
OCPBUGS-87201: Fix RoleBindings tab error for non-cluster-admin users#16639

Open: rhamilto wants to merge 1 commit into openshift:main from rhamilto:OCPBUGS-87201

Conversation

rhamilto (Member) commented Jun 17, 2026

Analysis / Root cause:
RoleBindingsPage unconditionally watches ClusterRoleBindings at cluster scope, even when viewing within a namespace. Non-cluster-admin users lack permissions to list ClusterRoleBindings at the cluster scope, causing a "Restricted access" error on the project RoleBindings tab.

Solution description:
Use useAccessReview to check whether the user has list permission on ClusterRoleBindings. When the access review fails (non-cluster-admin), the ClusterRoleBinding watch is omitted from watchResources, preventing the "Restricted access" error. When the access review succeeds (cluster-admin), ClusterRoleBindings are fetched regardless of whether a namespace is selected, preserving the "Cluster-wide RoleBindings" Kind filter option on the RoleBindings list page.

Screenshots / screen recording:
(screenshot of the project "test" RoleBindings tab, attached to the original PR)

Test setup:

  1. Deploy an OpenShift cluster
  2. Create a non-cluster-admin user (e.g., user1)
  3. Ensure the user is a project admin for at least one namespace

Test cases:

  1. Log in as non-cluster-admin user → Home → Projects → select project → RoleBindings tab → RoleBindings are displayed without "Restricted access" error
  2. Log in as cluster-admin → Home → Projects → select project → RoleBindings tab → both RoleBindings and ClusterRoleBindings are displayed, "Cluster-wide RoleBindings" Kind filter is available
  3. Log in as cluster-admin → navigate to the standalone RoleBindings list page (cluster scope) → both RoleBindings and ClusterRoleBindings are displayed
  4. Log in as cluster-admin → User details → RoleBindings tab → both binding types are displayed
  5. Log in as cluster-admin → Group details → RoleBindings tab → both binding types are displayed

Browser conformance:

  • Chrome
  • Firefox
  • Safari (or Epiphany on Linux)

Additional info:
https://redhat.atlassian.net/browse/OCPBUGS-87201

Reviewers and assignees:

Summary by CodeRabbit

  • Bug Fixes
    • Fixed the RBAC role bindings page to respect access when showing binding results: it now avoids loading cluster-wide binding data unless the current user has permission to list cluster role bindings.
    • Improved namespace filtering so role binding results continue to be scoped correctly without triggering unnecessary cluster-wide fetches.
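As an added TypeScript example (not code from openshift/console), the following models the watch-selection logic described above and contrasts it with the earlier namespace-keyed fix quoted further down the thread; the WatchSpec type, the builder names and the `test` namespace are assumptions for illustration.

```typescript
// Added example, not code from openshift/console. It models the watch-selection
// logic the PR describes so the first fix (keyed on namespace) and the merged fix
// (keyed on an access review) can be compared on the PR's own test cases.
// WatchSpec, buildWatchResourcesFirstFix, buildWatchResourcesFinal and the
// `test` namespace are assumptions for this illustration.

interface WatchSpec {
  kind: string;
  isList: boolean;
  namespaced: boolean;
  namespace?: string;
}

type WatchResources = Record<string, WatchSpec>;

// Body of the SelfSubjectAccessReview (authorization.k8s.io/v1) that an access
// review for "list ClusterRoleBindings" asks the API server to evaluate. The
// console only uses the answer to decide what to fetch; the API server still
// enforces RBAC on the actual list request, so this is a UX gate, not the
// enforcement point.
function listClusterRoleBindingsReview() {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: {
      resourceAttributes: {
        group: 'rbac.authorization.k8s.io',
        resource: 'clusterrolebindings',
        verb: 'list',
      },
    },
  };
}

const clusterRoleBindingWatch: WatchSpec = {
  kind: 'ClusterRoleBinding', isList: true, namespaced: false,
};

// First fix (later found incorrect): watch ClusterRoleBindings only when no
// namespace is set. A cluster-admin viewing a project loses the cluster-wide
// bindings and the "Cluster-wide RoleBindings" Kind filter.
function buildWatchResourcesFirstFix(namespace?: string): WatchResources {
  return {
    RoleBinding: { kind: 'RoleBinding', isList: true, namespaced: true, namespace },
    ...(namespace ? {} : { ClusterRoleBinding: clusterRoleBindingWatch }),
  };
}

// Merged fix: key the ClusterRoleBinding watch on the access review result, so a
// non-admin never issues the forbidden cluster-scope list, while a cluster-admin
// keeps the cluster-wide bindings even inside a project.
function buildWatchResourcesFinal(namespace: string | undefined, canListClusterRoleBindings: boolean): WatchResources {
  return {
    RoleBinding: { kind: 'RoleBinding', isList: true, namespaced: true, namespace },
    ...(canListClusterRoleBindings ? { ClusterRoleBinding: clusterRoleBindingWatch } : {}),
  };
}

// The "Cluster-wide RoleBindings" Kind filter only makes sense when the page
// actually watches ClusterRoleBindings.
function clusterWideFilterAvailable(watches: WatchResources): boolean {
  return 'ClusterRoleBinding' in watches;
}
```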

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jun 17, 2026
openshift-ci-robot (Contributor):

@rhamilto: This pull request references Jira Issue OCPBUGS-87201, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Analysis / Root cause:
RoleBindingsPage unconditionally watches ClusterRoleBindings at cluster scope, even when viewing within a namespace. Non-cluster-admin users lack permissions to list ClusterRoleBindings at the cluster scope, causing a "Restricted access" error on the project RoleBindings tab.

Solution description:
Only include the ClusterRoleBinding watch when no namespace is set (cluster-scope view). When a namespace is provided (e.g., project details RoleBindings tab), only namespace-scoped RoleBindings are fetched — which is what the user has permission for and what the tab name implies. This does not affect the User or Group detail pages (which don't pass namespace and correctly show both types), nor the standalone cluster-scope RoleBindings list.

Screenshots / screen recording:

Test setup:

  1. Deploy an OpenShift cluster
  2. Create a non-cluster-admin user (e.g., user1)
  3. Ensure the user is a project admin for at least one namespace

Test cases:

  1. Log in as non-cluster-admin user → Home → Projects → select project → RoleBindings tab → RoleBindings are displayed without "Restricted access" error
  2. Log in as cluster-admin → navigate to the standalone RoleBindings list page (cluster scope) → both RoleBindings and ClusterRoleBindings are displayed
  3. Log in as cluster-admin → User details → RoleBindings tab → both binding types are displayed
  4. Log in as cluster-admin → Group details → RoleBindings tab → both binding types are displayed

Browser conformance:

  • Chrome
  • Firefox
  • Safari (or Epiphany on Linux)

Additional info:
https://redhat.atlassian.net/browse/OCPBUGS-87201

Reviewers and assignees:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jun 17, 2026
coderabbitai Bot (Contributor) commented Jun 17, 2026

Walkthrough

RoleBindingsPage now performs an RBAC access check for the ClusterRoleBinding resource using useAccessReview. The watchResources object conditionally includes the ClusterRoleBinding watcher only when this access check grants permission; the RoleBinding watcher is always included.

Changes

  • RBAC access-based watch filtering: conditional ClusterRoleBinding watch based on RBAC access (frontend/public/components/RBAC/bindings.tsx). Added useAccessReview hook to check if user can list ClusterRoleBinding. Updated watchResources to conditionally spread the ClusterRoleBinding entry only when access is granted. Updated useMemo dependency array to include the access check result.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

lgtm, verified

Pre-merge checks: 15 passed

  • Title check (Passed): The title clearly summarizes the main change: fixing a RoleBindings tab error for non-cluster-admin users, which aligns with the core issue addressed in the changeset.
  • Description check (Passed): The description includes all required sections with comprehensive information: root cause analysis, solution description, test setup, detailed test cases, and additional info linking to the Jira issue.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): The PR modifies only frontend/public/components/RBAC/bindings.tsx (TypeScript/React), not Go test files. Ginkgo is a Go testing framework, not applicable to frontend code. No test files were modifi...
  • Test Structure And Quality (Passed): This PR modifies a frontend TypeScript/React component (bindings.tsx) only; it contains no Ginkgo test code. The custom check for Ginkgo test quality is not applicable to this PR.
  • Microshift Test Compatibility (Passed): No new Ginkgo e2e tests added in this PR. The PR modifies only frontend TypeScript components (bindings.tsx), making the MicroShift test compatibility check not applicable.
  • Single Node Openshift (Sno) Test Compatibility (Passed): No new Ginkgo e2e tests are added in this PR. The changes are exclusively in a React UI component (bindings.tsx) with no test files added.
  • Topology-Aware Scheduling Compatibility (Passed): This PR modifies only a React/TypeScript frontend UI component with no deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
  • Ote Binary Stdout Contract (Passed): PR modifies a React TypeScript UI component file (bindings.tsx), not OTE binary or test code. The custom check only applies to process-level code (main, init, TestMain, BeforeSuite, etc.) that coul...
  • Ipv6 And Disconnected Network Test Compatibility (Passed): This PR modifies only frontend/public/components/RBAC/bindings.tsx (React/TypeScript component). No new Ginkgo e2e tests are added, making the IPv6/disconnected network compatibility check not appl...
  • No-Weak-Crypto (Passed): The PR modifies frontend/public/components/RBAC/bindings.tsx to fix RBAC permission handling. No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-...
  • Container-Privileges (Passed): PR modifies only a TypeScript React frontend component (bindings.tsx) with no Kubernetes manifests or container configuration files changed; no privileged container settings present.
  • No-Sensitive-Data-In-Logs (Passed): The PR modifies only the RoleBindingsPage component's logic for conditionally watching ClusterRoleBindings based on permissions. No logging statements, console calls, or sensitive data exposure mec...


@openshift-ci openshift-ci Bot requested review from TheRealJon and cajieh June 17, 2026 17:57
@openshift-ci openshift-ci Bot added component/core Related to console core functionality approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jun 17, 2026
rhamilto (Member, Author):

/jira refresh
/cherry-pick release-4.22

openshift-cherrypick-robot:

@rhamilto: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 17, 2026
openshift-ci-robot (Contributor):

@rhamilto: This pull request references Jira Issue OCPBUGS-87201, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

cajieh (Contributor) commented Jun 17, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 17, 2026
rhamilto (Member, Author):

/retest


When viewing the RoleBindings tab on a project details page, the console
unconditionally fetched ClusterRoleBindings at cluster scope, causing a
"Restricted access" error for users without cluster-admin permissions.

Use an access review to check whether the user can list
ClusterRoleBindings. When the check fails (non-cluster-admin), the
ClusterRoleBinding watch is omitted, preventing the error. When the
check succeeds (cluster-admin), ClusterRoleBindings are fetched
regardless of whether a namespace is selected, preserving the
"Cluster-wide RoleBindings" Kind filter option on the list page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 18, 2026
openshift-ci-robot (Contributor):

@rhamilto: This pull request references Jira Issue OCPBUGS-87201, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

rhamilto (Member, Author):

@cajieh, integration test revealed the original fix was incorrect. Mind taking another look? See https://github.com/openshift/console/compare/fa39cfaf7beb56019cb7ab9a428b5be1d0ca2cc2..4e7a76875c7a7d2134a5899e07e1753e08090dcc

coderabbitai Bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
frontend/public/components/RBAC/bindings.tsx (1)

364-388: ⚠️ Potential issue | 🟡 Minor

Replace deprecated useAccessReview import with SDK version.

Line 58 imports useAccessReview from '../utils/rbac', which is marked @deprecated in favor of the version from @console/dynamic-plugin-sdk. Since the file already imports from the SDK, update the import:

import { useAccessReview } from '@console/dynamic-plugin-sdk';

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @frontend/public/components/RBAC/bindings.tsx around lines 364 - 388, update
the import statement for the useAccessReview hook in the bindings.tsx file.
Currently it imports useAccessReview from the deprecated '../utils/rbac' module,
but it should instead be imported from '@console/dynamic-plugin-sdk', which is
the SDK version. Change the import line to pull useAccessReview from
'@console/dynamic-plugin-sdk' instead of the local utils module. The
useAccessReview hook is used to check permissions for
canListClusterRoleBindings, so ensure this function reference continues to work
after updating the import source.

Source: Coding guidelines

📥 Commits

Reviewing files that changed from the base of the PR and between fa39cfa and 4e7a768.

📒 Files selected for processing (1)
  • frontend/public/components/RBAC/bindings.tsx

cajieh (Contributor) commented Jun 18, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 18, 2026
openshift-ci Bot (Contributor) commented Jun 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cajieh, rhamilto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

rhamilto (Member, Author):

/retest

openshift-ci Bot (Contributor) commented Jun 18, 2026

@rhamilto: all tests passed!


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
