Fix 404 error in projects/clusters and group/clusters list
What does this MR do and why?
When "Sign-in restrictions -> Admin mode" setting is enabled, there is an additional step to enter Admin mode. The administrator must explicitly "enter admin mode" before they can perform administrative tasks. (See guide: https://docs.gitlab.com/ee/administration/settings/sign_in_restrictions.html#admin-mode).
An Admin should have access to the Clusters list of any Group or Project when:
1. "Sign-in restrictions -> Admin mode" is disabled: they have administrator access by default, i.e., from the moment they sign in
2. "Sign-in restrictions -> Admin mode" is enabled AND they explicitly entered Admin mode

In scenario 2, there is an unexpected 404 error when accessing "Group -> Clusters" or "Project -> Clusters". This MR makes sure that the expected behavior happens, i.e., the Admin can access the "Group -> Clusters" or "Project -> Clusters" pages.
This illustrates why the error happens for the "Group -> Clusters" page. The same logic applies to the "Project -> Clusters" page.
- In the `::Groups::ClustersController`, the `group` is loaded in a `prepend_before_action` because it is needed in different `before_action` authorization checks.
  - The `group` object is loaded using `find_routable!`, which also does a check on whether the user has access to the object
- The `prepend_before_action` happens before the session is loaded (in `around_action :set_session_storage` in the ApplicationController)
- The controller mistakenly thinks that there is no session because the `group` is loaded before the session is loaded
- It seems that this does not happen in Scenario 1 because there is no need to check in the session whether the current Admin user has entered Admin mode
To resolve the error, we move the loading of the `group` or `project` objects to a `before_action` (after the session is loaded) instead of a `prepend_before_action`.
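The ordering problem described above, as an added example that is not part of the original MR or GitLab's code: a plain-Ruby model of a callback chain (not Rails itself) showing why a prepended callback sees no session while a regular `before_action` does. `BaseController`, the two subclasses, and the `:admin_mode` session key are hypothetical names chosen for illustration.

```ruby
# Simplified model of controller callback ordering (plain Ruby, not Rails or GitLab code).
class BaseController
  def self.chain
    @chain ||= []
  end

  # Subclasses start with a copy of the parent's callbacks.
  def self.inherited(sub)
    sub.chain.concat(chain)
  end

  def self.before_action(name)
    chain.push([:before, name])
  end

  def self.prepend_before_action(name)
    chain.unshift([:before, name])
  end

  def self.around_action(name)
    chain.push([:around, name])
  end

  around_action :set_session_storage

  def initialize(stored_session)
    @stored_session = stored_session
  end

  # Runs the callback chain, then the action; returns the HTTP status.
  def process
    @status = nil
    run(self.class.chain.dup) { @status = 200 }
    @status
  end

  private

  def run(rest, &action)
    return action.call if rest.empty?

    (kind, name), *tail = rest
    if kind == :around
      send(name) { run(tail, &action) }
    else
      send(name)
      run(tail, &action) if @status.nil? # a callback that rendered halts the chain
    end
  end

  # Session is only visible while the around callback is yielding.
  def set_session_storage
    @session = @stored_session
    yield
  ensure
    @session = nil
  end

  # Stand-in for find_routable!: admin access needs admin mode recorded in the session.
  def load_group
    @status = 404 unless @session && @session[:admin_mode]
  end
end

class BuggyClustersController < BaseController
  prepend_before_action :load_group # runs before set_session_storage
end

class FixedClustersController < BaseController
  before_action :load_group # runs inside set_session_storage
end

ADMIN_SESSION = { admin_mode: true }.freeze # constructed sample session
puts BuggyClustersController.new(ADMIN_SESSION).process # 404
puts FixedClustersController.new(ADMIN_SESSION).process # 200
```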
Occurrence of problem in relation to `certificate_based_clusters` feature

`certificate_based_clusters` enabled? | Group -> Clusters view | Project -> Clusters view |
---|---|---|
yes | the error occurs | the error occurs |
no | the page is not available | the error occurs |
Screenshots or screen recordings
Group Clusters page
Project Clusters page
How to set up and validate locally
Setup
1. With a non-admin user, create a Group and a Project within that group.
   - it is best to do this in another browser or in a private/incognito mode window
   - keep track of the link to the Group and the Project
2. Enable "Sign-in restrictions -> Admin Mode":
   - Log in as an Admin user
   - Go to "Admin Area -> Settings -> General"
   - Expand the "Sign-in restrictions" section
   - Check "Admin mode"
   - Save
   - You will be asked to authenticate to go into "Admin mode". You can authenticate now, or do it in the next steps
Before
1. If you have not done it yet, enter Admin mode
2. Test Group Clusters:
   - Enable the `certificate_based_clusters` Feature Flag in the rails console: `Feature.enable(:certificate_based_clusters)`
   - Navigate to the Group you created in Setup step 1
   - From the Group page, go to "Operate -> Kubernetes clusters"
   - This will result in a 404 page
3. Test Project Clusters:
   - Navigate to the Project you created in Setup step 1
   - From the Project page, go to "Operate -> Kubernetes"
   - This will result in a 404 page
After
1. Check out this branch: `gco 344915-fix-clusters-list-404-in-admin-mode`
2. If you have not done it yet, enter Admin mode
3. Test Group Clusters:
   - Enable the `certificate_based_clusters` Feature Flag in the rails console: `Feature.enable(:certificate_based_clusters)`
   - Navigate to the Group you created in Setup step 1
   - From the Group page, go to "Operate -> Kubernetes clusters"
   - The Kubernetes clusters page should load. It will be empty since you have not created a cluster for the group; this is okay. (see screenshot above)
4. Test Project Clusters:
   - Navigate to the Project you created in Setup step 1
   - From the Project page, go to "Operate -> Kubernetes"
   - The Kubernetes clusters page should load. It will be empty since you have not created a cluster for the project; this is okay. (see screenshot above)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #344915 (closed)