The new plan still can be shown and started on plans page when plan creation is failed

[qiyuann]

When creating a new plan is failed because of following error:

The new plan still can be shown on the plans page, migration can be started, VM could be imported successfully.

If creating a new plan is failed, the plan shouldn't be shown on the plans page.

Steps to reproduce:

1. Create a non cluster admin user

2. Create a role with following rules:
   
   Note that there is no 'delete' verb on networkmaps

3. Bind the user with the role

4. Log into cluster with the user, and create a new plan

[yaacov]

@rszwajko it looks like it's connected to the flow of creating a copy of the network mappings,

@qiyuann is this fixed by giving the user all permissions on networkmaps ?

[qiyuann]

yes, it could be fixed by giving the user all permissions on networkmaps.

[ahadas]

@yaacov shall we move it to kubev2v/forklift then?

[yaacov]

yes, it could be fixed by giving the user all permissions on networkmaps.

it looks like the UI trying to copy the mapping

a. moving target to UI 2.4.1
b. @ahadas thanks, yes, kubev2v/forklift should give the permissions so the UI will work in 2.4.0

cc:// @rszwajko @sjd78 @sgratch

[ahadas]

@yaacov I lost you - I meant to move this issue to kubev2v/forklift so the plan would be set with some condition that prevents it from starting when the mappings are missing
but if you think it should be addressed in the UI - can't we create the mappings before creating the plan (as a workaround)?

[yaacov]

can't we create the mappings before creating the plan

@ahadas . in this test, the user can't create mappings.
even if you try to create use an existing mapping, since the UI try to copy it, the UI will not be able to create a new copy of the mappings and the wizard will show an error.

[yaacov]

yes, it could be fixed by giving the user all permissions on networkmaps.

The workaround is to grant "All" permissions to networkMaps

moving to next because of capacity and easyworkaround.

@ahadas what is the default permissions to networkMaps , i see that for storageMap it's 'All' ?

cc:// @qiyuann (for moving to next)

[ahadas]

@ahadas what is the default permissions to networkMaps , i see that for storageMap it's 'All' ?

it depends on the entity - for forklift-controller it's * (all), for networkmaps.forklift.konveyor.io-v1beta1-admin it's also *, for networkmaps.forklift.konveyor.io-v1beta1-crdview it's get, for networkmaps.forklift.konveyor.io-v1beta1-edit it's create, update, patch, delete, and for networkmaps.forklift.konveyor.io-v1beta1-viewit'sget, list, watch`.

we have a task to document the required permissions for non-admin users - that's ok to document that we currently require permissions to delete the networkmap in order to create a plan (if that's the current state)

[yaacov]

closing, this will be fixed on the operator / docs side, by documenting the requirements and adjusting the operator to create the needed permissions

[RichardHoch]

@ahadas @yaacov Are we saying that non-admins can do everything except delete migration plans? If so, that's easy to document. Even not being able to delete any entity is easy to document.
Documenting exactly which permissions non-admins have is less easy, especially if we expect to add new permissions, which will have to be added. Let me know what's needed.

[yaacov]

note:
submitted upstream: kubev2v/forklift-console-plugin#634
patch 634 prevents non admins from accessing the "overview/settings" page (kubev2v/forklift-console-plugin#630)

note I:
the console defined admin as users that can list namespaces

note II:
kubev2v/forklift-console-plugin#631 - an open bug to hide the create/edit/delete options from users that don't have permissions to create/edit/delete providers/plans and mappings

[RichardHoch]

@ahadas @yaacov I understand that the settings page is only for admins. But what about the rest of the Migrations pages -- are there any that non-admins cannot work with, completely, including deleting items?

[yaacov]

I. a "user" will have all the options except "overview / settings" page ( admins only)

II. a "read only user" will not be able to
create
edit
delete
duplicate ( it's like create )