icons) [AND] the "Cluster Actions" drop down itself for a User, thereby hindering the user from performing operations like "Download Kubeconfig" / "Copy Kubeconfig".

The following were tried,

  • assigning READ only Roles to the User
  • removing Group _UID*****___Edge-Manager-Group from the User

Image

however that User is able to interact with "Cluster Actions" drop down especially make use of "Download Kubeconfig" / "Copy Kubeconfig" options.

Please let us know if a custom Role can be created and assigned to a User such that both of these remain inaccessible.

System Setup

Orchestrator v3.1.3

Reproducible Steps

Under the Home -> Infrastructure -> Clusters, try accessing the hamburger icon(Actions icons) [AND] select an existing cluster - try clicking on "Cluster Actions"

Root Cause Analysis

No response

ss5829 avatar Oct 09 '25 10:10 ss5829

Roles cannot be subtractive, they are additive. You would need to create a custom Group excluding the role (permissions) you wish to exclude from that user class. In the case of Edge Manager Group the roles are detailed here: https://docs.openedgeplatform.intel.com/edge-manage-docs/dev/shared/shared_iam_groups.html#project-id-edge-manager-group

I believe you should be able to create a custom Group that does not include the project-id_cl-rw.

effndc avatar Oct 09 '25 16:10 effndc

yes, that method with removal of project-id_cl-rw role was tried. below are the results,

Image

while this method has disabled "Edit" / "Delete" operations it still provides access to "Download Kubeconfig" / "Copy Kubeconfig"

please let us know if access to "Download Kubeconfig" / "Copy Kubeconfig" can be disabled too.

ss5829 avatar Oct 10 '25 06:10 ss5829

while going through the following code

Image

link: https://github.com/open-edge-platform/orch-ui/blob/cf385db7e0c04f72934d908631fb25043d830197/apps/cluster-orch/src/components/pages/ClusterDetail/ClusterDetail.tsx#L210

an alternate method occurred;

please comment if the following proposal is feasible,

  1. In Keycloak, create a custom Role named NO_KUBECONFIG and assign it to the intended user
  2. In code alter the following(lines 225, 232) to include Role checks(checkAuthAndRole) and disable "Download Kubeconfig" & "Copy Kubeconfig"
const popupOptions: PopupOption[] = [
    {
      displayText: "Edit",
      disable: !checkAuthAndRole([Role.CLUSTERS_WRITE]),
      onSelect: () => {
        if (clusterDetail.name)
          navigate(clusterEditRoute, { clusterName: clusterDetail.name });
      },
    },
    {
      displayText: "Delete",
      disable: !checkAuthAndRole([Role.CLUSTERS_WRITE]),
      onSelect: async () => {
        setIsDeleteModalOpen(true);
      },
    },
    {
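      displayText: "Download Kubeconfig",
      // Disabled for users who hold NO_KUBECONFIG: no negation here, because
      // the role marks a denial (Edit/Delete negate a role that grants access).
      disable: isKubeconfigLoading || checkAuthAndRole([Role.NO_KUBECONFIG]),
      onSelect: () => {
        downloadFile(kubeconfig?.kubeconfig ?? "");
      },
    },
    {
      displayText: "Copy Kubeconfig",
      // Same check as "Download Kubeconfig".
      disable: isKubeconfigLoading || checkAuthAndRole([Role.NO_KUBECONFIG]),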
      onSelect: () => {
        copyToClipboard(
          kubeconfig?.kubeconfig ?? "",
          () =>
            setToast((p) => ({
              ...p,
              state: ToastState.Success,
              message: "Copied Kubeconfig to clipboard successfully",
              visibility: ToastVisibility.Show,
            })),
          () =>
            setToast((p) => ({
              ...p,
              state: ToastState.Danger,
              message: "Failed to copy Kubeconfig to clipboard",
              visibility: ToastVisibility.Show,
            })),
        );
      },
    },
  ];

PLEASE NOTE: the above are just proposals and not the actual code changes to be done.

ss5829 avatar Oct 13 '25 05:10 ss5829

We will research this, it does appear that there is a bug if users without cluster access are still able to download the kubeconfig and bypass the restrictions.

effndc avatar Oct 13 '25 18:10 effndc

@hyunsun to have a look at this.

BasuGoudar-GitHub avatar Oct 24 '25 08:10 BasuGoudar-GitHub

Let me clarify the current behavior and available options. Cluster Orchestration currently supports two cluster-related roles (actually four including cluster template operations, but let's ignore them here):

  • Cluster Read-Only (cl-r): Allows viewing clusters and downloading/copying kubeconfig
  • Cluster Read/Write (cl-rw): Full cluster management permissions including create/delete operations and downloading/copying kubeconfig

The ability to download/copy kubeconfig with the cl-r role is intentional and by design. This role structure was implemented to support two primary user personas (see descriptions of Edge Manager and Edge Operator group here https://docs.openedgeplatform.intel.com/edge-manage-docs/dev/shared/shared_iam_groups.html#groups):

  • Edge Manager (cl-rw role): Full cluster management capabilities including creation, deletion, and debugging edge clusters
  • Edge Operator/User (cl-r role): Access to view and connect to existing edge clusters via kubeconfig

Based on your description, your test user likely still has the cl-r role assigned (either directly or through group membership), which explains why they can view the cluster list and access kubeconfig download options.

If you want a role that doesn't have visibility to entire clusters, try to remove cl-r role as well from your custom group. Or if you need a role that allows cluster visibility without kubeconfig access, this would require a new role type to be developed and should be a new feature request.

hyunsun avatar Nov 10 '25 21:11 hyunsun
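
The additive role model described in the comment above, and the earlier observation that dropping cl-rw disabled "Edit" / "Delete" but not the kubeconfig actions, as an added example (not code from orch-ui or the Open Edge Platform project). Only the role names cl-r and cl-rw come from the thread; the permission strings, the `cl-view` role, the group contents and every function name are assumptions made for illustration.

```typescript
// Added illustration: cl-r / cl-rw are the roles named in the thread; the
// permission strings, "cl-view" and the group contents are hypothetical.
type Permission = "cluster:list" | "cluster:write" | "kubeconfig:read";

const ROLE_PERMISSIONS: Record<string, Permission[]> = {
  "cl-r": ["cluster:list", "kubeconfig:read"], // kubeconfig access is by design
  "cl-rw": ["cluster:list", "cluster:write", "kubeconfig:read"],
  "cl-view": ["cluster:list"], // hypothetical new role type (feature request)
};
const GROUP_ROLES: Record<string, string[]> = {
  "edge-manager": ["cl-rw"], // constructed group contents
  "edge-operator": ["cl-r"],
  "custom-view-only": ["cl-view"],
};

// Every role a user holds, directly or through group membership.
function heldRoles(groups: string[], directRoles: string[] = []): string[] {
  return groups.reduce((acc, g) => acc.concat(GROUP_ROLES[g] ?? []), directRoles.slice());
}

// Additive model: effective permissions are the union over all held roles.
// No role can subtract from the set, so a "deny" role has nothing to act on.
function effectivePermissions(groups: string[], directRoles: string[] = []): Set<Permission> {
  const perms = new Set<Permission>();
  for (const role of heldRoles(groups, directRoles))
    for (const p of ROLE_PERMISSIONS[role] ?? []) perms.add(p);
  return perms;
}

// Explains an unexpected grant: which of the held roles supply a permission.
function rolesGranting(p: Permission, groups: string[], directRoles: string[] = []): string[] {
  return heldRoles(groups, directRoles)
    .filter((r, i, all) => all.indexOf(r) === i) // de-duplicate
    .filter((r) => (ROLE_PERMISSIONS[r] ?? []).indexOf(p) !== -1);
}

// The same permission decides the menu state and the API response, so a
// disabled menu entry is never the only thing protecting the kubeconfig.
function menuState(perms: Set<Permission>) {
  return {
    editDisabled: !perms.has("cluster:write"),
    kubeconfigDisabled: !perms.has("kubeconfig:read"),
  };
}
function kubeconfigStatus(perms: Set<Permission>): 200 | 403 {
  return perms.has("kubeconfig:read") ? 200 : 403;
}
```

`rolesGranting` is the audit step when a restricted user can still fetch a kubeconfig: it lists every role, inherited or direct, that has to be removed or replaced. The `403` path belongs in the service that returns the kubeconfig; greying out the menu entry alone leaves the endpoint reachable.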

please note the following is preferred,

Or if you need a role that allows cluster visibility without kubeconfig access, this would require a new role type to be developed and should be a new feature request.

kindly note this was the intent of raising this ticket,

Bug Description

There is a use case to disable the hamburger icon (Actions icons) [AND] the "Cluster Actions" drop down itself for a User, thereby hindering the user from performing operations like "Download Kubeconfig" / "Copy Kubeconfig".

ss5829 avatar Nov 25 '25 04:11 ss5829