Restoring Cluster View and Provision Access for Users After Recent OCM RBAC Changes

Solution In Progress

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4

Issue

  • Users within some organizations lose the ability to view and provision clusters
  • Failed to create cluster: status is 500, identifier is '500', code is 'CLUSTERS-MGMT-500'
  • We have over 300 OpenShift/ROSA clusters, but only 3 are showing up in OCM.

Resolution

The customer should verify if the 'OCM Cluster Viewer' and 'OCM Cluster Provisioner' roles exist in the 'Custom default access' group. If these roles are missing, they can add these roles to the group to enable access to all members within the organization. Alternatively, they can add these roles to a separate new or existing group to assign these roles to members that require them.

Note: These changes can take up to 30 minutes to take effect.

Follow these steps to verify the 'Custom default access' group roles:

  1. Access the Red Hat Hybrid Cloud Console and navigate to the Identity & Access Management menu in the Settings gear.

  2. Find and check if the 'Custom default access' group exists in the Groups tab.

  3. If it exists, check whether it contains the following OCM-specific roles:

    • OCM Cluster Viewer: Allows a user to view all clusters within the organization.
    • OCM Cluster Provisioner: Allows a user to provision a cluster.

    To find these roles, use the search box and type "OCM" when adding roles to the group.

  4. If these roles are missing, add them back with the "Add role" button.

Note: Adding these roles to the 'Custom default access' group will apply to all users within the organization.

Follow these steps to add these roles to a separate new or existing group:

  1. Create a new group for users who need to view and provision clusters, or select an existing group to add the required roles to.

  2. Add the following OCM-specific roles to the selected group:

    • OCM Cluster Viewer: Allows a user to view all clusters within the organization.
    • OCM Cluster Provisioner: Allows a user to provision a cluster.

    To find these roles, use the search box and type "OCM" when adding roles to the group.

  3. Add users to the group as needed.

Note: Only organization administrators can manage and assign roles to groups using role-based access control (RBAC).

For more information on managing groups, roles, and members in OCM, refer to the documentation:
Using role-based access control to assign users and groups

Root Cause

OpenShift Cluster Manager recently rolled out role-based access control (RBAC) changes to enable flexible access control for customers. Customers that previously opted to use custom default access groups will not automatically pick up these new roles, so the transition is not seamless for them.
