# general
s
What decides the access users get to NavLinks? I've added a NavLink resource to a cluster and my admin user can see it. But my less privileged test user cannot. Does it require read access to the target namespace or something like that? https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/custom-branding#custom-navigation-links
s
in order to see the nav links in the side bar users will need read permissions on the resources that were created
s
Thanks for responding! 🙏 Hm, I see. What I'm actually trying to achieve is to grant read-only access to NeuVector. But clearly I don't want the user to get full read access to all objects (e.g. Secrets) in that namespace. Is it possible to grant access only to access the service targeted by the NavLink/app?
s
the navlink resource exists in the upstream/local cluster and isn't namespaced
the actual link used by neuvector though.... not sure
s
Maybe I'm wrong about NavLinks being used for NeuVector. 🤔 In Rancher, it looks like a NavLink, but I can find no such resource. Maybe it's integrated into Rancher some other way.
s
Might be worth asking in #C036F6JDZ8C.
`ui.cattle.io` `navlink` resources are what power generic entries into the resource menu. configuration in a nav link will contain a url that the user is taken to when clicked. for neu vector they may have a `ui.cattle.io` `navlink` resource, or it could be in the resource menu by ui specific configuration.
s
I'll ask there. Thanks for the pointers!
s
had a quick look, they don't use the navlink resource but specific ui configuration. that ui configuration doesn't look like it hides resource menu items at all. if the extension is installed it'll show them. best to double check in that channel though
s
Since my admin user can see it but my test user cannot, it really feels like Rancher is rendering it based on RBAC.
s
My gut feeling is that I need to grant access to NeuVector's Service to the user, because Rancher otherwise prohibits access to that service (even when proxied via Rancher). I'll try that and see what happens.
No, even after assigning a role that lets the user `get,list,watch` services and port-forward to pods, the user does not see the menu item in Rancher. 😕
I think the docs are incorrect. 😞 After digging around in `kubectl api-resources` I found that the API group is called `neuvector.com`, not `permissions.neuvector.com` like the docs say. Adding `get` permissions for all verbs in that API group enables the menu item in Rancher. Then I run into a very clear error message saying:
'services "httpsneuvector service webui8443" is forbidden: User "u-asddfasdfasf" cannot get resource "services/proxy" in API group "" in the namespace "cattle-neuvector-system"'
Granting access to that works. Then I have one more issue I've not had time to debug yet…
This seems to be the Role that's required for the user to view NeuVector from Rancher. Of course it's entirely undocumented, I'd expect nothing less. 😄
I'm especially perplexed as to why it requires `get` on `nvsecurityrules.neuvector.com` in the `cattle-neuvector-system` namespace for Rancher to display the dashboard item. If you have any insights as to why, I'm very interested! 🙂