Fix 404 error in projects/clusters and group/clusters list

Pam Artiaga requested to merge 344915-fix-clusters-list-404-in-admin-mode into master

What does this MR do and why?

When "Sign-in restrictions -> Admin mode" setting is enabled, there is an additional step to enter Admin mode. The administrator must explicitly "enter admin mode" before they can perform administrative tasks. (See guide: https://docs.gitlab.com/ee/administration/settings/sign_in_restrictions.html#admin-mode).

An Admin should have access to the Clusters list of any Group or Project when:

  1. "Sign-in restrictions -> Admin mode" is disabled - they have administrator access by default, i.e. the moment they sign in
  2. "Sign-in restrictions -> Admin mode" is enabled AND they explicitly entered Admin mode

In scenario 2, there is an unexpected 404 error when accessing "Group -> Clusters" or "Project -> Clusters". This MR makes sure that the expected behavior happens, i.e. the Admin can access the "Group -> Clusters" or "Project -> Clusters" pages.

This illustrates why the error happens for the "Group -> Clusters" page. The same logic applies to the "Project -> Clusters" page.

  • In the ::Groups::ClustersController, the group is loaded in a prepend_before_action because it is needed in different before_action authorization checks.
    • The group object is loaded using find_routable!, which also does a check on whether the user has access to the object
  • prepend_before_action happens before the session is loaded (in around_action :set_session_storage in the ApplicationController)
  • The controller mistakenly thinks that there is no session because the group is loaded before the session is loaded
  • It seems that this does not happen in Scenario 1 because there is no need to check in the session whether the current Admin user has entered Admin mode

To resolve the error, we move the loading of the group or project objects to a before_action (after the session is loaded) instead of a prepend_before_action.

Occurrence of problem in relation to certificate_based_clusters feature

| certificate_based_clusters enabled? | Group -> Clusters view | Project -> Clusters view |
|---|---|---|
| yes | the error occurs | the error occurs |
| no | the page is not available | the error occurs |

Screenshots or screen recordings

Group Clusters page

Screenshot_2023-11-29_at_18.14.33

Project Clusters page

Screenshot_2023-11-29_at_18.14.24

How to set up and validate locally

Setup

  1. With a non-admin user, create a Group and a Project within that group.

    • it is best to do this in another browser or in a private/incognito mode window
    • keep track of the link to the Group and the Project
  2. Enable "Sign-in restrictions -> Admin Mode":

    1. Log in as an Admin user
    2. Go to "Admin Area -> Settings -> General"
    3. Expand the "Sign-in restrictions" section
    4. Check "Admin mode"
    5. Save
    6. You will be asked to authenticate to go into "Admin mode". You can authenticate now, or do it in the next steps

Before

  1. If you have not done it yet, enter Admin mode

  2. Test Group Clusters:

    1. Enable certificate_based_clusters Feature Flag in the rails console:

      Feature.enable(:certificate_based_clusters)
    2. Navigate to the Group you created in Setup step 1

    3. From the Group page, go to "Operate -> Kubernetes clusters"

    4. This will result in a 404 page

  3. Test Project Clusters

    1. Navigate to the Project you created in Setup step 1
    2. From the Project page, go to "Operate -> Kubernetes"
    3. This will result in a 404 page

After

  1. Check out this branch:

    gco 344915-fix-clusters-list-404-in-admin-mode
  2. If you have not done it yet, enter Admin mode

  3. Test Group Clusters:

    1. Enable certificate_based_clusters Feature Flag in the rails console:

      Feature.enable(:certificate_based_clusters)
    2. Navigate to the Group you created in Setup step 1

    3. From the Group page, go to "Operate -> Kubernetes clusters"

    4. The Kubernetes clusters page should load. It will be empty since you have not created a cluster for the group; this is okay. (see screenshot above)

  4. Test Project Clusters

    1. Navigate to the Project you created in Setup step 1
    2. From the Project page, go to "Operate -> Kubernetes"
    3. The Kubernetes clusters page should load. It will be empty since you have not created a cluster for the project; this is okay. (see screenshot above)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #344915 (closed)

Edited by Pam Artiaga
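
The callback-ordering problem described in this merge request, reproduced in a small plain-Ruby model. This is an added example, not code from the merge request or from GitLab: the `AppController` class, the `status` helper and the sample `GROUP` are hypothetical, and the model assumes the session is visible to the permission check only inside `set_session_storage`.

```ruby
# Simplified model of controller callback ordering (not Rails, not GitLab code).
class AppController
  NotFound = Class.new(StandardError)

  def self.chain; @chain ||= []; end
  def self.inherited(sub); super; sub.chain.concat(chain); end
  def self.around_action(name); chain.push([:around, name]); end
  def self.before_action(name); chain.push([:before, name]); end
  def self.prepend_before_action(name); chain.unshift([:before, name]); end

  around_action :set_session_storage

  def initialize(user, cookie_session)
    @user, @cookie_session, @session = user, cookie_session, nil
  end

  # Run the callbacks in chain order, then the action itself.
  def process(callbacks = self.class.chain)
    return index if callbacks.empty?
    (kind, name), *rest = callbacks
    return send(name) { process(rest) } if kind == :around
    send(name)
    process(rest)
  end

  # Assumption: permission checks can see the session only inside this block.
  def set_session_storage
    @session = @cookie_session
    yield
  ensure
    @session = nil
  end

  # Admin rights count only when admin mode was entered in the loaded session.
  def find_routable!(group)
    admin = @user[:admin] && @session && @session[:admin_mode]
    raise NotFound unless admin || group[:members].include?(@user[:name])
    group
  end

  def group; @group ||= find_routable!(GROUP); end
  def index; 200; end
end

GROUP = { members: ["dev"] }.freeze # constructed sample data
class BeforeFix < AppController; prepend_before_action :group; end # loads group first
class AfterFix < AppController; before_action :group; end # loads group after session

def status(controller, user, session)
  controller.new(user, session).process
rescue AppController::NotFound
  404
end
```

In this model an admin who has entered admin mode gets 404 from `BeforeFix` and 200 from `AfterFix`, while an admin who has not entered admin mode still gets 404 after the fix.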