Allow all users to list model registries

frontend/src/__mocks__/mockModelRegistryService.ts

@@ -0,0 +1,38 @@
+import { ServiceKind } from '~/k8sTypes';
+
+type MockServiceType = {
+  name?: string;
+  namespace?: string;
+};
+
+export const mockModelRegistryService = ({
+  name = 'modelregistry-sample',
+  namespace = 'odh-model-registries',
+}: MockServiceType): ServiceKind => ({
+  kind: 'Service',
+  apiVersion: 'v1',
+  metadata: {
+    name,
+    namespace,
+  },
+  spec: {
+    selector: {
+      app: name,
+      component: 'model-registry',
+    },
+    ports: [
+      {
+        name: 'grpc-api',
+        protocol: 'TCP',
+        port: 9090,
+        targetPort: 9090,
+      },
+      {
+        name: 'http-api',
+        protocol: 'TCP',
+        port: 8080,
+        targetPort: 8080,
+      },
+    ],
+  },
+});

frontend/src/__mocks__/mockSelfSubjectRulesReview.ts

@@ -0,0 +1,238 @@
+import { SelfSubjectRulesReviewKind } from '~/k8sTypes';
+
+export const mockSelfSubjectRulesReview = (): SelfSubjectRulesReviewKind => ({
+  kind: 'SelfSubjectRulesReview',
+  apiVersion: 'authorization.k8s.io/v1',
+  spec: {
+    namespace: 'odh-model-registries',
+  },
+  status: {
+    resourceRules: [
+      {
+        verbs: ['create'],
+        apiGroups: ['', 'project.openshift.io'],
+        resources: ['projectrequests'],
+      },
+      {
+        verbs: ['impersonate'],
+        apiGroups: ['authentication.k8s.io'],
+        resources: ['userextras/scopes.authorization.openshift.io'],
+      },
+      {
+        verbs: ['get', 'list', 'watch'],
+        apiGroups: ['helm.openshift.io'],
+        resources: ['helmchartrepositories'],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['authorization.k8s.io'],
+        resources: ['selfsubjectaccessreviews', 'selfsubjectrulesreviews'],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['authentication.k8s.io'],
+        resources: ['selfsubjectreviews'],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['', 'project.openshift.io'],
+        resources: ['projectrequests'],
+      },
+      {
+        verbs: ['get', 'list', 'watch', 'delete'],
+        apiGroups: ['oauth.openshift.io'],
+        resources: ['useroauthaccesstokens'],
+      },
+      {
+        verbs: ['get', 'list', 'watch'],
+        apiGroups: ['snapshot.storage.k8s.io'],
+        resources: ['volumesnapshotclasses'],
+      },
+      {
+        verbs: ['get'],
+        apiGroups: ['', 'user.openshift.io'],
+        resources: ['users'],
+        resourceNames: ['~'],
+      },
+      {
+        verbs: ['list'],
+        apiGroups: ['', 'project.openshift.io'],
+        resources: ['projectrequests'],
+      },
+      {
+        verbs: ['get', 'list'],
+        apiGroups: ['', 'authorization.openshift.io'],
+        resources: ['clusterroles'],
+      },
+      {
+        verbs: ['get', 'list', 'watch'],
+        apiGroups: ['rbac.authorization.k8s.io'],
+        resources: ['clusterroles'],
+      },
+      {
+        verbs: ['get', 'list'],
+        apiGroups: ['storage.k8s.io'],
+        resources: ['storageclasses'],
+      },
+      {
+        verbs: ['list', 'watch'],
+        apiGroups: ['', 'project.openshift.io'],
+        resources: ['projects'],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['', 'authorization.openshift.io'],
+        resources: ['selfsubjectrulesreviews'],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['authorization.k8s.io'],
+        resources: ['selfsubjectaccessreviews'],
+      },
+      {
+        verbs: ['delete'],
+        apiGroups: ['', 'oauth.openshift.io'],
+        resources: ['oauthaccesstokens', 'oauthauthorizetokens'],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['', 'build.openshift.io'],
+        resources: ['builds/source'],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['', 'authorization.openshift.io'],
+        resources: ['selfsubjectrulesreviews'],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['authorization.k8s.io'],
+        resources: ['selfsubjectaccessreviews'],
+      },
+      {
+        verbs: ['create', 'get'],
+        apiGroups: ['', 'build.openshift.io'],
+        resources: ['buildconfigs/webhooks'],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['', 'build.openshift.io'],
+        resources: ['builds/jenkinspipeline'],
+      },
+      {
+        verbs: ['use'],
+        apiGroups: ['security.openshift.io'],
+        resources: ['securitycontextconstraints'],
+        resourceNames: ['restricted-v2'],
+      },
+      {
+        verbs: ['get', 'list', 'watch'],
+        apiGroups: ['console.openshift.io'],
+        resources: [
+          'consoleclidownloads',
+          'consoleexternalloglinks',
+          'consolelinks',
+          'consolenotifications',
+          'consoleplugins',
+          'consolequickstarts',
+          'consolesamples',
+          'consoleyamlsamples',
+        ],
+      },
+      {
+        verbs: ['create'],
+        apiGroups: ['', 'build.openshift.io'],
+        resources: ['builds/docker', 'builds/optimizeddocker'],
+      },
+      {
+        verbs: ['get'],
+        apiGroups: [''],
+        resources: ['services'],
+        resourceNames: ['modelregistry-sample'],
+      },
+      {
+        verbs: ['get'],
+        apiGroups: [''],
+        resources: ['services'],
+        resourceNames: ['dallas-mr'],
+      },
+    ],
+    nonResourceRules: [
+      {
+        verbs: ['get'],
+        nonResourceURLs: ['/healthz', '/healthz/'],
+      },
+      {
+        verbs: ['get'],
+        nonResourceURLs: [
+          '/version',
+          '/version/*',
+          '/api',
+          '/api/*',
+          '/apis',
+          '/apis/*',
+          '/oapi',
+          '/oapi/*',
+          '/openapi/v2',
+          '/swaggerapi',
+          '/swaggerapi/*',
+          '/swagger.json',
+          '/swagger-2.0.0.pb-v1',
+          '/osapi',
+          '/osapi/',
+          '/.well-known',
+          '/.well-known/oauth-authorization-server',
+          '/',
+        ],
+      },
+      {
+        verbs: ['get'],
+        nonResourceURLs: [
+          '/version',
+          '/version/*',
+          '/api',
+          '/api/*',
+          '/apis',
+          '/apis/*',
+          '/oapi',
+          '/oapi/*',
+          '/openapi/v2',
+          '/swaggerapi',
+          '/swaggerapi/*',
+          '/swagger.json',
+          '/swagger-2.0.0.pb-v1',
+          '/osapi',
+          '/osapi/',
+          '/.well-known',
+          '/.well-known/oauth-authorization-server',
+          '/',
+        ],
+      },
+      {
+        verbs: ['get'],
+        nonResourceURLs: [
+          '/api',
+          '/api/*',
+          '/apis',
+          '/apis/*',
+          '/healthz',
+          '/livez',
+          '/openapi',
+          '/openapi/*',
+          '/readyz',
+          '/version',
+          '/version/',
+        ],
+      },
+      {
+        verbs: ['get'],
+        nonResourceURLs: ['/.well-known', '/.well-known/*'],
+      },
+      {
+        verbs: ['get'],
+        nonResourceURLs: ['/healthz', '/livez', '/readyz', '/version', '/version/'],
+      },
+    ],
+    incomplete: false,
+  },
+});

frontend/src/__tests__/cypress/cypress/tests/mocked/modelRegistry/modelRegistry.cy.ts

@@ -1,23 +1,31 @@
 /* eslint-disable camelcase */
-import { mockK8sResourceList, mockRouteK8sResourceModelRegistry } from '~/__mocks__';
+import { mockK8sResourceList } from '~/__mocks__';
 import { mockComponents } from '~/__mocks__/mockComponents';
 import { mockDashboardConfig } from '~/__mocks__/mockDashboardConfig';
-import { mockModelRegistry } from '~/__mocks__/mockModelRegistry';
 import { mockRegisteredModelList } from '~/__mocks__/mockRegisteredModelsList';
 import { labelModal, modelRegistry } from '~/__tests__/cypress/cypress/pages/modelRegistry';
 import { be } from '~/__tests__/cypress/cypress/utils/should';
-import { ModelRegistryModel, RouteModel } from '~/__tests__/cypress/cypress/utils/models';
+import {
+  SelfSubjectAccessReviewModel,
+  SelfSubjectRulesReviewModel,
+  ServiceModel,
+} from '~/__tests__/cypress/cypress/utils/models';
 import { mockModelVersionList } from '~/__mocks__/mockModelVersionList';
 import { mockModelVersion } from '~/__mocks__/mockModelVersion';
 import type { ModelVersion, RegisteredModel } from '~/concepts/modelRegistry/types';
 import { mockRegisteredModel } from '~/__mocks__/mockRegisteredModel';
+import { mockModelRegistryService } from '~/__mocks__/mockModelRegistryService';
+import { asProjectEditUser } from '~/__tests__/cypress/cypress/utils/mockUsers';
+import { mockSelfSubjectRulesReview } from '~/__mocks__/mockSelfSubjectRulesReview';
+import { mockSelfSubjectAccessReview } from '~/__mocks__/mockSelfSubjectAccessReview';
 
 const MODEL_REGISTRY_API_VERSION = 'v1alpha3';
 
 type HandlersProps = {
   disableModelRegistryFeature?: boolean;
   registeredModels?: RegisteredModel[];
   modelVersions?: ModelVersion[];
+  allowed?: boolean;
 };
 
 const initIntercepts = ({
@@ -56,6 +64,7 @@ const initIntercepts = ({
     mockModelVersion({ author: 'Author 1' }),
     mockModelVersion({ name: 'model version' }),
   ],
+  allowed = true,
 }: HandlersProps) => {
   cy.interceptOdh(
     'GET /api/config',
@@ -65,18 +74,28 @@ const initIntercepts = ({
   );
   cy.interceptOdh('GET /api/components', { query: { installed: 'true' } }, mockComponents());
 
+  cy.interceptK8s('POST', SelfSubjectRulesReviewModel, mockSelfSubjectRulesReview());
+
   cy.interceptK8sList(
-    ModelRegistryModel,
-    mockK8sResourceList([mockModelRegistry({}), mockModelRegistry({ name: 'test-registry' })]),
+    ServiceModel,
+    mockK8sResourceList([
+      mockModelRegistryService({ name: 'modelregistry-sample' }),
+      mockModelRegistryService({ name: 'modelregistry-sample-2' }),
+    ]),
   );
 
-  cy.interceptK8s(ModelRegistryModel, mockModelRegistry({}));
+  cy.interceptK8s(ServiceModel, mockModelRegistryService({ name: 'modelregistry-sample' }));
+
+  cy.interceptK8s(ServiceModel, mockModelRegistryService({ name: 'dallas-mr' }));
 
   cy.interceptK8s(
-    RouteModel,
-    mockRouteK8sResourceModelRegistry({
-      name: 'modelregistry-sample-http',
-      namespace: 'odh-model-registries',
+    'POST',
+    SelfSubjectAccessReviewModel,
+    mockSelfSubjectAccessReview({
+      verb: 'list',
+      resource: 'services',
+      group: 'user.openshift.io',
+      allowed,
     }),
   );
 
@@ -187,4 +206,16 @@ describe('Model Registry', () => {
     modelRegistry.findTableRows().should('have.length', 1);
     modelRegistry.findTableRows().contains('Fraud detection model');
   });
+
+  it('should be accessible for non-admin users', () => {
+    asProjectEditUser();
+    initIntercepts({
+      disableModelRegistryFeature: false,
+      allowed: false,
+    });
+
+    modelRegistry.visit();
+    modelRegistry.navigate();
+    modelRegistry.shouldModelRegistrySelectorExist();
+  });
 });