User shouldn't see Infrastructure/Hosts

Tried all the user roles (member, restricted, and read-only), but all of them see the Infrastructure/Hosts and Infrastructure/Containers views. And even as a read-only user I’m able to delete containers on the hosts.

Now that RBAC works nicely with the Kubernetes infrastructure and users only see their own namespace, seeing hosts and containers on the Rancher UI seems excessive.

Is there a way to make those views disappear for users with lower access rights?

No… but you cannot delete containers (or anything else) with (only) read-only permission.

I guess that’s alright, perhaps I will record a feature request for this. Best not to show anything in my opinion.

But is this normal for a read-only user?

For various dumb reasons the Delete action is shown to read only users because the UI doesn’t actually know if it’s available or not, but if you click it and have (only) read-only access to the environment it will fail and you’ll see this:

But the presence of stop and restart (instead of exactly 3 options shown above) suggests you are not actually a read-only user of that environment. You can have multiple levels of access through different groups, being an admin of the whole install, etc. and get the highest applicable access. The most common situations would be:

  • You’re an Admin of the installation, so you’re going to have all access to all environments (whether added as a member of them at all or not)
  • You have an entry that says [you] [read-only], but also another one for [some team] [member, restricted, or owner] and you are a member of some team. Now you have a higher level and the read-only entry is irrelevant.

It was an overlapping group membership indeed. Once I set all groups read-only, only the delete button was there (and throwing an error).

Thanks for the help!