Actual Outcome: Upgrade option not visible on the UI though all db cluster access has been added in the RBAC for that specific namespace.
Expected Outcome: Upgrade option available according to the RBAC policy.
@Diogo Recharte Need your suggestion here. I think a user having '*' permission in a namespace for all the db clusters should have the option to upgrade the operators in that namespace. The only thing I am not sure about is that this user does not have access to create a db cluster in that namespace; should this block the user from upgrading the operators?
02 Jan 2025, 10:49 AM
Activity
Fábio Da Silva
January 22, 2025 at 12:21 PM
@Yusaf Awan after discussing this with @Diogo Recharte, we came to the conclusion that it’s a requirement that users explicitly set `p, role, database-clusters, , <namespace1>/*` in order to do an upgrade.
This is because defining policies on a cluster-by-cluster basis means we never know whether we are retrieving the whole set of clusters or not, which is required for the upgrade to be available.
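A policy lint for the requirement stated in the comment above, added here as an example and not Everest's own code: it reports roles whose `database-clusters` grants in a namespace are only per-cluster entries, with no `<namespace>/*` object. The namespace, cluster and `role:ops` names are constructed, and the action field is not evaluated because it is blank in the comment as captured on this page.

```python
import csv

# Constructed sample in the policy format shown on this page (names are made up).
SAMPLE_POLICY = """\
p, role:test, namespaces, read, *
p, role:test, database-engines, *, */*
p, role:test, database-clusters, *, ns1/cluster-a
p, role:test, database-clusters, *, ns1/cluster-b
p, role:ops, database-clusters, *, ns1/*
"""


def parse_policy(text):
    """Yield (role, resource, action, object) for every 'p' line."""
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        fields = [f.strip() for f in row]
        if len(fields) == 5 and fields[0] == "p":
            yield tuple(fields[1:])


def cluster_scope(policy_text, namespace):
    """Classify each role's database-clusters grants inside `namespace`.

    'namespace-wide' means the role has an object of '<namespace>/*';
    'enumerated' means it only lists individual clusters.
    Objects in other namespaces (including '*/*') are not evaluated here.
    """
    result = {}
    for role, resource, _action, obj in parse_policy(policy_text):
        ns, sep, name = obj.partition("/")
        if resource != "database-clusters" or not sep or ns != namespace:
            continue
        entry = result.setdefault(role, {"scope": "enumerated", "clusters": set()})
        if name == "*":
            entry["scope"] = "namespace-wide"
        else:
            entry["clusters"].add(name)
    return result


def roles_missing_wildcard(policy_text, namespace):
    """Roles that name clusters one by one and so lack '<namespace>/*'."""
    scopes = cluster_scope(policy_text, namespace)
    return sorted(r for r, e in scopes.items() if e["scope"] == "enumerated")


if __name__ == "__main__":
    for role in roles_missing_wildcard(SAMPLE_POLICY, "ns1"):
        print(f"{role}: only per-cluster grants in ns1, no 'ns1/*' entry")
```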
Diogo Recharte
January 21, 2025 at 11:35 AM
Waiting for the remaining tickets of everest-1.5.0-rbac-fixes to be ready, then a FB will be created with all of them.
STRs:
1. Install Everest v1.3
2. Create db clusters
3. Upgrade to Everest v1.4rc-5
4. Apply the policy in the following way:
p, role:test, namespaces, read, *
p, role:test, database-engines, *, */*
p, role:test, database-clusters, *, <namespace1>/<db_cluster1>
p, role:test, database-clusters, *, <namespace1>/<db_cluster2> (do this until policy for all db clusters is added)
p, role:test, database-cluster-backups, *, */*
p, role:test, database-cluster-restores, *, */*
p, role:test, database-cluster-credentials, read, */*
p, role:test, backup-storages, *, */*
p, role:test, monitoring-instances, *, */*
5. Open http://127.0.0.1:8080/settings/namespaces