rancher
Resources Unavailable on Monitoring page after upgrade to 2.7.5
Internal ref: SURE-6700
Setup
- Rancher version: 2.7.5
- Rancher UI Extensions:
- Browser type & version:
Describe the bug
Users with 'View-Monitoring' but no access to catalog.cattle.io.app can no longer see the Grafana and other monitoring links from the Monitoring page in the UI.
To Reproduce
- On cluster pre 2.7.5, create user with a 'cluster-user' custom role that inherits 'monitoring-ui-view' and also has the GET/CREATE on services/proxy
- Test that monitoring links are clickable
- Upgrade to 2.7.5
Result monitoring links are unclickable
Expected Result
After the upgrade monitroing link should be clickable
Screenshots
Additional context
As a workaround, Added read-only to the Project with monitoring or GET to apps.catalog.cattle.io and these restored access to the links, but this granted access to monitoring secrets... They think they found the commit that changed the behavior and is missing the try-catch, as seen elsewhere.
Possibly resolved in 2.8.0 via https://github.com/rancher/dashboard/pull/9826. Needs validating with these specific roles (but given workaround looks hopeful)
@MKlimuszka waiting-ux indicates it's waiting for UX/Design input. The zube labels roughly map to ui issue root state
@skanakal can you provide the yaml for the custom role, and is it a cluster or project role (linked ticket talks about project but it's not clear here)? Can you also confirm if the user assigned to the role is a global standard-user (and not user-base)?
@richard-cox It been so long time since I reproduced this issue. If my recollection is accurate, a standard user, assigned a project role with monitoring UI view, GET/CREATE permissions on services/proxy, and other necessary permissions to access the links...
I tried to reproduce this with a custom cluster role which inherited view monitoring and had get / create on services. Navigating to the cluster... things went wrong. It looks like there were failures fetching /endpoints (even though the user could see the schema). I could not get the monitoring tab to be visible (it requires the monitoring.coreos.com.podmonitor schema which is missing). The cluster also went down.
I did notice that the view monitoring role is a project one, rather than a cluster one. @skanakal to confirm, you adding it to a custom cluster rather than custom project role.. and this was working pre-upgrade? Would you be able to assist confirming the issue is resolved in 2.8.0 (or later)?
Verified - this is not an issue in 2.9.0.
This is the custom cluster role I used:
The code has changed a lot since 2.7.5 and now has guards, so being unable to retrieve the list of apps does not cause the problem reported in this issue
@gaktive I think we should move this to test, unless I am missing some context?
Issue is still happening. Rancher version # [v2.9.1]
unable to view grafana dashboard
{ "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": "error trying to reach service: dial tcp 10.0.37.2:8080: connect: connection timed out", "reason": "ServiceUnavailable", "code": 503 }
