Couchbase OpenShift Operator user permission

A user with the “admin” role in the namespace does not see the same Couchbase cluster screen, with more options, as a user with the “cluster admin” role. However, there is no way they want to give us the cluster admin role.

Summary of issue:

  1. We have users with the admin role in the namespace where the Couchbase Operator is installed. When the users try to create a new Couchbase instance, they are not able to see the configuration tabs Servers, Cluster, Buckets, XDCR, Backup, Monitoring, and Networking.

  2. When we try the same with a user with a cluster-admin or cluster view role, we can see the missing tabs.

  3. According to this Couchbase documentation Install the Operator on OpenShift | Couchbase Docs, when installing the Operator manually, we need to add the “couchbasecluster” role to the users. In our case, we installed the Couchbase Operator via the OpenShift Console and didn’t see this role created. As a test we created the role manually and bound it to the user, but we are still not able to see the missing tabs.

  4. What are the user requirements and the correct procedures to configure them?

1/2: Consulting the docs (Roles | Couchbase Docs), the admin/Full Admin role should give you access to everything, whereas the cluster_admin role should be the same, except with the user unable to alter security settings. Are you saying that a user with admin is unable to see everything? I’ve just tried it out locally with the following configuration and it works for me. Do you have any more details?

apiVersion: v1
kind: Secret
metadata:
  name: simon
stringData:
  username: simon
  password: password
---
apiVersion: couchbase.com/v2
kind: CouchbaseUser
metadata:
  name: simon
spec:
  authDomain: local
  authSecret: simon
---
apiVersion: couchbase.com/v2
kind: CouchbaseGroup
metadata:
  name: admin
spec:
  roles:
  - name: admin
---
apiVersion: couchbase.com/v2
kind: CouchbaseRoleBinding
metadata:
  name: admins
spec:
  roleRef:
    kind: CouchbaseGroup
    name: admin
  subjects:
  - kind: CouchbaseUser
    name: simon

3: That role is provided with the Operator download package, and all it allows you – as a Kubernetes user – to do is access Couchbase CRDs. It’s important on OCP for being able to create resources and also to collect logs for Couchbase support… Obviously if you are using OLM, then it’s not necessary to be able to manage Couchbase clusters through the UI.

Thanks for your help.

We are admin within our namespace, but the create Couchbase cluster screen we see and the one the cluster admin sees are different. Their create screen has more tabs. I am not sure the underlying YAML files are the same.

Oh are we talking about Red Hat’s OLM user interface here? It may be quicker to ask them. I’ll get our OpenShift experts to have a look too, in case it’s something obvious.

I think we might be mixing roles for both the OLM interface and the Couchbase interfaces?
You can be an admin in OpenShift, but that doesn’t make you an admin in the Couchbase interface.
The “Networking” or “Monitoring” tabs are visible based on Couchbase RBAC as @simon.murray described. You can use OLM or the oc CLI tool to update the user roles within the CouchbaseGroup resource to grant your user cluster-admin within Couchbase.

Thanks for your help. I bypassed the problem by using a YAML file install instead of the create Couchbase cluster view on the installed operator side.
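
The thread mixes two permission layers: Kubernetes/OpenShift RBAC on the Couchbase custom resources, and Couchbase RBAC defined through CouchbaseGroup roles. The script below is an added example, not part of any post in this thread and not Couchbase's own tooling, that checks both for a given user and namespace. It assumes the caller is logged in with `oc` and is allowed to impersonate users (`--as`); the user and namespace are passed as arguments.

```shell
#!/bin/sh
# Added example: separate the two RBAC layers discussed in the thread.
# Resource kinds are the ones named on this page; extend the list as needed.
CB_RESOURCES="couchbaseclusters couchbaseusers couchbasegroups couchbaserolebindings"
CB_VERBS="get list create update"
DENIED=0

# can_i USER NAMESPACE VERB RESOURCE
# Exit status 0 if Kubernetes RBAC allows it. An empty NAMESPACE means a
# cluster-scoped check. --as needs impersonation rights for the caller.
can_i() {
    if [ -n "$2" ]; then
        oc auth can-i "$3" "$4" --as="$1" -n "$2" >/dev/null
    else
        oc auth can-i "$3" "$4" --as="$1" >/dev/null
    fi
}

# Print one result line and count denials in DENIED.
report() {
    if can_i "$1" "$2" "$3" "$4"; then
        ans=yes
    else
        ans=no
        DENIED=$((DENIED + 1))
    fi
    printf '%-7s %-48s %s\n' "$3" "$4" "$ans"
}

# audit_user USER NAMESPACE: Kubernetes RBAC layer.
audit_user() {
    DENIED=0
    for res in $CB_RESOURCES; do
        for verb in $CB_VERBS; do
            report "$1" "$2" "$verb" "$res.couchbase.com"
        done
    done
    # CRDs are cluster-scoped: no namespaced Role or RoleBinding can grant this.
    report "$1" "" get customresourcedefinitions.apiextensions.k8s.io
}

# couchbase_roles NAMESPACE: Couchbase RBAC layer (roles per CouchbaseGroup).
couchbase_roles() {
    oc get couchbasegroups.couchbase.com -n "$1" \
        -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.spec.roles[*].name}{"\n"}{end}'
}

if [ "$#" -ge 2 ]; then
    audit_user "$1" "$2"
    echo "denied checks: $DENIED"
    couchbase_roles "$2"
fi
```

A "no" in the first table is a Kubernetes RBAC gap in the namespace; the group listing shows which Couchbase roles exist independently of that.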