rancher: Incorrect verb "read" versus "get" in clusterscan resource RBAC prevents correctly granting clusterscan permissions

What kind of request is this (question/bug/enhancement/feature request):

Bug

Steps to reproduce (least amount of steps as possible):

  1. Create a Rancher v2.4.11 or v2.5.3 instance with a single all-role custom cluster (I used https://github.com/superseb/tf-do-rancher2/).
  2. Create a user foo
  3. Create a custom Global role CIS, that grants get and list on cisbenchmarkversions.management.cattle.io and cisconfigs.management.cattle.io. Edit user foo and grant the custom CIS role.
  4. Create a custom Cluster role Clusterscans, that grants get and list on clusterscans.management.cattle.io, and grant the user foo this role on the custom cluster.
  5. As the admin user run a CIS Scan on the custom cluster.

Result:

  • Logged in as the admin user observe once the CIS scan is complete that you can click the scan name to view the report details, and that viewing the scan in the API the links: report: field is populated.
  • Logged in as the user foo, observe that whilst the CIS Scan resource is listed, you cannot view the report details in the UI, and whilst you can access the v3/clusterScans/<cluster_id>:<report_id>/report API endpoint successfully, the links: report field in the v3/clusterScans/<cluster_id>:<report_id> endpoint is not populated (which is the reason the report details are not populated in the UI).

Other details that may be helpful:

The issue here is a result of the incorrect verb read versus the expected verb get in the API RBAC for the formatter that appends the report link to the clusterscan resource:

https://github.com/rancher/rancher/blob/v2.5.3/pkg/api/norman/customization/clusterscan/clusterscan.go#L28
https://github.com/rancher/rancher/blob/v2.4.11/pkg/api/customization/clusterscan/clusterscan.go#L26

Whilst an admin has the * permission for all verbs, the defined custom role using the Kubernetes RBAC verb get does not match in the API check, hence the difference between the links: report: field returned for the admin user and the foo user. The verb in the API CanDo check should be updated to get to fix this issue. As a workaround, the custom Clusterscans cluster role can be edited via the API to add the verb read to the list of permissions on clusterscans.management.cattle.io.

Environment information

  • Rancher v2.4.11/v2.5.3

gz#13788

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 17 (13 by maintainers)
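The following is an added example, not code from the Rancher repository and not part of the original issue. It models the verb mismatch described under "Other details": an access check that compares the literal verb string against the verbs granted by a role, with "*" as the only wildcard. The rule shapes, the CanDo signature, the scan ID and the link paths are constructed for illustration (Rancher's real norman AccessControl.CanDo has a different signature). It shows why the admin role passes a check for the verb read while a role granting only get and list fails it, why changing the check to get fixes the link, and why adding read to the role also works as the workaround.

```go
package main

import "fmt"

// Rule is a simplified RBAC policy rule in the shape of a Kubernetes
// PolicyRule (apiGroups/resources/verbs). Constructed for this example.
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// matches reports whether want is in have, treating "*" as a wildcard.
// This is the only reason an admin role (verbs: ["*"]) satisfies a check
// for a verb such as "read" that is not a Kubernetes RBAC verb at all.
func matches(have []string, want string) bool {
	for _, h := range have {
		if h == "*" || h == want {
			return true
		}
	}
	return false
}

// CanDo is a hypothetical stand-in for an API-layer access check
// (assumption: this is not Rancher's real AccessControl.CanDo signature).
// Verbs are compared as opaque strings; "read" and "get" never match each other.
func CanDo(rules []Rule, group, resource, verb string) bool {
	for _, r := range rules {
		if matches(r.APIGroups, group) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// ClusterScan models the API object; Links is the "links" map the UI reads.
type ClusterScan struct {
	ID    string
	Links map[string]string
}

// formatClusterScan mimics the formatter the issue points at: it appends the
// report link only when the caller passes the access check. The verb used for
// that check is a parameter so the buggy value ("read") and the fixed value
// ("get") can be compared side by side.
func formatClusterScan(scan *ClusterScan, rules []Rule, checkVerb string) {
	scan.Links = map[string]string{"self": "/v3/clusterScans/" + scan.ID}
	if CanDo(rules, "management.cattle.io", "clusterscans", checkVerb) {
		scan.Links["report"] = "/v3/clusterScans/" + scan.ID + "/report"
	}
}

// HasReportLink runs the formatter for a caller with the given rules and
// reports whether the links: report field was populated.
func HasReportLink(rules []Rule, checkVerb string) bool {
	scan := &ClusterScan{ID: "<cluster_id>:<report_id>"} // placeholder ID, constructed
	formatClusterScan(scan, rules, checkVerb)
	_, ok := scan.Links["report"]
	return ok
}

// Constructed sample roles mirroring the issue's setup.
var (
	// Admin: wildcard on everything.
	adminRules = []Rule{{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}}}
	// Custom Clusterscans cluster role: Kubernetes verbs get and list only.
	fooRules = []Rule{{APIGroups: []string{"management.cattle.io"}, Resources: []string{"clusterscans"}, Verbs: []string{"get", "list"}}}
	// Workaround from the issue: the same role with the non-Kubernetes verb "read" added via the API.
	fooWorkaroundRules = []Rule{{APIGroups: []string{"management.cattle.io"}, Resources: []string{"clusterscans"}, Verbs: []string{"get", "list", "read"}}}
)

func main() {
	for _, c := range []struct {
		who, verb string
		rules     []Rule
	}{
		{"admin", "read", adminRules},
		{"foo", "read", fooRules},
		{"foo", "get", fooRules},
		{"foo (workaround)", "read", fooWorkaroundRules},
	} {
		fmt.Printf("%-18s check verb %-4s -> report link present: %v\n", c.who, c.verb, HasReportLink(c.rules, c.verb))
	}
}
```

Running it shows the report link present for admin with either verb, absent for foo while the check uses read, and present for foo once the check uses get or once read is added to the role. The same matcher also shows that the workaround is a grant of an extra string, not a broadening of real Kubernetes access: a check for delete still fails for both foo roles.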

Most upvoted comments

@doflamingo721

I was able to reproduce this RBAC issue. I also found an additional issue (see additional context section).

Steps to reproduce (reproduced on a 2.6.6 HA server):

  1. Stand up a Rancher HA server (no downstream clusters needed).
  2. Create a user.
  3. Create a custom Global role CIS, that grants get and list on cisbenchmarkversions.management.cattle.io and cisconfigs.management.cattle.io.

[screenshot]

  4. Edit user foo and grant the custom CIS role.
  5. Create a custom Cluster role Clusterscans, that grants get and list on clusterscans.management.cattle.io.

[screenshot]

  6. Grant the user foo this role on the custom cluster.
  7. As admin, run a CIS benchmark scan with the ‘1.6 permissive scan’ profile applied.
  8. Log in as the user you created.
  9. View the CIS benchmark scan page.
  10. Click on the name of the scan.

expected results

The scan displays a line item list of every pass/warning/failure (see in picture: the admin account can view line items fine).

[screenshot]

actual results

No scan data is displayed to the user.

additional context

When logged in as the user on the scan page, if you try to download the scan this error is displayed in the UI:

“Error downloading file Cannot read properties of undefined (reading ‘aggregatedTests’)”

If they can view the report they should be able to download it, but if this restriction is by design we should replace the error message with whatever our standard RBAC error message is, e.g. ‘you do not have permissions to execute this action, please contact administrator’.

^^ After investigation, if this needs its own separate ticket, @AndrewHoffmanQA and I’ll generate one.