Continuous Delivery: User is logged out after attempting to move a fleet cluster from a workspace to another owned by a different user

[izaac]

Setup

• Rancher version: v2.7-head 0c76b3f
• Browser type & version: Firefox

Describe the bug

The user is taken back to the login page when trying to move a fleet cluster from a workspace (own or fleet-default) to other workspace owned by a different user.

To Reproduce

• As admin user in Rancher
• Create two users user1 and user2
• Create a Custom Role and give all permissions to the resources gitrepo fleetworkspaces and clusters (fleet)
• Assign this custom role to user1 and user2
• Provision an RKE2 cluster in Rancher and add user1 and user2 as Cluster Owner.
• As user1 navigate to Continous Delivery and check you can see the Clusters in fleet-default
• As user1 create a new fleet workspace user1ws
• As user2 navigate to Continous Delivery and check you can see the Clusters in fleet-default
• As user2 create a new fleet workspace user2ws
• Logout from both accounts.
• Login as user2 navigate to Continuous Delivery move the RKE2 fleet cluster from fleet-default to user1ws

Result

An error occurs and user2 is logged out and taken back to the login page.

{
    "baseType": "error",
    "code": "Unauthorized",
    "message": "admission webhook \"rancher.cattle.io.clusters.management.cattle.io\" denied the request: Unauthorized",
    "status": 401,
    "type": "error"
}

Expected Result
Either being able to move the cluster to other workspace owned by other user.
If that's not expected. Just throw an error and do not log out the user

Screenshots

Moving to userws1

Result:

Additional context

Dashboard: release-2.7.2 94650da49
Fleet: v0.6.0-rc.5

[gaktive]

Doesn't read as a blocker based on the scenario but the behaviour is weird. Hopefully we can quickly check this out but this may be pushed out due to time.

[gaktive]

@kkaempf what should be the desired behaviour in this case? Could a user expect to do this?

[nwmac]

See: #8479

We have removed the ability to move RKE2 clusters to different workspaces, so this resolves this issue until the backend is fixed to enable this to work - see: rancher/rancher#36132

[l4zy0n3]

See: #8479

We have removed the ability to move RKE2 clusters to different workspaces, so this resolves this issue until the backend is fixed to enable this to work - see: rancher/rancher#36132

Since we have disabled the ability to move clusters and the issue is open for a long time, we should mark it as stale and close this if no other work needs to reference this issue.

I was unable to reproduce the issue due to the reasons stated above.

[sbulage]

Below screenshot says, clearly that option to move workspace for the clusters has been remove.

Thanks @l4zy0n3

[prabalsharma]

Can be closed.

[kkaempf]

.