User can view backups in other namespaces with read permissions in one namespace
Description
Tested with Everest v1.2.0-rc1.
Install the MySQL operator in the a1 namespace.
Log in to the Everest UI as the admin user and create a MySQL database. Add a backup storage and take some scheduled backups of the MySQL database.
Install MongoDB in the a2 namespace.
Create a MongoDB database as the admin user. Add a backup storage, but do not add a scheduled backup.
Create a user dbadmin using the CLI.
Add the following permissions to the RBAC policy:
Log in to the Everest UI as the dbadmin user and create backups for the MongoDB database in the a2 namespace.
Now change the RBAC policy so that the dbadmin user has only read permissions in the a1 namespace.
Now view the backups of the MySQL database in the a1 namespace.
The dbadmin user can view the backups of the MySQL database.
Now view the backups of the MongoDB database in the a2 namespace.
The dbadmin user can view the backups and backup schedules of the MongoDB database in the a2 namespace. This should not be allowed: the dbadmin user has read permission on database-cluster-backups only in the a1 namespace and has no read permission on database-cluster-backups in the a2 namespace.
Tested with Everest v1.2.0-rc2. Ran the same scenario as above.
Add the following RBAC policy:
The dbadmin user can view the backups and backup schedules of the MySQL database in the a1 namespace. There is no option for the user to create or delete backups, which is correct for read permissions.
The dbadmin user can view the backup schedules, but not the backups, of the MongoDB database in the a2 namespace.
The user can see that backups are scheduled for the MongoDB database in the a2 namespace.
If the RBAC policy is changed to also grant read permissions for backup-storages in the a1 namespace:
Then the dbadmin user can view the backups and backup schedules of the MySQL database in the a1 namespace. For the MongoDB database in the a2 namespace the user initially sees a blank page, and after 8 seconds the Add storage page appears. This issue is already filed as .
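To make the expected authorization behaviour concrete, the following Python model is added here as an illustration; it is not Everest's code. It contrasts a listing that performs one global grant check (which reproduces the symptom reported in both scenarios: read on database-cluster-backups in a1 exposes a2 items) with one that evaluates every backup and backup schedule against its own namespace. The policy row shape (subject, resource, action, "namespace/name"), the sample inventory, and gating schedules on the same database-cluster-backups resource are assumptions made for this example.

```python
"""Namespace-scoped read check for backup listings.

Added illustration, not Everest's code. Models the behaviour the report
expects: a read grant on database-cluster-backups in namespace a1 must not
make backups or backup schedules in namespace a2 visible.
The policy row shape (subject, resource, action, "namespace/name") is an
assumption made here; the inventory below is constructed sample data.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    subject: str    # user or role
    resource: str   # e.g. "database-cluster-backups"
    action: str     # "read", "create", "delete" or "*"
    obj: str        # "namespace/name"; either part may be a glob such as "*"


def allowed(policies, subject, resource, action, namespace, name):
    """True if some policy row grants `subject` `action` on resource namespace/name.

    The namespace of the object being accessed is part of the decision, which
    is exactly the property the report shows being lost.
    """
    for p in policies:
        ns_pat, _, name_pat = p.obj.partition("/")
        if (p.subject == subject
                and p.resource == resource
                and p.action in (action, "*")
                and fnmatchcase(namespace, ns_pat)
                and fnmatchcase(name, name_pat or "*")):
            return True
    return False


def list_visible_unscoped(policies, subject, resource, items):
    """Flawed pattern: a single grant check, then every item is returned.

    Reproduces the symptom in the report: read on database-cluster-backups
    in a1 is enough to expose items that live in a2.
    """
    has_any_read = any(p.subject == subject and p.resource == resource
                       and p.action in ("read", "*") for p in policies)
    return list(items) if has_any_read else []


def list_visible(policies, subject, resource, items):
    """Correct pattern: every item is checked against its own namespace/name."""
    return [i for i in items
            if allowed(policies, subject, resource, "read", i["namespace"], i["name"])]


# Constructed sample inventory mirroring the report's setup.
BACKUPS = [
    {"namespace": "a1", "db": "mysql-db", "name": "mysql-backup-1"},
    {"namespace": "a1", "db": "mysql-db", "name": "mysql-backup-2"},
    {"namespace": "a2", "db": "mongo-db", "name": "mongo-backup-1"},
]
SCHEDULES = [
    {"namespace": "a1", "db": "mysql-db", "name": "mysql-daily"},
    {"namespace": "a2", "db": "mongo-db", "name": "mongo-daily"},
]

# dbadmin after the policy change in the report: read on backups in a1 only.
# Gating schedules on the same resource is an assumption for this illustration.
DBADMIN_POLICIES = [
    Policy("dbadmin", "database-cluster-backups", "read", "a1/*"),
]


def visible_names(policies=DBADMIN_POLICIES, subject="dbadmin"):
    """Return what each listing style shows for backups and schedules."""
    res = "database-cluster-backups"
    return {
        "backups_unscoped": [b["name"] for b in list_visible_unscoped(policies, subject, res, BACKUPS)],
        "backups_scoped": [b["name"] for b in list_visible(policies, subject, res, BACKUPS)],
        "schedules_unscoped": [s["name"] for s in list_visible_unscoped(policies, subject, res, SCHEDULES)],
        "schedules_scoped": [s["name"] for s in list_visible(policies, subject, res, SCHEDULES)],
    }


if __name__ == "__main__":
    for key, names in visible_names().items():
        print(f"{key}: {names}")
```

Running the block prints the two listing styles side by side: the unscoped variant shows mongo-backup-1 and mongo-daily to a user whose only grant is in a1, while the scoped variant shows the a1 items only. The check that matters is that the namespace of each listed object, not just the existence of some read grant on the resource type, feeds the decision.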