Problem
Konvoy v1.8.3 has a bug: when a user without admin roles visits a URL covered by a nonResourceURLs rule ending with an asterisk (e.g. /ops/portal/kommander/monitoring/grafana/*), a "401 Unauthorized" error occurs.
The list of the affected roles includes around 20 built-in Konvoy roles (e.g., opsportal-view).
Workaround
Create a new temporary role with nonResourceURLs rules ending with double-asterisk. For example, if the original role looked like this:
- nonResourceURLs:
  - /ops/portal/kommander/monitoring/grafana
  - /ops/portal/kommander/monitoring/grafana/*
  verbs:
  - get
  - head
the new role should look like this:
- nonResourceURLs:
  - /ops/portal/kommander/monitoring/grafana
  - /ops/portal/kommander/monitoring/grafana/**
  verbs:
  - get
  - head
It is better not to edit the built-in roles; instead, create and bind new temporary roles.
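Because around 20 built-in roles are affected, the temporary roles can be generated from the existing ones instead of being written by hand. The script below is an added example, not part of Konvoy or of the original article; it assumes the built-in roles are ClusterRoles exported as JSON, and the "-tmp-doublestar" suffix, the binding name and the function names are hypothetical.

```python
import copy
import json
import sys

SUFFIX = "-tmp-doublestar"  # hypothetical naming convention for the temporary roles
RBAC = "rbac.authorization.k8s.io"


def widen(url):
    """Rewrite a path ending in '/*' so it ends in '/**'; leave other paths alone."""
    return url + "*" if url.endswith("/*") else url


def temporary_role(role):
    """Build a temporary ClusterRole from a built-in one, or None if it is unaffected."""
    rules = copy.deepcopy(role.get("rules") or [])
    changed = False
    for rule in rules:
        urls = rule.get("nonResourceURLs")
        if urls:
            rule["nonResourceURLs"] = [widen(u) for u in urls]
            changed = changed or rule["nonResourceURLs"] != urls
    if not changed:
        return None
    # Fresh metadata only: uid, resourceVersion and labels of the built-in role are dropped.
    return {"apiVersion": RBAC + "/v1", "kind": "ClusterRole",
            "metadata": {"name": role["metadata"]["name"] + SUFFIX}, "rules": rules}


def temporary_binding(role_name, group):
    """ClusterRoleBinding that grants a temporary role to an existing group."""
    return {"apiVersion": RBAC + "/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": role_name + "-binding"},
            "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": role_name},
            "subjects": [{"apiGroup": RBAC, "kind": "Group", "name": group}]}


if __name__ == "__main__":
    # kubectl get clusterrole opsportal-view -o json | python3 widen_roles.py GROUP > tmp.json
    # Review tmp.json, then: kubectl apply -f tmp.json
    group = sys.argv[1] if len(sys.argv) > 1 else None
    doc = json.load(sys.stdin)
    items = []
    for new_role in filter(None, map(temporary_role, doc.get("items", [doc]))):
        items.append(new_role)
        if group:
            items.append(temporary_binding(new_role["metadata"]["name"], group))
    json.dump({"apiVersion": "v1", "kind": "List", "items": items}, sys.stdout, indent=2)
```

Pass only the affected role names to kubectl rather than exporting every ClusterRole, and delete the generated roles and bindings after upgrading to a fixed release.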
Solution
This regression is expected to be fixed in Konvoy v1.8.4.