[Feature Request]: Allow dashboard "adminGroups" the ability to query the dashboard rest api without requiring cluster-admin permissions

[LaVLaS]

Feature description

In order for a user to query the odh-dashboard REST API directly, they require cluster-admin permissions to get any results. Based on checkRoleBindings, it seems like any user request with a valid oauth Bearer Token requires cluster-admin permissions when that level of permissions is not required when routed through a web browser.

Describe alternatives you've considered

No response

Anything else?

I am following this workflow to query the odh-dashboard REST API

$ OPENSHIFT_OAUTH_ENDPOINT="https://$(oc get route -n openshift-authentication   oauth-openshift -o json | jq -r '.spec.host')"
$ ODH_DASHBOARD_URL="https://$(oc get route odh-dashboard -o jsonpath='{.spec.host}')"
$ TESTUSER_BEARER_TOKEN="$(curl -skiL -u $TEST_USER:$TEST_PASS -H 'X-CSRF-Token: xxx' \"$OPENSHIFT_OAUTH_ENDPOINT/oauth/authorize?response_type=token&client_id=openshift-challenging-client\" | grep -oP 'access_token=\K[^&]*')"
$ curl -k -s -H 'Authorization: Bearer ${TESTUSER_BEARER_TOKEN}' $ODH_DASHBOARD_URL/api/status

For an ocp user that is not cluster-admin, the response is html for an oauth login. When granting the user cluster-admin permissions, the response is

$ oc adm policy add-cluster-role-to-user cluster-admin $TEST_USER --rolebinding-name cluster-admin-$TEST_USER
$ curl -kiL -H "Authorization: Bearer $TOKEN" https://$ODH_DASHBOARD_URL/api/status

HTTP/1.1 200 OK
content-length: 356
content-type: application/json; charset=utf-8
date: Tue, 13 Sep 2022 19:22:54 GMT
gap-auth: openldap-admin2@cluster.local
gap-upstream-address: localhost:8080
strict-transport-security: max-age=31536000;includeSubDomains;preload
set-cookie: 8501a734cf1ca23d6de5de397744693d=49753bc99032946f920f443b3bcd6c8a; path=/; HttpOnly; Secure; SameSite=None
cache-control: private

{"kube":{"currentContext":"inClusterContext","currentUser":{"name":"inClusterUser","authProvider":{"name":"tokenFile","config":{"tokenFile":"/var/run/secrets/kubernetes.io/serviceaccount/token"}}},"namespace":"opendatahub","userName":"kube:admin","clusterID":"bc4a5497-ef97-4906-af12-a0d47bee2318","clusterBranding":"ocp","isAdmin":false,"isAllowed":true}}

[andrewballantyne]

@LaVLaS what release is this? If this was off the hotfix (or RHODS 1.16), I'm not sure the existing solution was part of that.

isAdmin should resolve your state in adminGroups. @lucferbux can you verify your fix for #464 solved this 🤔

[LaVLaS]

This was for odh-dashboard:v2.1.1 but I'll try this against odh-dashboard:main to confirm

[anishasthana]

I ran into a similar issue with oauth proxy for modelmesh

[anishasthana]

I was able to fix this issue in modelmesh by updating the oauth proxy config to:

1. Include a reference to namespace
2. Change the resource reference from singular to plural

So...

--openshift-delegate-urls={"/": {"resource": "service", "verb": "get", "name": "modelmesh-serving"}}
--openshift-sar={"resource": "service", "resourceName": "modelmesh-serving", "verb": "get"}

became

--openshift-delegate-urls={"/": {"namespace": "meshtest", "resource": "services", "verb": "get"}}
--openshift-sar={"namespace": "meshtest", "resource": "services", "verb": "get"}

In your case, I think just specifying the namespace should remedy things.

With regards to the blackbox exporter still working at the time, my guess is that it actually basically has cluster viewer (either the blackbox pod or the prometheus pod that's doing the actual scraping).

[lucferbux]

@LaVLaS what release is this? If this was off the hotfix (or RHODS 1.16), I'm not sure the existing solution was part of that.

isAdmin should resolve your state in adminGroups. @lucferbux can you verify your fix for #464 solved this 🤔

That's indeed true. isAdmin returns either cluster-admin or rhods-admin.

[dgutride]

Moving to closed based on comments in #464 - please let me know if this is still an issue.