[BUG] Requests to /v1/endpoints return 500 and cause the cluster to enter 'updating' state when monitoring is installed #43030
Comments
Per the docs, this is the expected behavior. A read-only user should not have access to links directly from the monitoring panel, only externally. We have raised this issue with product and SURE-7045 has been filed to review the permissions for a read-only user within the monitoring UI. "A User bound to the View Monitoring Rancher Role only has permissions to access external Monitoring UIs if provided links to those UIs." If the UI team wants to show an error message that says the read-only user does not have access to the monitoring panel links, I think that would be a viable option while product is determining the exact access rights and limitations for the role. SURE-7044 has also been filed to add clarifications to the official Rancher documentation for read-only role permissions.
The problem here isn't that the user can't access the links on the monitoring panel, it's that requesting a resource they should be able to list is returning a 500 response and temporarily rendering the cluster unreachable. But even if the UI erroneously requests resources a user can't access, the expected response is a 403 error and no impact on cluster health. With the permission set described above, the user would have access to some subset of endpoints though not the monitoring ones, so a get request to
Tentatively assigned as blocker for now, as this is causing a panic in the agent.
Cross posting my updates here for visibility. My initial comment was incorrect (I thought this was related to a different error with the monitoring panel links, that's my bad). The 500 error while getting the endpoints has been fixed by rancher/steve#132, and that also fixes the problem where the cluster hangs. The endpoints are not returned (per the documentation) because the read-only user, as described in this bug, is not supposed to have access to the internal monitoring panel.
Validation Template
Root Cause
In certain cases (when a user has cluster-wide permissions to a resource type limited by one or more
In the monitoring use case, this would result in a
What was fixed, or what changes have occurred
Steve now returns an empty
Areas or cases that should be tested
What areas could experience regressions
Steve use cases with permissions using
Are the repro steps accurate/minimal?
They are accurate, though they are focused on monitoring rather than a minimal steve use case.
Notes
cc: @geethub97 This does not resolve general monitoring permissions (see this comment for more information). These users will need to use a workaround for the monitoring permissions to become visible.
@mantis-toboggan-md @gaktive Can we remove "status/ui-blocked" from this ticket now?
Reproduced the issue on v2.8.0-alpha2:
Verified fresh install v2.8-head
Test case1
Test case2
Test case3
Test case4
Upgrade use case from v2.7.8 >> v2.8-head
rancher/dashboard#4466 has a release-note label and comments in that thread reference this issue. Since rancher/dashboard#4466 seems to be about users frustrated by intended Rancher behavior, should I instead be release noting the bug fix recorded here?
Rancher Server Setup
Information about the Cluster
User Information
Project member with read-only access and monitoring-ui-view cluster role
Describe the bug
GET requests to <rancher url>/k8s/clusters/<cluster id>/v1/endpoints return 500, the /v1 websocket disconnects, and the cluster status changes to "updating" for a couple minutes. The endpoints schema indicates that the user should be able to list endpoints (<endpoint schema>.links.collection is defined). I was only able to reproduce this bug once monitoring was installed.
To Reproduce
as admin, create a downstream cluster and enable monitoring v2
as admin, create a local user user1 and assign it to be project-member with read-only access of a project p1 in the cluster
as admin, create the clusterRoleBinding (monitoring-ui-view, user-1 )
log in as user-1, go to the cluster explorer UI -> monitoring tab
Result
500 error; cluster is 'updating' for a few minutes
Expected Result
GET requests to <rancher url>/k8s/clusters/<cluster id>/v1/endpoints should return a list of endpoints.
Screenshots
Additional context
This was seen while investigating rancher/dashboard#4466 and blocks that issue.