From 75e6453719a107733a77eaa7bfd4ac8f15d63a51 Mon Sep 17 00:00:00 2001 From: reggie-k Date: Tue, 12 Jul 2022 09:36:29 +0300 Subject: [PATCH 1/2] show logs tab only upon explicit rbac allow policy Signed-off-by: reggie-k --- CHANGELOG.md | 8 ++- docs/operator-manual/upgrading/2.3-2.4.md | 8 ++- .../resource-details/resource-details.tsx | 68 +++++++++++-------- .../app/shared/services/accounts-service.ts | 4 ++ 4 files changed, 56 insertions(+), 32 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8d976a322697c..de1dcfe9a43d3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,9 +13,13 @@ commands, and helps to troubleshoot the application state.
 Argo CD is used to manage the critical infrastructure of multiple organizations, which makes security the top priority of the project. We've listened to your feedback and introduced additional access control settings that control access to Kubernetes Pod logs and the new Web Terminal feature.
-#### Known UI Issue for Pod Logs Access
+#### Pod Logs UI
-Currently, upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
+Since 2.4.6, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy.
+
+#### Known pod logs UI issue prior to 2.4.6
+
+Upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
 ### OpenTelemetry Tracing Integration
diff --git a/docs/operator-manual/upgrading/2.3-2.4.md b/docs/operator-manual/upgrading/2.3-2.4.md
index d4d272b90ec1a..7aacf4dcd3c86 100644
--- a/docs/operator-manual/upgrading/2.3-2.4.md
+++ b/docs/operator-manual/upgrading/2.3-2.4.md
@@ -149,9 +149,13 @@ p, role:test-db-admins, applications, *, staging-db-admins/*, allow
 p, role:test-db-admins, logs, get, staging-db-admins/*, allow
 ```
-## Known UI issue
+### Pod Logs UI
-Currently, upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
+Since 2.4.6, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy.
+
+### Known pod logs UI issue prior to 2.4.6
+
+Upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
 ## Test repo-server with its new dedicated Service Account
diff --git a/ui/src/app/applications/components/resource-details/resource-details.tsx b/ui/src/app/applications/components/resource-details/resource-details.tsx
index f6a4b34216489..a4991bb153ec3 100644
--- a/ui/src/app/applications/components/resource-details/resource-details.tsx
+++ b/ui/src/app/applications/components/resource-details/resource-details.tsx
@@ -42,7 +42,16 @@ export const ResourceDetails = (props: ResourceDetailsProps) => {
 const page = parseInt(new URLSearchParams(appContext.history.location.search).get('page'), 10) || 0;
 const untilTimes = (new URLSearchParams(appContext.history.location.search).get('untilTimes') || '').split(',') || [];
- const getResourceTabs = (node: ResourceNode, state: State, podState: State, events: Event[], extensionTabs: ResourceTabExtension[], tabs: Tab[], execEnabled: boolean) => {
+ const getResourceTabs = (
+ node: ResourceNode,
+ state: State,
+ podState: State,
+ events: Event[],
+ extensionTabs: ResourceTabExtension[],
+ tabs: Tab[],
+ execEnabled: boolean,
+ logsAllowed: boolean
+ ) => {
 if (!node || node === undefined) {
 return [];
 }
@@ -78,30 +87,32 @@ export const ResourceDetails = (props: ResourceDetailsProps) => {
 const onClickContainer = (group: any, i: number) => SelectNode(selectedNodeKey, group.offset + i, 'logs', appContext);
- tabs = tabs.concat([
- {
- key: 'logs',
- icon: 'fa fa-align-left',
- title: 'LOGS',
- content: (
-
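Review bot: The widened `getResourceTabs` signature now ends in two positional booleans, `execEnabled, logsAllowed`, which are easy to transpose at a call site (both are `boolean`, so the compiler cannot catch a swap); a small options object such as `flags: {execEnabled: boolean; logsAllowed: boolean}` would make each call self-describing. If the signature stays positional, a TSDoc line like `@param logsAllowed result of the logs/get can-i check; when false the LOGS tab is not built` documents the new parameter. The body of `getResourceTabs` continues past the end of this hunk.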
- appContext.navigation.goto('.', {page: pageData.number, untilTimes: pageData.untilTimes.join(',')})} - containerGroups={containerGroups} - onClickContainer={onClickContainer} - /> -
- ) - } - ]); + if (logsAllowed) { + tabs = tabs.concat([ + { + key: 'logs', + icon: 'fa fa-align-left', + title: 'LOGS', + content: ( +
+ appContext.navigation.goto('.', {page: pageData.number, untilTimes: pageData.untilTimes.join(',')})} + containerGroups={containerGroups} + onClickContainer={onClickContainer} + /> +
+ ) + } + ]); + } if (execEnabled) { tabs = tabs.concat([ { @@ -250,8 +261,8 @@ export const ResourceDetails = (props: ResourceDetailsProps) => { const settings = await services.authService.settings(); const execEnabled = settings.execEnabled; - - return {controlledState, liveState, events, podState, execEnabled}; + const logsAllowed = await services.accounts.canI('logs', 'get', application.spec.project + '/' + application.metadata.name); + return {controlledState, liveState, events, podState, execEnabled, logsAllowed}; }}> {data => ( @@ -295,7 +306,8 @@ export const ResourceDetails = (props: ResourceDetailsProps) => { content: } ], - data.execEnabled + data.execEnabled, + data.logsAllowed )} selectedTabKey={props.tab} onTabSelected={selected => appContext.navigation.goto('.', {tab: selected}, {replace: true})} diff --git a/ui/src/app/shared/services/accounts-service.ts b/ui/src/app/shared/services/accounts-service.ts index 8820fa46dd697..008505a63714a 100644 --- a/ui/src/app/shared/services/accounts-service.ts +++ b/ui/src/app/shared/services/accounts-service.ts @@ -27,4 +27,8 @@ export class AccountsService { public deleteToken(name: string, id: string): Promise { return requests.delete(`/account/${name}/token/${id}`); } + + public canI(resource: string, action: string, subresource: string): Promise { + return requests.get(`/account/can-i/${resource}/${action}/${subresource}`).then(res => res.body.value === 'yes'); + } } From dc9e755b186ad743808ab85614880c43f45f8c6f Mon Sep 17 00:00:00 2001 From: reggie-k Date: Wed, 13 Jul 2022 18:16:26 +0300 Subject: [PATCH 2/2] 2.4.7 docs edit Signed-off-by: reggie-k --- CHANGELOG.md | 4 ++-- docs/operator-manual/upgrading/2.3-2.4.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index de1dcfe9a43d3..ff5d5a790e3fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
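Review bot: The `if (logsAllowed)` guard around the LOGS tab is a UI affordance only: whether the user may read logs is decided by the API server on each logs request, so this branch should not be read as the enforcement point. A one-line comment above it, `// UI gating only: the API server enforces the logs/get RBAC policy on every request`, would keep a later maintainer from relaxing or relying on it as if it were the security check. `getResourceTabs` begins before this hunk, and the tab's JSX is only partially visible on this page.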
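Review bot: `await services.accounts.canI(...)` runs inside the same loader as the rest of the resource details, so a rejected can-i request (network error, API outage) now fails the whole resource view instead of just withholding the LOGS tab. Resolving the check to `false` on rejection keeps the fail-closed behaviour while leaving the view usable: `const logsAllowed = await services.accounts.canI('logs', 'get', application.spec.project + '/' + application.metadata.name).catch(() => false);`, ideally with a `console.warn` of the failure so a misconfigured server is not silently indistinguishable from a denied policy. A template literal for the project/name pair would also read better than the string concatenation. The enclosing loader callback starts and ends outside this hunk.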
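Review bot: Passing `data.logsAllowed` means a URL that still carries `tab=logs` (a bookmark, or a link shared by a user who does have logs access) now selects a key that is absent from the tab list; `selectedTabKey={props.tab}` is visible here but the fallback behaviour of the Tabs component is not, so it is worth confirming it falls back to the first tab rather than rendering an empty pane. If it does not, mapping a key that is not in the built list to the first tab's key before passing `selectedTabKey` would close that gap. The surrounding JSX starts and ends outside this hunk.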
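Review bot: `canI` is a new public method on `AccountsService` with no TSDoc; a block comment above it would tell callers what it checks and that it fails closed, e.g. `/** Asks the API server whether the current account may perform action on resource for subresource (e.g. "project/app"); resolves to true only on an explicit "yes", anything else is treated as denied. */`. The three parameters are interpolated into the request path unencoded, and `subresource` is expected to contain a `/` (project/app), so per-segment encoding would have to split it first; that is acceptable while callers pass only Kubernetes-constrained names, but the assumption belongs in the comment. The return type prints here as a bare `Promise`, presumably `Promise<boolean>` lost in rendering.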
@@ -15,9 +15,9 @@ your feedback and introduced additional access control settings that control acc #### Pod Logs UI -Since 2.4.6, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy. +Since 2.4.7, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy. -#### Known pod logs UI issue prior to 2.4.6 +#### Known pod logs UI issue prior to 2.4.7 Upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed. diff --git a/docs/operator-manual/upgrading/2.3-2.4.md b/docs/operator-manual/upgrading/2.3-2.4.md index 7aacf4dcd3c86..78bc3d4686645 100644 --- a/docs/operator-manual/upgrading/2.3-2.4.md +++ b/docs/operator-manual/upgrading/2.3-2.4.md @@ -151,9 +151,9 @@ p, role:test-db-admins, logs, get, staging-db-admins/*, allow ### Pod Logs UI -Since 2.4.6, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy. +Since 2.4.7, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy. -### Known pod logs UI issue prior to 2.4.6 +### Known pod logs UI issue prior to 2.4.7 Upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.