Clone of global admin role not a 100% carbon copy

[cnotv]

Jira: SURE-8806

Setup

• Rancher version: 2.8.5
• Rancher UI Extensions: /
• Browser type & version: all

Describe the bug
Clone of global admin role not exact copy. (Displayed as Administrator/admin)
Where the original role has verbs "*" the copy has a list of individual verbs.
The result is new role does not grant the same views as the original.

To Reproduce

• Clone Admin role in GUI
• Assign cloned role role to user.
• View any given cluster in GUI
• User doe not have full visibility compared to the original admin role

Result
The clone role does not have "*" verbs as in the original global admin role.

Note: This is about the data, so it's visible only in the YAML editor.

Expected Result
Expect a carbon copy.

Screenshots

See Jira ticket

Additional context

See Jira ticket

[cnotv]

@richard-cox changing the client version to v2.8.6 still clones an admin correctly, I suppose this is a server issue?

[richard-cox]

@cnotv It looks like it's showing the bug. The verbs have been enumerated from * to all known verbs

[cnotv]

@cnotv It looks like it's showing the bug. The verbs have been enumerated from * to all known verbs

I see the same for 2.9.x and even for the same Administrator. I do not understand what should be displayed.

[richard-cox]

The Grant Resources section relates to the role's rules array. Each one contains a verbs lists.

An entry to that verbs list could be distinct entries (create, patch, etc).

Or it could be * which means all verbs. This is where the bug is

The component that's showing a grant resource row isn't showing the * correctly, it converts it into a list of verbs

[cnotv]

Oh ok, in the model/YAML, I thought in the UI form sorry.

[cnotv]

These 2 cases are the same but have different logic and URLs, so there's something wrong with the whole concept of editing in Rancher:

• Edit YAML: /c/local/auth/roles/management.cattle.io.globalrole/admin?mode=edit&as=yaml
• Edit config with YAML tab: /c/local/auth/roles/management.cattle.io.globalrole/admin?mode=edit#grant-resources

Refreshing the page and keeping the YAML editor is also impossible since it redirects to the configuration.

[cnotv]

Here is a summary of what I reported today: the whole resource editing process has a logic where data initialization is injected into YAML, without providing a way to restore the mapping (like from * to verbs list in our case). This means that not just clones but any editing will malform data.

In the video, you can see how the roles are always manipulated and cannot be restored if edited in the form. As an outcome of this logic, we want to instead map the whole list of verbs always into * and vice-versa, regardless of the operation. This has to be handled visually only, while the data should be kept as intended.

Edit: I've replaced the video starting from Admin, so it's more evident the problem.
https://github.com/user-attachments/assets/820e9785-0ff5-42f6-9d68-bdabb93cc391

[richard-cox]

I don't think we want to map anything to anything, that's the issue. If there's a * it should remain as so. If there's a list it should also remain as so.

The bug is we're converting a * to a list of verbs. Where about is that happening?

[cnotv]

We must map it for sure, because we do not have a UI for *.
The thing is that we should keep intact the model, which we do not.
If we map the * once it has to be always, otherwise it's inconsistent in both data and UI, plus the code will be even more hacked.

[richard-cox]

I'm not quite sure i follow.

I had a look, this is the code that maps * to the list of verbs https://github.com/rancher/dashboard/blob/master/shell/components/auth/RoleDetailEdit.vue#L130-L134. We just need to not do this, and also ensure * is a valid entry

[cnotv]

also ensure * is a valid entry

Define valid entry, if you do not mind.
Would this PR not work as intended? #12235

[richard-cox]

Valid entry in the select component.

The PR won't work because it's mapping * to a list of verbs. Lets get together after the team meet to go over this

[cnotv]

Updated PR as agreed in the meeting #12235

[HoustonDad]

While this is set for v2.10, can we get backports into v2.8 and v2.9?

[richard-cox]

v2.8 is EOM, v2.9 is a possibility though

[yonasberhe23]

Clone of global admin role is properly copied.

Tested in:

• Rancher v2.10-ae6ac83471545ab47d052d2d760daa2e6646a969-head
• Dashboard master 225e3e6

Screen.Recording.2024-10-18.at.6.29.18.PM.mov