From 57b16e42fef86c2beeff68ccc4cd88579f458127 Mon Sep 17 00:00:00 2001
From: Richard Cox <richard.cox@suse.com>
Date: Tue, 26 Jan 2021 20:13:55 +0000
Subject: [PATCH 01/13] =?UTF-8?q?Add=20Users=20&=20Auth=20/=20Groups=20pag?=
 =?UTF-8?q?e,=20assign=20Global=20Roles=20to=20Groups=20-=20Add=20groups?=
 =?UTF-8?q?=20page=20with=20table=20to=20the=20auth=20product=20-=20Allow?=
 =?UTF-8?q?=20user=20to=20assign=20roles=20to=20groups=20previously=20with?=
 =?UTF-8?q?out=20roles=20or=20edit=20=C2=A0=20groups=20with=20existing=20r?=
 =?UTF-8?q?oles?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Comments
- I haven't added any special ux for the case where there's no auth
  provider and therefore no groups
- ./components/GlobalRoleBindings.vue will be updated when the same
  component is used for assign global roles to a user principal
- ./components/GlobalRoleBindings.vue ln 139 Couldn't create a binding
  without the generateName metadata property. Have given this a
  `ui-` prefix. Is this correct?
- In order to determine which global roles are bound to each principal
  (so we can filter by principals that have them).. we go out and fetch
  ALL role bindings. Is this too costly?
- On the groups page the 'refresh' button is quite big, we should
  consider reducing this
---
 assets/translations/en-us.yaml                | 101 +++++++-
 components/GlobalRoleBindings.vue             | 220 ++++++++++++++++++
 components/PromptRemove.vue                   |   2 +-
 components/auth/SelectPrincipal.vue           |  43 +++-
 components/form/Checkbox.vue                  |  38 ++-
 components/formatter/Principal.vue            |  19 ++
 .../formatter/PrincipalGroupBindings.vue      |  53 +++++
 config/product/auth.js                        |  67 +++++-
 config/table-headers.js                       |  16 ++
 config/types.js                               |   4 +-
 edit/group.principal.vue                      |  63 +++++
 list/group.principal.vue                      | 102 ++++++++
 models/group.principal.js                     |  61 +++++
 .../management.cattle.io.globalrolebinding.js |  21 ++
 .../auth/group.principal/assign-edit.vue      | 115 +++++++++
 plugins/steve/actions.js                      |   3 +-
 16 files changed, 904 insertions(+), 24 deletions(-)
 create mode 100644 components/GlobalRoleBindings.vue
 create mode 100644 components/formatter/Principal.vue
 create mode 100644 components/formatter/PrincipalGroupBindings.vue
 create mode 100644 edit/group.principal.vue
 create mode 100644 list/group.principal.vue
 create mode 100644 models/group.principal.js
 create mode 100644 models/management.cattle.io.globalrolebinding.js
 create mode 100644 pages/c/_cluster/auth/group.principal/assign-edit.vue

diff --git a/assets/translations/en-us.yaml b/assets/translations/en-us.yaml
index 85e7571762..34c308eb0d 100644
--- a/assets/translations/en-us.yaml
+++ b/assets/translations/en-us.yaml
@@ -106,6 +106,7 @@ suffix:
 ##############################
 # Components & Pages
 ##############################
+
 authConfig:
   accessMode:
     label: 'Configure who should be able to login and use {vendor}'
@@ -250,7 +251,12 @@ authConfig:
     enabled: '{provider} is currently enabled.'
   testAndEnable: Test and Enable Authentication
 
-
+authGroups:
+  actions:
+    refresh: Refresh Group Memberships
+    assignRoles: Assign Global Roles
+  assignEdit:
+    assignTitle: Assign Global Roles To Group
 
 assignTo:
   title: |-
@@ -290,6 +296,10 @@ asyncButton:
     action:  'Delete'
     waiting: 'Deleting&hellip;'
     success: 'Deleted'
+  remove:
+    action:  'Remove'
+    waiting: 'Removing&hellip;'
+    success: 'Removed'
   continue:
     action:  'Continue'
     waiting: 'Saving&hellip;'
@@ -1614,7 +1624,88 @@ rbac:
         defaultLabel: Project Creator Default
       noContext:
         label: No Context
-
+  globalRoles:
+    types:
+      global:
+        label: Global Permissions
+        detail: |-
+          Controls what access the {isUser, select,
+          true {user}
+          false {group}} has to administer the overall {appName} installation.
+      custom:
+        label: Custom
+        detail: Roles not created by Rancher.
+      builtin:
+        label: Built-in
+        detail: Additional roles to define more fine-grain permissions model.
+    unknownRole:
+        detail: No description provided
+    role:
+      admin:
+        label: Administrator
+        detail: Administrators have full control over the entire installation and all resources in all clusters.
+      restricted-admin:
+        label: Restricted Administrator
+        detail: Restricted Admins have full control over all resources in all downstream clusters but no access to the local cluster.
+      user:
+        label: Standard User
+        detail: Standard Users can create new clusters and manage clusters and projects they have been granted access to.
+      user-base:
+        label: User-Base
+        detail: User-Base users have login-access only.
+      clusters-create:
+        label: Create new Clusters
+        detail: Allows the user to create new clusters and become the owner of them.  Standard Users have this permission by default.
+      clustertemplates-create:
+        label: Create new RKE Cluster Templates
+        detail: Allows the user to create new RKE cluster templates and become the owner of them.
+      authn-manage:
+        label: Configure Authentication
+        detail: Allows the user to enable, configure, and disable all Authentication provider settings.
+      catalogs-manage:
+        label: Configure Catalogs
+        detail: Allows the user to add, edit, and remove Catalogs.
+      clusters-manage:
+        label: Manage all Clusters
+        detail: Allows the user to manage all clusters, including ones they are not a member of.
+      clusterscans-manage:
+        label: Manage CIS Cluster Scans
+        detail: Allows the user to launch new and manage CIS cluster scans.
+      kontainerdrivers-manage:
+        label: Create new Cluster Drivers
+        detail: Allows the user to create new cluster drivers and become the owner of them.
+      features-manage:
+        label: Configure Feature Flags
+        detail: Allows the user to enable and disable custom features via feature flag settings.
+      nodedrivers-manage:
+        label: Configure Node Drivers
+        detail: Allows the user to enable, configure, and remove all Node Driver settings.
+      nodetemplates-manage:
+        label: Manage Node Templates
+        detail: Allows the user to define, edit, and remove Node Templates.
+      podsecuritypolicytemplates-manage:
+        label: Manage Pod Security Policies (PSPs)
+        detail: Allows the user to define, edit, and remove PSPs.
+      roles-manage:
+        label: Manage Roles
+        detail: Allows the user to define, edit, and remove Role definitions.
+      settings-manage:
+        label: Manage Settings
+        detail: Allows the user to manage Rancher Settings.
+      users-manage:
+        label: Manage Users
+        detail: Allows the user to create, remove, and set passwords for all Users.
+      catalogs-use:
+        label: Use Catalogs
+        detail: Allows the user to see and deploy Templates from the Catalog.  Standard Users have this permission by default.
+      nodetemplates-use:
+        label: Use Node Templates
+        detail: Allows the user to deploy new Nodes using any existing Node Templates.
+      view-rancher-metrics:
+        label: View Rancher Metrics
+        detail: Allows the user to view Metrics through the API.
+      base:
+        label: Login Access
 
 resourceDetail:
   detailTop:
@@ -2888,6 +2979,11 @@ typeLabel:
       one { RKE2 Cluster }
       other { RKE2 Clusters }
     }
+  group.principal: |-
+    {count, plural,
+      one { Group }
+      other { Groups }
+    }
 
 action:
   clone: Clone
@@ -2905,6 +3001,7 @@ action:
   show: Show
   hide: Hide
   copy: Copy
+  unassign: 'Unassign'
 
 unit:
   sec: secs
diff --git a/components/GlobalRoleBindings.vue b/components/GlobalRoleBindings.vue
new file mode 100644
index 0000000000..209ac4a639
--- /dev/null
+++ b/components/GlobalRoleBindings.vue
@@ -0,0 +1,220 @@
+
+<script>
+import { mapGetters } from 'vuex';
+import { RBAC } from '@/config/types';
+import Checkbox from '@/components/form/Checkbox';
+import { _VIEW } from '@/config/query-params';
+import Loading from '@/components/Loading';
+
+export default {
+  components: {
+    Checkbox,
+    Loading,
+  },
+  props:      {
+    mode: {
+      type:    String,
+      default: _VIEW,
+    },
+    principalId: {
+      type:     String,
+      default: ''
+    },
+  },
+  async fetch() {
+    try {
+      this.allRoles = await this.$store.dispatch('management/findAll', { type: RBAC.GLOBAL_ROLE });
+
+      if (!this.sortedRoles) {
+        this.sortedRoles = {
+          global:  {},
+          builtin: {},
+          custom:  {}
+        };
+
+        this.allRoles.forEach((role) => {
+          const type = this.getRoleType(role);
+
+          if (type) {
+            this.sortedRoles[type][role.id] = {
+              label:       this.t(`rbac.globalRoles.role.${ role.id }.label`) || role.displayName,
+              description: this.t(`rbac.globalRoles.role.${ role.id }.detail`) || role.description || this.t(`rbac.globalRoles.unknownRole.detail`),
+              id:          role.id,
+              role,
+            };
+          }
+        });
+
+        // Moving this out into the watch has issues....
+        this.globalRoleBindings = await this.$store.dispatch('management/findAll', { type: RBAC.GLOBAL_ROLE_BINDING });
+
+        this.update();
+      }
+    } catch (e) { }
+  },
+  data() {
+    return {
+      globalPermissions: [
+        'admin',
+        'restricted-admin',
+        'user',
+        'user-base',
+      ],
+      user:               null, // TODO: Populate in edit user mode
+      globalRoleBindings: null,
+      sortedRoles:        null,
+      selectedRoles:      [],
+      roleChanges:        {}
+    };
+  },
+  computed: { ...mapGetters({ t: 'i18n/t' }) },
+  watch:    {
+    principalId(principalId, oldPrincipalId) {
+      if (principalId === oldPrincipalId) {
+        return;
+      }
+      this.update();
+    }
+  },
+  methods: {
+    getRoleType(role) {
+      if (this.globalPermissions.find(p => p === role.id)) {
+        return 'global';
+      } else if (role.hidden) {
+        return null;
+      } else if (role.builtin) {
+        return 'builtin';
+      } else {
+        return 'custom';
+      }
+    },
+    getUnique(...ids) {
+      return `${ this.principalId }-${ ids.join('-') }`;
+    },
+    update() {
+      if (!this.principalId) {
+        return;
+      }
+
+      this.selectedRoles = [];
+      this.startingSelectedRoles = [];
+
+      const boundRoles = this.globalRoleBindings.filter(globalRoleBinding => globalRoleBinding.groupPrincipalName === this.principalId);
+
+      Object.entries(this.sortedRoles).forEach(([type, types]) => {
+        Object.entries(types).forEach(([roleId, mappedRole]) => {
+          const boundRole = boundRoles.find(boundRole => boundRole.globalRoleName === roleId);
+
+          if (!!boundRole) {
+            this.selectedRoles.push(roleId);
+            this.startingSelectedRoles.push({
+              roleId,
+              bindingId: boundRole.id
+            });
+          }
+        });
+      });
+
+      // TODO: If in create user mode... apply default selection using role.newUserDefault
+      // TODO: If in create/edit user mode... apply validation as per rancher/ui lib/global-admin/addon/components/form-global-roles/component.js
+      // Should validation come in via validationErrors property on model?
+    },
+    checkboxChanged() {
+      const addRoles = this.selectedRoles
+        .filter(selected => !this.startingSelectedRoles.find(startingRole => startingRole.roleId === selected));
+      const removeBindings = this.startingSelectedRoles
+        .filter(startingRole => !this.selectedRoles.find(selected => selected === startingRole.roleId))
+        .map(startingRole => startingRole.bindingId);
+
+      this.roleChanges = {
+        initialRoles: this.startingSelectedRoles,
+        addRoles,
+        removeBindings
+      };
+      this.$emit('changed', this.roleChanges);
+    },
+    async saveAddedRoles() {
+      const newBindings = await Promise.all(this.roleChanges.addRoles.map(role => this.$store.dispatch(`management/create`, {
+        type:               RBAC.GLOBAL_ROLE_BINDING,
+        metadata:           { generateName: `ui-` },
+        globalRoleName:     role,
+        groupPrincipalName: this.principalId,
+      })));
+
+      await Promise.all(newBindings.map(newBinding => newBinding.save()));
+    },
+    async saveRemovedRoles() {
+      const existingBindings = await Promise.all(this.roleChanges.removeBindings.map(bindingId => this.$store.dispatch('management/find', {
+        type: RBAC.GLOBAL_ROLE_BINDING,
+        id:   bindingId
+      })));
+
+      await Promise.all(existingBindings.map(existingBinding => existingBinding.remove()));
+    },
+    async save() {
+      await this.saveAddedRoles();
+      await this.saveRemovedRoles();
+    }
+  }
+};
+</script>
+
+<template>
+  <Loading v-if="$fetchState.pending" />
+
+  <div v-else>
+    <form v-if="selectedRoles">
+      <div v-for="(sortedRole, type) in sortedRoles" :key="getUnique(type)" class="role-group mb-10">
+        <template v-if="Object.keys(sortedRole).length">
+          <h2>{{ t(`rbac.globalRoles.types.${type}.label`) }}</h2>
+          <div class="type-description mb-10">
+            {{ t(`rbac.globalRoles.types.${type}.detail`, { type: 'Application', isUser: !!user }) }}
+          </div>
+          <div class="checkbox-section" :class="'checkbox-section--' + type">
+            <div v-for="(role, roleId) in sortedRoles[type]" :key="getUnique(type, roleId)" class="checkbox mb-10 mr-10">
+              <Checkbox
+                :key="getUnique(type, roleId, 'checkbox')"
+                v-model="selectedRoles"
+                :value-when-true="roleId"
+                :label="role.label"
+                :mode="mode"
+                @input="checkboxChanged"
+              />
+              <div class="description">
+                {{ role.description }}
+              </div>
+            </div>
+          </div>
+        </template>
+      </div>
+    </form>
+  </div>
+</template>
+
+<style lang='scss' scoped>
+  $detailSize: 11px;
+  .role-group {
+    .type-description {
+      font-size: $detailSize;
+    }
+    .checkbox-section {
+      display: grid;
+
+      grid-template-columns: repeat(3, 1fr);
+
+      &--global {
+        grid-template-columns: 100%;
+      }
+
+      .checkbox {
+        display: flex;
+        flex-direction: column;
+
+        .description {
+          font-size: $detailSize;
+          margin-top: 5px;
+        }
+      }
+    }
+  }
+</style>
diff --git a/components/PromptRemove.vue b/components/PromptRemove.vue
index 30f890054b..91414d3278 100644
--- a/components/PromptRemove.vue
+++ b/components/PromptRemove.vue
@@ -269,7 +269,7 @@ export default {
         <button class="btn role-secondary" @click="close">
           Cancel
         </button>
-        <AsyncButton mode="delete" class="btn bg-error ml-10" :disabled="preventDelete" @click="remove" />
+        <AsyncButton mode="remove" class="btn bg-error ml-10" :disabled="preventDelete" @click="remove" />
       </template>
     </Card>
   </modal>
diff --git a/components/auth/SelectPrincipal.vue b/components/auth/SelectPrincipal.vue
index b43fab4b4a..bcb7683726 100644
--- a/components/auth/SelectPrincipal.vue
+++ b/components/auth/SelectPrincipal.vue
@@ -22,6 +22,17 @@ export default {
       default() {
         return ['group'];
       },
+    },
+
+    // either 'user' or 'group'
+    searchGroupTypes: {
+      type:    String,
+      default: null,
+    },
+
+    retainSelection: {
+      type:    Boolean,
+      default: false
     }
   },
 
@@ -68,7 +79,9 @@ export default {
   methods: {
     add(id) {
       this.$emit('add', id);
-      this.newValue = '';
+      if (!this.retainSelection) {
+        this.newValue = '';
+      }
     },
 
     onSearch(str, loading, vm) {
@@ -97,7 +110,10 @@ export default {
           type:       NORMAN.PRINCIPAL,
           actionName: 'search',
           opt:        { url: '/v3/principals?action=search' },
-          body:       { name: str }
+          body:       {
+            name:          str,
+            principalType: this.searchGroupTypes
+          }
         });
 
         if ( this.searchStr === str ) {
@@ -113,18 +129,18 @@ export default {
   }
 };
 </script>
-}
-</script>
 
 <template>
   <LabeledSelect
     v-model="newValue"
     :mode="mode"
-    label="Add Member"
+    :label="retainSelection ? `Select Member` : `Add Member`"
     placeholder="Start typing to search for principals"
     :options="options"
     :searchable="true"
     :filterable="false"
+    class="select-principal"
+    :class="{'retain-selection': retainSelection}"
     @input="add"
     @search="onSearch"
   >
@@ -137,5 +153,22 @@ export default {
     <template #option="option">
       <Principal :key="option.label" :value="option.label" :use-muted="false" />
     </template>
+
+    <template v-if="retainSelection" #selected-option="option">
+      <Principal :key="option.label" :value="option.label" :use-muted="false" class="mt-10 mb-10" />
+    </template>
   </LabeledSelect>
 </template>
+
+<style lang="scss" scoped>
+  .select-principal {
+    &.retain-selection {
+      min-height: 84px;
+      &.focused {
+        .principal {
+          display: none;
+        }
+      }
+    }
+  }
+</style>
diff --git a/components/form/Checkbox.vue b/components/form/Checkbox.vue
index 8e8cf4181b..0e04d7b5bc 100644
--- a/components/form/Checkbox.vue
+++ b/components/form/Checkbox.vue
@@ -1,11 +1,11 @@
 <script>
 import $ from 'jquery';
-import { _EDIT } from '@/config/query-params';
+import { _EDIT, _VIEW } from '@/config/query-params';
 
 export default {
   props: {
     value: {
-      type:    Boolean,
+      type:    [Boolean, Array],
       default: false
     },
 
@@ -43,11 +43,19 @@ export default {
       type:    String,
       default: null
     },
+
+    valueWhenTrue: {
+      type:    null,
+      default: true
+    },
   },
 
   computed: {
     isDisabled() {
-      return (this.disabled || this.mode === 'view' );
+      return (this.disabled || this.mode === _VIEW );
+    },
+    isChecked() {
+      return this.isMulti() ? this.value.find(v => v === this.valueWhenTrue) : this.value === this.valueWhenTrue;
     }
   },
 
@@ -61,9 +69,22 @@ export default {
         click.ctrlKey = event.ctrlKey;
         click.metaKey = event.metaKey;
 
-        this.$emit('input', !this.value);
-        $(this.$el).trigger(click);
+        // Flip the value
+        if (this.isMulti()) {
+          if (this.isChecked) {
+            this.value.splice(this.value.indexOf(this.valueWhenTrue), 1);
+          } else {
+            this.value.push(this.valueWhenTrue);
+          }
+          this.$emit('input', this.value);
+        } else {
+          this.$emit('input', !this.value);
+          $(this.$el).trigger(click);
+        }
       }
+    },
+    isMulti() {
+      return Array.isArray(this.value);
     }
   }
 };
@@ -72,14 +93,15 @@ export default {
 <template>
   <label
     class="checkbox-container"
-    :class="{disabled}"
+    :class="{ 'disabled': isDisabled}"
     @keydown.enter.prevent="clicked($event)"
     @keydown.space.prevent="clicked($event)"
     @click.stop.prevent="clicked($event)"
   >
     <input
-      :checked="value"
-      :v-model="value"
+      v-model="value"
+      :checked="isChecked"
+      :value="valueWhenTrue"
       type="checkbox"
       :tabindex="-1"
       @click.stop.prevent
diff --git a/components/formatter/Principal.vue b/components/formatter/Principal.vue
new file mode 100644
index 0000000000..7f9a2dd2bb
--- /dev/null
+++ b/components/formatter/Principal.vue
@@ -0,0 +1,19 @@
+<script>
+import PrincipalComponent from '@/components/auth/Principal';
+
+export default {
+  components: { PrincipalComponent },
+  props:      {
+    value: {
+      type:     String,
+      default: ''
+    },
+  },
+};
+</script>
+
+<template>
+  <div>
+    <PrincipalComponent :key="value" :value="value" :use-muted="false" />
+  </div>
+</template>
diff --git a/components/formatter/PrincipalGroupBindings.vue b/components/formatter/PrincipalGroupBindings.vue
new file mode 100644
index 0000000000..a468ebd725
--- /dev/null
+++ b/components/formatter/PrincipalGroupBindings.vue
@@ -0,0 +1,53 @@
+<script>
+import { NORMAN, RBAC } from '@/config/types';
+
+export default {
+  props:      {
+    value: {
+      type:     String,
+      default: ''
+    },
+  },
+  computed: {
+
+    boundRoles() {
+      const principal = this.$store.getters['rancher/byId'](NORMAN.PRINCIPAL, this.value);
+      const globalRoleBindings = this.$store.getters['management/all'](RBAC.GLOBAL_ROLE_BINDING);
+
+      return globalRoleBindings
+        // Bindings for this group
+        .filter(globalRoleBinding => globalRoleBinding.groupPrincipalName === principal.id)
+        // Display name of role associated with binding
+        .map((binding) => {
+          const role = this.$store.getters['management/byId'](RBAC.GLOBAL_ROLE, binding.globalRoleName);
+
+          return {
+            detailLocation: role.detailLocation,
+            label:          role ? role.displayName : role.id, // nameDisplay contains principal name, not required here
+          };
+        })
+        .sort((a, b) => a.label.localeCompare(b.label));
+    }
+  }
+};
+</script>
+
+<template>
+  <div class="pgb">
+    <template v-for="(role, i) in boundRoles">
+      <nuxt-link :key="role.id" :to="role.detailLocation">
+        {{ role.label }}
+      </nuxt-link>
+      <template v-if="i + 1 < boundRoles.length">
+        ,&nbsp;
+      </template>
+    </template>
+  </div>
+</template>
+
+<style lang='scss' scoped>
+.pgb{
+  display: flex;
+  flex-wrap: wrap;
+}
+</style>
diff --git a/config/product/auth.js b/config/product/auth.js
index 4e7355a4d9..bd30b644d8 100644
--- a/config/product/auth.js
+++ b/config/product/auth.js
@@ -1,6 +1,7 @@
 import { DSL } from '@/store/type-map';
 // import { STATE, NAME as NAME_COL, AGE } from '@/config/table-headers';
-import { MANAGEMENT } from '@/config/types';
+import { MANAGEMENT, NORMAN, RBAC } from '@/config/types';
+import { GROUP_NAME, GROUP_ROLE_NAME } from '@/config/table-headers';
 
 export const NAME = 'auth';
 
@@ -8,11 +9,12 @@ export function init(store) {
   const {
     product,
     basicType,
-    // weightType,
+    weightType,
     configureType,
     componentForType,
-    // headers,
-    // mapType,
+    headers,
+    mapType,
+    spoofedType,
     virtualType,
   } = DSL(store, NAME);
 
@@ -21,7 +23,7 @@ export function init(store) {
     inStore:             'management',
     icon:                'user',
     removable:           false,
-    weight:              -1,
+    weight:              50,
     showClusterSwitcher: false,
   });
 
@@ -34,6 +36,54 @@ export function init(store) {
     route:       { name: 'c-cluster-auth-config' },
   });
 
+  spoofedType({
+    label:             store.getters['type-map/labelFor']({ id: NORMAN.SPOOFED.GROUP_PRINCIPAL }, 2),
+    type:              NORMAN.SPOOFED.GROUP_PRINCIPAL,
+    collectionMethods: [],
+    schemas:           [
+      {
+        id:                NORMAN.SPOOFED.GROUP_PRINCIPAL,
+        type:              'schema',
+        collectionMethods: [],
+        resourceFields:    {},
+      }
+    ],
+    getInstances: async() => {
+      const principals = await store.dispatch('rancher/findAll', {
+        type: NORMAN.PRINCIPAL,
+        opt:  { url: '/v3/principals' }
+      });
+      const globalRoleBindings = await store.dispatch('management/findAll', {
+        type: RBAC.GLOBAL_ROLE_BINDING,
+        opt:  { force: true }
+      });
+
+      // Up front fetch all global roles, instead of individually when needed (results in many duplicated requests)
+      await store.dispatch('management/findAll', { type: RBAC.GLOBAL_ROLE });
+
+      return principals
+        .filter(principal => principal.principalType === 'group' &&
+          !!globalRoleBindings.find(globalRoleBinding => globalRoleBinding.groupPrincipalName === principal.id)
+        )
+        .map(principal => ({
+          ...principal,
+          type: NORMAN.SPOOFED.GROUP_PRINCIPAL
+        }));
+    }
+  });
+  configureType(NORMAN.SPOOFED.GROUP_PRINCIPAL, {
+    isCreatable:      false,
+    showAge:          false,
+    showState:        false,
+    isRemovable:      false,
+    showListMasthead: false,
+  });
+
+  // Use labelFor... so lookup succeeds with .'s in path.... and end result is 'trimmed' as per other entries
+  mapType(NORMAN.SPOOFED.GROUP_PRINCIPAL, store.getters['type-map/labelFor']({ id: NORMAN.SPOOFED.GROUP_PRINCIPAL }, 2));
+
+  weightType(NORMAN.SPOOFED.GROUP_PRINCIPAL, -1, true);
+  weightType(MANAGEMENT.USER, 100);
   configureType(MANAGEMENT.USER, { showListMasthead: false });
 
   configureType(MANAGEMENT.AUTH_CONFIG, {
@@ -57,6 +107,11 @@ export function init(store) {
   basicType([
     'config',
     MANAGEMENT.USER,
-    // MANAGEMENT.GROUP,
+    NORMAN.SPOOFED.GROUP_PRINCIPAL
+  ]);
+
+  headers(NORMAN.SPOOFED.GROUP_PRINCIPAL, [
+    GROUP_NAME,
+    GROUP_ROLE_NAME
   ]);
 }
diff --git a/config/table-headers.js b/config/table-headers.js
index e51c9f8b10..144b5f4563 100644
--- a/config/table-headers.js
+++ b/config/table-headers.js
@@ -704,3 +704,19 @@ export const CONFIGURED_RECEIVER = {
   formatter:     'Link',
   formatterOpts: { options: { internal: true } },
 };
+
+export const GROUP_NAME = {
+  name:      'group-name',
+  label:     'Group Name',
+  value:     'id',
+  sort:      ['name'],
+  search:    ['name'],
+  formatter: 'Principal',
+  width:     350
+};
+export const GROUP_ROLE_NAME = {
+  name:      'group-role-names',
+  label:     'Group Role Names',
+  value:     'id',
+  formatter: 'PrincipalGroupBindings',
+};
diff --git a/config/types.js b/config/types.js
index 718778fd01..356f6071dd 100644
--- a/config/types.js
+++ b/config/types.js
@@ -15,7 +15,9 @@ export const NORMAN = {
   AUTH_CONFIG: 'authconfig',
   PRINCIPAL:   'principal',
   USER:        'user',
-  TOKEN:        'token',
+  TOKEN:       'token',
+  GROUP:       'group',
+  SPOOFED:     { GROUP_PRINCIPAL: 'group.principal' }
 };
 
 // Public (via Norman)
diff --git a/edit/group.principal.vue b/edit/group.principal.vue
new file mode 100644
index 0000000000..b5c720977f
--- /dev/null
+++ b/edit/group.principal.vue
@@ -0,0 +1,63 @@
+<script>
+import CreateEditView from '@/mixins/create-edit-view';
+import GlobalRoleBindings from '@/components/GlobalRoleBindings.vue';
+import CruResource from '@/components/CruResource';
+import { exceptionToErrorsArray } from '@/utils/error';
+import { NORMAN } from '@/config/types';
+
+export default {
+  components: {
+    GlobalRoleBindings,
+    CruResource
+  },
+  mixins: [CreateEditView],
+  data() {
+    return {
+      errors:       [],
+      valid:  false,
+    };
+  },
+  methods:  {
+    async save(buttonDone) {
+      this.errors = [];
+
+      try {
+        await this.$refs.grb.save();
+
+        await this.$store.dispatch('cluster/findAll', {
+          type: NORMAN.SPOOFED.GROUP_PRINCIPAL,
+          opt:  { force: true }
+        }, { root: true }); // See PromptRemove.vue
+
+        this.$router.replace({ name: this.doneRoute });
+        buttonDone(true);
+      } catch (err) {
+        this.errors = exceptionToErrorsArray(err);
+        buttonDone(false);
+      }
+    },
+    changed(changes) {
+      this.valid = !!changes.addRoles.length || !!changes.removeBindings.length;
+    },
+  }
+};
+</script>
+
+<template>
+  <div>
+    <CruResource
+      :done-route="doneRoute"
+      :mode="mode"
+      :resource="value"
+      :validation-passed="valid"
+      :errors="errors"
+      :can-yaml="false"
+      @finish="save"
+    >
+      <GlobalRoleBindings ref="grb" :principal-id="value.id" :mode="mode" @changed="changed" />
+    </CruResource>
+  </div>
+</template>
+
+<style lang="scss" scoped>
+</style>
diff --git a/list/group.principal.vue b/list/group.principal.vue
new file mode 100644
index 0000000000..af8123cf00
--- /dev/null
+++ b/list/group.principal.vue
@@ -0,0 +1,102 @@
+<script>
+import ResourceTable from '@/components/ResourceTable';
+import Loading from '@/components/Loading';
+import Masthead from '@/components/ResourceList/Masthead';
+import { NORMAN } from '@/config/types';
+import AsyncButton from '@/components/AsyncButton';
+import { applyProducts } from '@/store/type-map';
+import { NAME } from '@/config/product/auth';
+import { MODE, _EDIT } from '@/config/query-params';
+
+export default {
+  components: {
+    AsyncButton, ResourceTable, Masthead, Loading
+  },
+  props: {
+    resource: {
+      type:     String,
+      required: true,
+    },
+
+    schema: {
+      type:     Object,
+      required: true,
+    },
+  },
+  async fetch() {
+    this.rows = await this.$store.dispatch('cluster/findAll', { type: NORMAN.SPOOFED.GROUP_PRINCIPAL }, { root: true }); // See PromptRemove.vue
+  },
+  data() {
+    return {
+      rows:           null,
+      assignLocation:  {
+        // TODO: Q
+        path:   `/c/local/${ NAME }/${ NORMAN.SPOOFED.GROUP_PRINCIPAL }/assign-edit`,
+        query: { [MODE]: _EDIT }
+      }
+    };
+  },
+  computed: {
+    hasRows() {
+      return this.rows?.length > 0;
+    }
+  },
+  methods: {
+    async refreshGroupMemberships(buttonDone) {
+      try {
+        await this.$store.dispatch('rancher/request', {
+          url:           '/v3/users?action=refreshauthprovideraccess',
+          method:        'post',
+          data:          { },
+        });
+
+        // In SPA this is not needed. In SSR I think this runs client side... where this has not been called (not sure how not...)
+        // If this is not here... when cluster/findAll is dispatched... we fail to find the spoofed type's getInstance fn as it hasn't been
+        // registered yet
+        await applyProducts(this.$store);
+
+        this.rows = await this.$store.dispatch('cluster/findAll', {
+          type: NORMAN.SPOOFED.GROUP_PRINCIPAL,
+          opt:  { force: true }
+        }, { root: true });
+
+        buttonDone(true);
+      } catch (err) {
+        this.$store.dispatch('growl/fromError', { title: 'Error refreshing group memberships', err }, { root: true });
+        buttonDone(false);
+      }
+    },
+  },
+
+};
+</script>
+
+<template>
+  <Loading v-if="$fetchState.pending" />
+  <div v-else>
+    <Masthead
+      :schema="schema"
+      :resource="resource"
+    >
+      <template slot="extraActions">
+        <AsyncButton
+          mode="refresh"
+          :action-label="t('authGroups.actions.refresh')"
+          :waiting-label="t('authGroups.actions.refresh')"
+          :success-label="t('authGroups.actions.refresh')"
+          :error-label="t('authGroups.actions.refresh')"
+          @click="refreshGroupMemberships"
+        />
+        <n-link
+          v-if="hasRows"
+          :to="assignLocation"
+          class="btn role-primary"
+        >
+          {{ t("authGroups.actions.assignRoles") }}
+        </n-link>
+      </template>
+    </Masthead>
+
+    <ResourceTable :schema="schema" :rows="rows" />
+  </div>
+</template>
diff --git a/models/group.principal.js b/models/group.principal.js
new file mode 100644
index 0000000000..d4acae8427
--- /dev/null
+++ b/models/group.principal.js
@@ -0,0 +1,61 @@
+import { NORMAN, RBAC } from '@/config/types';
+import { clone } from '@/utils/object';
+import principal from './principal';
+
+export default {
+
+  ...principal,
+
+  canViewInApi() {
+    return false;
+  },
+
+  nameDisplay() {
+    return this.principalNameDisplay;
+  },
+
+  principalNameDisplay() {
+    const principal = this.$rootGetters['rancher/byId'](NORMAN.PRINCIPAL, this.id);
+
+    return `${ principal.name } (${ principal.displayType })`;
+  },
+
+  detailLocation() {
+    const detailLocation = clone(this._detailLocation);
+
+    detailLocation.params.id = this.id; // Base fn removes part of the id (`github_team://3375666` --> `3375666`)
+
+    return detailLocation;
+  },
+
+  availableActions() {
+    return [
+      {
+        action:  'goToEdit',
+        label:   this.t('action.edit'),
+        icon:    'icon icon-edit',
+        enabled:  true,
+      },
+      {
+        action:     'unassignGroupRoles',
+        label:      this.t('action.unassign'),
+        icon:       'icon icon-trash',
+        bulkable:   true,
+        enabled:    true,
+        bulkAction: 'unassignGroupRoles',
+      },
+    ];
+  },
+
+  unassignGroupRoles() {
+    return (resources = this) => {
+      const principals = Array.isArray(resources) ? resources : [resources];
+
+      const globalRoleBindings = this.$rootGetters['management/all'](RBAC.GLOBAL_ROLE_BINDING)
+        .filter(globalRoleBinding => principals.find(principal => principal.id === globalRoleBinding.groupPrincipalName));
+
+      this.$dispatch('promptRemove', globalRoleBindings);
+    };
+  },
+
+};
diff --git a/models/management.cattle.io.globalrolebinding.js b/models/management.cattle.io.globalrolebinding.js
new file mode 100644
index 0000000000..541922fa25
--- /dev/null
+++ b/models/management.cattle.io.globalrolebinding.js
@@ -0,0 +1,21 @@
+import { NORMAN, RBAC } from '@/config/types';
+
+export default {
+  nameDisplay() {
+    const roleName = this.$getters['byId'](RBAC.GLOBAL_ROLE, this.globalRoleName);
+
+    const ownersName = this.groupPrincipalName ? this._displayPrincipal : this._displayUser;
+
+    return `${ roleName.displayName } (${ ownersName })` ;
+  },
+
+  _displayPrincipal() {
+    const principal = this.$rootGetters['rancher/byId'](NORMAN.PRINCIPAL, this.groupPrincipalName);
+
+    return `${ principal.name } - ${ principal.displayType }`;
+  },
+
+  _displayUser() {
+    return this.user;
+  }
+};
diff --git a/pages/c/_cluster/auth/group.principal/assign-edit.vue b/pages/c/_cluster/auth/group.principal/assign-edit.vue
new file mode 100644
index 0000000000..baeb1d7db3
--- /dev/null
+++ b/pages/c/_cluster/auth/group.principal/assign-edit.vue
@@ -0,0 +1,115 @@
+<script>
+import FooterComponent from '@/components/form/Footer';
+import SelectPrincipal from '@/components/auth/SelectPrincipal.vue';
+import GlobalRoleBindings from '@/components/GlobalRoleBindings.vue';
+import { NORMAN } from '@/config/types';
+import { _VIEW } from '@/config/query-params';
+import { exceptionToErrorsArray } from '@/utils/error';
+import { NAME } from '@/config/product/auth';
+
+export default {
+  components: {
+    SelectPrincipal,
+    FooterComponent,
+    GlobalRoleBindings,
+  },
+  data() {
+    return {
+      errors:       [],
+      principalId:  null,
+    };
+  },
+  computed: {
+    mode() {
+      return !this.principalId ? _VIEW : this.$route.query.mode || _VIEW;
+    }
+  },
+  methods: {
+    setPrincipal(id) {
+      this.principalId = id;
+
+      return true;
+    },
+    async cancel() {
+      await this.return();
+    },
+    async save(buttonDone) {
+      this.errors = [];
+
+      try {
+        await this.$refs.grb.save();
+
+        await this.$store.dispatch('cluster/findAll', {
+          type: NORMAN.SPOOFED.GROUP_PRINCIPAL,
+          opt:  { force: true }
+        }, { root: true }); // See PromptRemove.vue
+
+        this.$router.replace({
+          name:   `c-cluster-product-resource`,
+          params: {
+            cluster:  'local',
+            product:  NAME,
+            resource: NORMAN.SPOOFED.GROUP_PRINCIPAL,
+          },
+        });
+
+        buttonDone(true);
+      } catch (err) {
+        this.errors = exceptionToErrorsArray(err);
+        buttonDone(false);
+      }
+    },
+  }
+};
+
+</script>
+
+<template>
+  <div>
+    <div>
+      <div class="masthead">
+        <header>
+          <div class="title">
+            <h1 class="m-0">
+              {{ t('authGroups.assignEdit.assignTitle') }}
+            </h1>
+          </div>
+        </header>
+      </div>
+
+      <form>
+        <SelectPrincipal :retain-selection="true" class="mb-20" :show-my-group-types="['group']" :search-group-types="'group'" @add="setPrincipal" />
+
+        <GlobalRoleBindings ref="grb" :principal-id="principalId" :mode="mode" />
+
+        <FooterComponent
+          :mode="mode"
+          :errors="errors"
+          @save="save"
+          @done="cancel"
+        >
+        </footercomponent>
+      </form>
+    </div>
+  </div>
+</template>
+
+<style lang="scss" scoped>
+  .masthead {
+    padding-bottom: 10px;
+    border-bottom: 1px solid var(--border);
+    margin-bottom: 10px;
+  }
+  HEADER {
+    margin: 0;
+  }
+  .actions {
+    display: flex;
+    justify-content: flex-end;
+    align-items:center;
+
+    .btn {
+      margin-left: 10px;
+    }
+  }
+</style>
diff --git a/plugins/steve/actions.js b/plugins/steve/actions.js
index 6dc1978977..3151f38c31 100644
--- a/plugins/steve/actions.js
+++ b/plugins/steve/actions.js
@@ -13,7 +13,8 @@ export default {
     // Spoofing is handled here to ensure it's done for both yaml and form editing.
     // It became apparent that this was the only place that both intersected
     if (opt.url.includes(SPOOFED_PREFIX) || opt.url.includes(SPOOFED_API_PREFIX)) {
-      const [empty, scheme, type, id] = opt.url.split('/'); // eslint-disable-line no-unused-vars
+      const [empty, scheme, type, ...rest] = opt.url.split('/'); // eslint-disable-line no-unused-vars
+      const id = rest.join('/'); // Cover case where id contains '/'
       const isApi = scheme === SPOOFED_API_PREFIX;
       const typemapGetter = id ? 'getSpoofedInstance' : 'getSpoofedInstances';
       const schemas = await rootGetters['cluster/all'](SCHEMA);

From b17797a5b1f5c024dc0f22d1928287ec905fac5b Mon Sep 17 00:00:00 2001
From: Richard Cox <richard.cox@suse.com>
Date: Thu, 28 Jan 2021 13:59:11 +0000
Subject: [PATCH 02/13] Fixes & Changes following review

---
 components/GlobalRoleBindings.vue |  1 +
 components/form/Checkbox.vue      |  5 +++--
 list/group.principal.vue          | 13 ++++++-------
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/components/GlobalRoleBindings.vue b/components/GlobalRoleBindings.vue
index 209ac4a639..abc38464ed 100644
--- a/components/GlobalRoleBindings.vue
+++ b/components/GlobalRoleBindings.vue
@@ -152,6 +152,7 @@ export default {
       await Promise.all(existingBindings.map(existingBinding => existingBinding.remove()));
     },
     async save() {
+      // Ensure roles are added before removed (in case by removing one user is unable to add another)
       await this.saveAddedRoles();
       await this.saveRemovedRoles();
     }
diff --git a/components/form/Checkbox.vue b/components/form/Checkbox.vue
index 0e04d7b5bc..ae6fd35256 100644
--- a/components/form/Checkbox.vue
+++ b/components/form/Checkbox.vue
@@ -1,6 +1,7 @@
 <script>
 import $ from 'jquery';
 import { _EDIT, _VIEW } from '@/config/query-params';
+import { addObject, removeObject } from '@/utils/array';
 
 export default {
   props: {
@@ -72,9 +73,9 @@ export default {
         // Flip the value
         if (this.isMulti()) {
           if (this.isChecked) {
-            this.value.splice(this.value.indexOf(this.valueWhenTrue), 1);
+            removeObject(this.value, this.valueWhenTrue);
           } else {
-            this.value.push(this.valueWhenTrue);
+            addObject(this.value, this.valueWhenTrue);
           }
           this.$emit('input', this.value);
         } else {
diff --git a/list/group.principal.vue b/list/group.principal.vue
index af8123cf00..3b7f13b03a 100644
--- a/list/group.principal.vue
+++ b/list/group.principal.vue
@@ -25,22 +25,21 @@ export default {
   },
   async fetch() {
     this.rows = await this.$store.dispatch('cluster/findAll', { type: NORMAN.SPOOFED.GROUP_PRINCIPAL }, { root: true }); // See PromptRemove.vue
+
+    const principals = await this.$store.dispatch('rancher/findAll', { type: NORMAN.PRINCIPAL, opt: { url: '/v3/principals' } });
+
+    this.hasGroups = principals.filter(principal => principal.principalType === 'group')?.length;
   },
   data() {
     return {
       rows:           null,
+      hasGroups:      false,
       assignLocation:  {
-        // TODO: Q
         path:   `/c/local/${ NAME }/${ NORMAN.SPOOFED.GROUP_PRINCIPAL }/assign-edit`,
         query: { [MODE]: _EDIT }
       }
     };
   },
-  computed: {
-    hasRows() {
-      return this.rows?.length > 0;
-    }
-  },
   methods: {
     async refreshGroupMemberships(buttonDone) {
       try {
@@ -88,7 +87,7 @@ export default {
           @click="refreshGroupMemberships"
         />
         <n-link
-          v-if="hasRows"
+          v-if="hasGroups"
           :to="assignLocation"
           class="btn role-primary"
         >

From 0b43a2d1ae9f3b5de381ff2c5e362ec5ba9c755e Mon Sep 17 00:00:00 2001
From: Richard Cox <richard.cox@suse.com>
Date: Fri, 29 Jan 2021 09:35:15 +0000
Subject: [PATCH 03/13] Fixes & Changes following review 2 - promptRemove verb
 matches cluster explorer (delete), and text and buttons match - update global
 role binding metadata.generateName from ui- to grb- - update comment on
 applyProducts

---
 components/GlobalRoleBindings.vue | 2 +-
 components/PromptRemove.vue       | 2 +-
 list/group.principal.vue          | 5 ++---
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/components/GlobalRoleBindings.vue b/components/GlobalRoleBindings.vue
index abc38464ed..34623c1cc9 100644
--- a/components/GlobalRoleBindings.vue
+++ b/components/GlobalRoleBindings.vue
@@ -136,7 +136,7 @@ export default {
     async saveAddedRoles() {
       const newBindings = await Promise.all(this.roleChanges.addRoles.map(role => this.$store.dispatch(`management/create`, {
         type:               RBAC.GLOBAL_ROLE_BINDING,
-        metadata:           { generateName: `ui-` },
+        metadata:           { generateName: `grb-` },
         globalRoleName:     role,
         groupPrincipalName: this.principalId,
       })));
diff --git a/components/PromptRemove.vue b/components/PromptRemove.vue
index 91414d3278..30f890054b 100644
--- a/components/PromptRemove.vue
+++ b/components/PromptRemove.vue
@@ -269,7 +269,7 @@ export default {
         <button class="btn role-secondary" @click="close">
           Cancel
         </button>
-        <AsyncButton mode="remove" class="btn bg-error ml-10" :disabled="preventDelete" @click="remove" />
+        <AsyncButton mode="delete" class="btn bg-error ml-10" :disabled="preventDelete" @click="remove" />
       </template>
     </Card>
   </modal>
diff --git a/list/group.principal.vue b/list/group.principal.vue
index 3b7f13b03a..8354897eb2 100644
--- a/list/group.principal.vue
+++ b/list/group.principal.vue
@@ -49,9 +49,8 @@ export default {
           data:          { },
         });
 
-        // In SPA this is not needed. In SSR I think this runs client side... where this has not been called (not sure how not...)
-        // If this is not here... when cluster/findAll is dispatched... we fail to find the spoofed type's getInstance fn as it hasn't been
-        // registered yet
+        // This is needed in SSR, but not SPA. If this is not here... when cluster/findAll is dispatched... we fail to find the spoofed
+        // type's `getInstance` fn as it hasn't been registered (`instanceMethods` in type-map file is empty)
         await applyProducts(this.$store);
 
         this.rows = await this.$store.dispatch('cluster/findAll', {

From fc6d24aae667493c7f4d2ab79c5d9875961a0318 Mon Sep 17 00:00:00 2001
From: Richard Cox <richard.cox@suse.com>
Date: Thu, 4 Feb 2021 09:49:49 +0000
Subject: [PATCH 04/13] Gate fetching of group principals on user's ability to
 fetch global roles & bindings - This avoids ugly exceptions

---
 config/product/auth.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config/product/auth.js b/config/product/auth.js
index bd30b644d8..aeb6c37c2f 100644
--- a/config/product/auth.js
+++ b/config/product/auth.js
@@ -49,10 +49,22 @@ export function init(store) {
       }
     ],
     getInstances: async() => {
+      const schemaCan = (schema, type, verb) => schema?.[type]?.indexOf(verb) >= 0;
+
+      // Determine if the user can get fetch global roles & global role bindings
+      const canFetchGlobalRoles = schemaCan(store.getters[`management/schemaFor`](RBAC.GLOBAL_ROLE), 'collectionMethods', 'GET' );
+      const canFetchGlobalRoleBindings = schemaCan(store.getters[`management/schemaFor`](RBAC.GLOBAL_ROLE_BINDING), 'collectionMethods', 'GET' );
+
+      if (!canFetchGlobalRoles || !canFetchGlobalRoleBindings) {
+        return [];
+      }
+
+      // Groups are a list of principals filtered via those that have group roles bound to them
       const principals = await store.dispatch('rancher/findAll', {
         type: NORMAN.PRINCIPAL,
         opt:  { url: '/v3/principals' }
       });
+
       const globalRoleBindings = await store.dispatch('management/findAll', {
         type: RBAC.GLOBAL_ROLE_BINDING,
         opt:  { force: true }

From 52114e81b4f7f6cb5653167d5aa85bc205ba2a2c Mon Sep 17 00:00:00 2001
From: Richard Cox <richard.cox@suse.com>
Date: Thu, 4 Feb 2021 11:23:34 +0000
Subject: [PATCH 05/13] Hide `Refresh Group Membership` if has not access to
 underlying action

---
 list/group.principal.vue | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/list/group.principal.vue b/list/group.principal.vue
index 8354897eb2..d555ddd232 100644
--- a/list/group.principal.vue
+++ b/list/group.principal.vue
@@ -29,11 +29,16 @@ export default {
     const principals = await this.$store.dispatch('rancher/findAll', { type: NORMAN.PRINCIPAL, opt: { url: '/v3/principals' } });
 
     this.hasGroups = principals.filter(principal => principal.principalType === 'group')?.length;
+
+    const userSchema = this.$store.getters[`rancher/schemaFor`](NORMAN.USER);
+
+    this.canRefresh = !!userSchema.collectionActions?.refreshauthprovideraccess;
   },
   data() {
     return {
       rows:           null,
       hasGroups:      false,
+      canRefresh:     false,
       assignLocation:  {
         path:   `/c/local/${ NAME }/${ NORMAN.SPOOFED.GROUP_PRINCIPAL }/assign-edit`,
         query: { [MODE]: _EDIT }
@@ -78,6 +83,7 @@ export default {
     >
       <template slot="extraActions">
         <AsyncButton
+          v-if="canRefresh"
           mode="refresh"
           :action-label="t('authGroups.actions.refresh')"
           :waiting-label="t('authGroups.actions.refresh')"

From 302170b5f985d83d35d72ca368d3256612d64287 Mon Sep 17 00:00:00 2001
From: Richard Cox <richard.cox@suse.com>
Date: Fri, 5 Feb 2021 09:46:30 +0000
Subject: [PATCH 06/13] Update refresh permissions - made the global role &
 binding schema checks clearer (will not be available, rather than available
 with specific collection method) - fixed the checkf for
 refreshauthprovideraccess (schema itself won't change, so copy from ember)

---
 config/product/auth.js   | 8 +++-----
 list/group.principal.vue | 5 ++---
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/config/product/auth.js b/config/product/auth.js
index aeb6c37c2f..980f80a9aa 100644
--- a/config/product/auth.js
+++ b/config/product/auth.js
@@ -49,11 +49,9 @@ export function init(store) {
       }
     ],
     getInstances: async() => {
-      const schemaCan = (schema, type, verb) => schema?.[type]?.indexOf(verb) >= 0;
-
-      // Determine if the user can get fetch global roles & global role bindings
-      const canFetchGlobalRoles = schemaCan(store.getters[`management/schemaFor`](RBAC.GLOBAL_ROLE), 'collectionMethods', 'GET' );
-      const canFetchGlobalRoleBindings = schemaCan(store.getters[`management/schemaFor`](RBAC.GLOBAL_ROLE_BINDING), 'collectionMethods', 'GET' );
+      // Determine if the user can get fetch global roles & global role bindings. If not there's not much point in showing the table
+      const canFetchGlobalRoles = !!store.getters[`management/schemaFor`](RBAC.GLOBAL_ROLE);
+      const canFetchGlobalRoleBindings = !!store.getters[`management/schemaFor`](RBAC.GLOBAL_ROLE_BINDING);
 
       if (!canFetchGlobalRoles || !canFetchGlobalRoleBindings) {
         return [];
diff --git a/list/group.principal.vue b/list/group.principal.vue
index d555ddd232..167a0a6e02 100644
--- a/list/group.principal.vue
+++ b/list/group.principal.vue
@@ -30,9 +30,8 @@ export default {
 
     this.hasGroups = principals.filter(principal => principal.principalType === 'group')?.length;
 
-    const userSchema = this.$store.getters[`rancher/schemaFor`](NORMAN.USER);
-
-    this.canRefresh = !!userSchema.collectionActions?.refreshauthprovideraccess;
+    this.canRefresh = await this.$store.dispatch('rancher/request', { url: '/v3/users?limit=0' })
+      .then(res => !!res?.actions?.refreshauthprovideraccess);
   },
   data() {
     return {

From d9b6a095793596bd405eaaaa19e6b29ecca48f25 Mon Sep 17 00:00:00 2001
From: Nancy Butler <42977925+mantis-toboggan-md@users.noreply.github.com>
Date: Thu, 4 Feb 2021 08:23:20 -0700
Subject: [PATCH 07/13] fix endpoints table formatter

---
 assets/translations/en-us.yaml              |  1 +
 components/formatter/Endpoints.vue          | 69 ++++++++++++---------
 components/formatter/InternalExternalIP.vue |  9 +--
 components/formatter/ServiceTargets.vue     |  3 +-
 components/formatter/WorkloadEndpoints.vue  | 26 --------
 config/table-headers.js                     | 10 +--
 list/service.vue                            | 43 +++++++++++++
 list/workload.vue                           | 10 ++-
 models/workload.js                          | 14 ++---
 9 files changed, 113 insertions(+), 72 deletions(-)
 delete mode 100644 components/formatter/WorkloadEndpoints.vue
 create mode 100644 list/service.vue

diff --git a/assets/translations/en-us.yaml b/assets/translations/en-us.yaml
index 85e7571762..535aa01bfa 100644
--- a/assets/translations/en-us.yaml
+++ b/assets/translations/en-us.yaml
@@ -1796,6 +1796,7 @@ serviceTypes:
   nodeport: Node Port
 
 servicesPage:
+  anyNode: Any Node
   labelsAnnotations:
     label: Labels & Annotations
   affinity:
diff --git a/components/formatter/Endpoints.vue b/components/formatter/Endpoints.vue
index 89b0826406..f3ee18e024 100644
--- a/components/formatter/Endpoints.vue
+++ b/components/formatter/Endpoints.vue
@@ -1,4 +1,5 @@
 <script>
+import { NODE } from '@/config/types';
 
 export default {
   props: {
@@ -17,49 +18,54 @@ export default {
   },
 
   computed: {
+    nodes() {
+      return this.$store.getters['cluster/all'](NODE);
+    },
     // value may be JSON from "field.cattle.io/publicEndpoints" label
     parsed() {
+      const nodes = this.nodes;
+      const nodeWithExternal = nodes.find(node => !!node.externalIp) || {};
+      const externalIp = nodeWithExternal.externalIp;
+
       if ( this.value && this.value.length ) {
         let out ;
 
         try {
           out = JSON.parse(this.value);
+          out.forEach((endpoint) => {
+            let protocol = 'http';
+
+            if (endpoint.port === 443) {
+              protocol = 'https';
+            }
+
+            if (endpoint.addresses) {
+              endpoint.link = `${ protocol }://${ endpoint.addresses[0] }:${ endpoint.port }`;
+            } else if (externalIp) {
+              endpoint.link = `${ protocol }://${ externalIp }:${ endpoint.port }`;
+            } else {
+              endpoint.display = `[${ this.t('servicesPage.anyNode') }]:${ endpoint.port }`;
+            }
+          });
+
+          return out;
         } catch (err) {
           return this.value[0];
         }
-
-        return out;
       }
 
       return null;
     },
-    bestLink() {
-      if (this.parsed && this.parsed.length ) {
-        if (this.parsed[0].addresses) {
-          let protocol = 'http';
-
-          if (this.parsed[0].port === 443) {
-            protocol = 'https';
-          }
-
-          return `${ protocol }://${ this.parsed[0].addresses[0] }:${ this.parsed[0].port }`;
-        }
-
-        return this.parsed;
-      } else {
-        return null;
-      }
-    },
 
     protocol() {
-      const link = this.bestLink;
+      const { parsed } = this;
 
-      if ( link) {
+      if ( parsed) {
         if (this.parsed[0].protocol) {
           return this.parsed[0].protocol;
         }
 
-        const match = link.match(/^([^:]+):\/\//);
+        const match = parsed.match(/^([^:]+):\/\//);
 
         if ( match ) {
           return match[1];
@@ -76,11 +82,18 @@ export default {
 
 <template>
   <span>
-    <a v-if="bestLink" :href="bestLink" target="_blank" rel="nofollow noopener noreferrer">
-      <span v-if="parsed[0].port">{{ parsed[0].port }}/</span>{{ protocol }}
-    </a>
-    <span v-else class="text-muted">
-      &mdash;
-    </span>
+    <template v-for="endpoint in parsed">
+      <span v-if="endpoint.display" :key="endpoint.display" class="block">{{ endpoint.display }}</span>
+      <a
+        v-else
+        :key="endpoint.link"
+        class="block"
+        :href="endpoint.link"
+        target="_blank"
+        rel="nofollow noopener noreferrer"
+      >
+        <span v-if="endpoint.port">{{ endpoint.port }}/</span>{{ endpoint.protocol }}
+      </a>
+    </template>
   </span>
 </template>
diff --git a/components/formatter/InternalExternalIP.vue b/components/formatter/InternalExternalIP.vue
index 75e80287da..152cb5e887 100644
--- a/components/formatter/InternalExternalIP.vue
+++ b/components/formatter/InternalExternalIP.vue
@@ -1,7 +1,7 @@
 <script>
 import { isV4Format, isV6Format } from 'ip';
 import CopyToClipboard from '@/components/CopyToClipboard';
-
+import { mapGetters } from 'vuex';
 export default {
   components: { CopyToClipboard },
   props:      {
@@ -13,7 +13,8 @@ export default {
   computed: {
     showBoth() {
       return this.row.internalIp !== this.row.externalIp;
-    }
+    },
+    ...mapGetters({ t: 'i18n/t' })
   },
   methods: {
     isIp(ip) {
@@ -29,7 +30,7 @@ export default {
       {{ row.externalIp }} <CopyToClipboard label-as="tooltip" :text="row.externalIp" class="icon-btn" action-color="bg-transparent" />
     </template>
     <template v-else>
-      {{ t('internalExternalIp.none') }}
+      {{ t('internalExternalIP.none') }}
     </template>
 
     <template v-if="showBoth">
@@ -37,7 +38,7 @@ export default {
         / {{ row.internalIp }} <CopyToClipboard label-as="tooltip" :text="row.internalIp" class="icon-btn" action-color="bg-transparent" />
       </template>
       <template v-else>
-        {{ t('internalExternalIp.none') }}
+        {{ t('internalExternalIP.none') }}
       </template>
     </template>
   </span>
diff --git a/components/formatter/ServiceTargets.vue b/components/formatter/ServiceTargets.vue
index af5eafd0ad..b9d7e990f6 100644
--- a/components/formatter/ServiceTargets.vue
+++ b/components/formatter/ServiceTargets.vue
@@ -1,8 +1,8 @@
 <script>
 import isEmpty from 'lodash/isEmpty';
 import { CATTLE_PUBLIC_ENDPOINTS } from '@/config/labels-annotations';
-import has from 'lodash/has';
 import Endpoints from '@/components/formatter/Endpoints';
+import has from 'lodash/has';
 
 export default {
   components: { Endpoints },
@@ -31,6 +31,7 @@ export default {
 
       return false;
     },
+
     parsed() {
       const { row, hasPublic } = this;
       const {
diff --git a/components/formatter/WorkloadEndpoints.vue b/components/formatter/WorkloadEndpoints.vue
deleted file mode 100644
index 75c244a3cd..0000000000
--- a/components/formatter/WorkloadEndpoints.vue
+++ /dev/null
@@ -1,26 +0,0 @@
-<script>
-export default {
-  props: {
-    value: {
-      type:     String,
-      required: true
-    }
-  },
-
-  data() {
-    const endpoints = this.value.split(',');
-
-    return { endpoints };
-  }
-};
-</script>
-
-<template>
-  <span>
-    <template v-for="endpoint in endpoints">
-      <span v-if="endpoint==='<none>'" :key="endpoint">{{ endpoint }}</span>
-      <a v-else :key="endpoint" rel="nofollow noopener noreferrer" target="_blank" :href="`//${endpoint}`">{{ endpoint }}</a>
-      <br :key="endpoint+'br'" />
-    </template>
-  </span>
-</template>
diff --git a/config/table-headers.js b/config/table-headers.js
index e51c9f8b10..7c58abef0c 100644
--- a/config/table-headers.js
+++ b/config/table-headers.js
@@ -1,3 +1,4 @@
+import { CATTLE_PUBLIC_ENDPOINTS } from '@/config/labels-annotations';
 import { NODE as NODE_TYPE } from '@/config/types';
 
 // Note: 'id' is always the last sort, so you don't have to specify it here.
@@ -598,10 +599,11 @@ export const WORKSPACE = {
 export const WORKLOAD_IMAGES = { ...POD_IMAGES, value: '' };
 
 export const WORKLOAD_ENDPOINTS = {
-  name:      'workloadEndpoints',
-  labelKey:  'tableHeaders.endpoints',
-  value:     'endpoints',
-  formatter: 'WorkloadEndpoints'
+  name:        'workloadEndpoints',
+  labelKey:    'tableHeaders.endpoints',
+  value:       `$['metadata']['annotations']['${ CATTLE_PUBLIC_ENDPOINTS }']`,
+  formatter:   'Endpoints',
+  dashIfEmpty: true,
 };
 
 export const FLEET_SUMMARY = {
diff --git a/list/service.vue b/list/service.vue
new file mode 100644
index 0000000000..abd85952a5
--- /dev/null
+++ b/list/service.vue
@@ -0,0 +1,43 @@
+<script>
+import ResourceTable from '@/components/ResourceTable';
+import Loading from '@/components/Loading';
+import { NODE } from '@/config/types';
+import { allHash } from '@/utils/promise';
+
+export default {
+  name:       'ListService',
+  components: { Loading, ResourceTable },
+  // fetch nodes before loading this page, as they may be referenced in the Target table column
+  async fetch() {
+    const store = this.$store;
+    const inStore = store.getters['currentProduct'].inStore;
+    let hasNodes = false;
+
+    try {
+      const schema = store.getters[`${ inStore }/schemaFor`](NODE);
+
+      if (schema) {
+        hasNodes = true;
+      }
+    } catch {}
+
+    const hash = { rows: store.dispatch(`${ inStore }/findAll`, { type: this.$attrs.resource }) };
+
+    if (hasNodes) {
+      hash.nodes = store.dispatch(`${ inStore }/findAll`, { type: NODE });
+    }
+    const res = await allHash(hash);
+
+    this.rows = res.rows;
+  },
+
+  data() {
+    return { rows: [] };
+  }
+};
+</script>
+
+<template>
+  <Loading v-if="$fetchState.pending" />
+  <ResourceTable v-else :schema="$attrs.schema" :rows="rows" :headers="$attrs.headers" :group-by="$attrs.groupBy" />
+</template>
diff --git a/list/workload.vue b/list/workload.vue
index baf1b1618b..4ecb194a79 100644
--- a/list/workload.vue
+++ b/list/workload.vue
@@ -1,6 +1,6 @@
 <script>
 import ResourceTable from '@/components/ResourceTable';
-import { WORKLOAD_TYPES, SCHEMA, ENDPOINTS } from '@/config/types';
+import { WORKLOAD_TYPES, SCHEMA, NODE } from '@/config/types';
 import Loading from '@/components/Loading';
 
 const schema = {
@@ -18,7 +18,13 @@ export default {
   components: { Loading, ResourceTable },
 
   async fetch() {
-    this.$store.dispatch('cluster/findAll', { type: ENDPOINTS });
+    try {
+      const schema = this.$store.getters[`cluster/schemaFor`](NODE);
+
+      if (schema) {
+        this.$store.dispatch('cluster/findAll', { type: NODE });
+      }
+    } catch {}
 
     let resources;
 
diff --git a/models/workload.js b/models/workload.js
index ec3ddbed43..998f2cb9ca 100644
--- a/models/workload.js
+++ b/models/workload.js
@@ -1,7 +1,7 @@
 import { insertAt } from '@/utils/array';
 import { TARGET_WORKLOADS, TIMESTAMP, UI_MANAGED } from '@/config/labels-annotations';
 import { WORKLOAD_TYPES, POD, ENDPOINTS, SERVICE } from '@/config/types';
-import { get, set } from '@/utils/object';
+import { clone, get, set } from '@/utils/object';
 import day from 'dayjs';
 import { _CREATE } from '@/config/query-params';
 
@@ -296,8 +296,6 @@ export default {
     }
   },
 
-  // 30422
-
   // create clusterip, nodeport, loadbalancer services from container port spec
   servicesFromContainerPorts() {
     return async(mode) => {
@@ -391,10 +389,12 @@ export default {
           case 'NodePort':
             nodePort.spec.ports.push(portSpec);
             break;
-          case 'LoadBalancer':
-            portSpec.port = port._lbPort;
-            loadBalancer.spec.ports.push(portSpec);
-            break;
+          case 'LoadBalancer': {
+            const lbPort = clone(portSpec);
+
+            lbPort.port = port._lbPort;
+            loadBalancer.spec.ports.push(lbPort);
+            break; }
           default:
             break;
           }

From ff73a6471467dcb2ea63e8821b44873bb0bf1270 Mon Sep 17 00:00:00 2001
From: Nancy Butler <42977925+mantis-toboggan-md@users.noreply.github.com>
Date: Thu, 4 Feb 2021 12:56:18 -0700
Subject: [PATCH 08/13] remove unused workload endpoints

---
 models/workload.js | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/models/workload.js b/models/workload.js
index 998f2cb9ca..282cf47708 100644
--- a/models/workload.js
+++ b/models/workload.js
@@ -1,6 +1,6 @@
 import { insertAt } from '@/utils/array';
 import { TARGET_WORKLOADS, TIMESTAMP, UI_MANAGED } from '@/config/labels-annotations';
-import { WORKLOAD_TYPES, POD, ENDPOINTS, SERVICE } from '@/config/types';
+import { WORKLOAD_TYPES, POD, SERVICE } from '@/config/types';
 import { clone, get, set } from '@/utils/object';
 import day from 'dayjs';
 import { _CREATE } from '@/config/query-params';
@@ -286,16 +286,6 @@ export default {
     };
   },
 
-  endpoints() {
-    const endpoints = this.$rootGetters['cluster/byId'](ENDPOINTS, this.id);
-
-    if (endpoints) {
-      const out = endpoints.metadata.fields[1];
-
-      return out;
-    }
-  },
-
   // create clusterip, nodeport, loadbalancer services from container port spec
   servicesFromContainerPorts() {
     return async(mode) => {

From bd55c4a43460aa4dc686f94ab4430980099b8560 Mon Sep 17 00:00:00 2001
From: Nancy Butler <42977925+mantis-toboggan-md@users.noreply.github.com>
Date: Fri, 5 Feb 2021 07:20:46 -0700
Subject: [PATCH 09/13] fix edit secret type display

---
 edit/secret.vue | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/edit/secret.vue b/edit/secret.vue
index aa1563fce1..41d1a9b226 100644
--- a/edit/secret.vue
+++ b/edit/secret.vue
@@ -1,5 +1,5 @@
 <script>
-import { TYPES, DISPLAY_TYPES } from '@/models/secret';
+import { TYPES } from '@/models/secret';
 import { base64Encode, base64Decode } from '@/utils/crypto';
 import { NAMESPACE } from '@/config/types';
 import CreateEditView from '@/mixins/create-edit-view';
@@ -112,9 +112,11 @@ export default {
       const out = [];
 
       this.types.forEach((type) => {
+        const displayType = this.typeDisplay(type);
+
         const subtype = {
           id:          type,
-          label:       DISPLAY_TYPES[type] || '',
+          label:       displayType,
           bannerAbbrv: this.initialDisplayFor(type)
         };
 
@@ -245,12 +247,18 @@ export default {
 
     selectType(type) {
       this.$set(this.value, '_type', type);
-      this.$emit('set-subtype', DISPLAY_TYPES[type]);
+      this.$emit('set-subtype', this.typeDisplay(type));
+    },
+
+    typeDisplay(type) {
+      const fallback = type.replace(/^kubernetes.io\//, '');
+
+      return this.$store.getters['i18n/withFallback'](`secret.types."${ type }"`, null, fallback);
     },
 
     // TODO icons for secret types?
     initialDisplayFor(type) {
-      const typeDisplay = DISPLAY_TYPES[type];
+      const typeDisplay = this.typeDisplay(type);
 
       return typeDisplay.split('').filter(letter => letter.match(/[A-Z]/)).join('');
     },

From bf0bee500f36149daf46f3ce4dfa0ca4d13e765d Mon Sep 17 00:00:00 2001
From: Nancy Butler <42977925+mantis-toboggan-md@users.noreply.github.com>
Date: Fri, 5 Feb 2021 11:42:41 -0700
Subject: [PATCH 10/13] only show remediation for fail/warn cis scan results

---
 detail/cis.cattle.io.clusterscan.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detail/cis.cattle.io.clusterscan.vue b/detail/cis.cattle.io.clusterscan.vue
index 73af2b2254..baf6664334 100644
--- a/detail/cis.cattle.io.clusterscan.vue
+++ b/detail/cis.cattle.io.clusterscan.vue
@@ -293,7 +293,7 @@ export default {
         <template #sub-row="{row, fullColspan}">
           <tr>
             <td :colspan="fullColspan">
-              <Banner v-if="row.remediation" class="sub-banner" :label="remediationDisplay(row)" color="warning" />
+              <Banner v-if="(row.state==='fail' || row.state==='warn')&& row.remediation" class="sub-banner" :label="remediationDisplay(row)" color="warning" />
               <SortableTable
                 class="sub-table"
                 :rows="row.nodeRows"

From e4fd49f0548d55818dbc84db07e3c1b14d67fd80 Mon Sep 17 00:00:00 2001
From: Richard Cox <ricox@suse.com>
Date: Mon, 8 Feb 2021 16:32:22 +0000
Subject: [PATCH 11/13] Prompt Remove: Only enable Delete button when delete is
 valid

- Previously button was enabled when confirm value was invalid and warned on submit
- We now only enable the button when all resources can be deleted and the confirm value is valid
- Also fix translation for missing Internal/External IP value in Node table
---
 components/PromptRemove.vue                 | 39 +++++++++++----------
 components/formatter/InternalExternalIP.vue |  4 +--
 2 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/components/PromptRemove.vue b/components/PromptRemove.vue
index 30f890054b..abee7cd264 100644
--- a/components/PromptRemove.vue
+++ b/components/PromptRemove.vue
@@ -106,6 +106,12 @@ export default {
       return this.t('promptRemove.protip', { alternateLabel });
     },
 
+    deleteDisabled() {
+      const confirmFailed = this.needsConfirm && this.confirmName !== this.names[0];
+
+      return this.preventDelete || confirmFailed;
+    },
+
     ...mapState('action-menu', ['showPromptRemove', 'toRemove']),
     ...mapGetters({ t: 'i18n/t' })
   },
@@ -155,25 +161,20 @@ export default {
     },
 
     remove(btnCB) {
-      if (this.needsConfirm && this.confirmName !== this.names[0]) {
-        this.error = 'Resource names do not match';
-        btnCB(false);
-        // if doneLocation is defined, redirect after deleting
+      // if doneLocation is defined, redirect after deleting
+      let goTo;
+
+      if (this.doneLocation) {
+        // doneLocation will recompute to undefined when delete request completes
+        goTo = { ...this.doneLocation };
+      }
+
+      const serialRemove = this.toRemove.some(resource => resource.removeSerially);
+
+      if (serialRemove) {
+        this.serialRemove(goTo, btnCB);
       } else {
-        let goTo;
-
-        if (this.doneLocation) {
-          // doneLocation will recompute to undefined when delete request completes
-          goTo = { ...this.doneLocation };
-        }
-
-        const serialRemove = this.toRemove.some(resource => resource.removeSerially);
-
-        if (serialRemove) {
-          this.serialRemove(goTo, btnCB);
-        } else {
-          this.parallelRemove(goTo, btnCB);
-        }
+        this.parallelRemove(goTo, btnCB);
       }
     },
 
@@ -269,7 +270,7 @@ export default {
         <button class="btn role-secondary" @click="close">
           Cancel
         </button>
-        <AsyncButton mode="delete" class="btn bg-error ml-10" :disabled="preventDelete" @click="remove" />
+        <AsyncButton mode="delete" class="btn bg-error ml-10" :disabled="deleteDisabled" @click="remove" />
       </template>
     </Card>
   </modal>
diff --git a/components/formatter/InternalExternalIP.vue b/components/formatter/InternalExternalIP.vue
index 75e80287da..15cc711019 100644
--- a/components/formatter/InternalExternalIP.vue
+++ b/components/formatter/InternalExternalIP.vue
@@ -29,7 +29,7 @@ export default {
       {{ row.externalIp }} <CopyToClipboard label-as="tooltip" :text="row.externalIp" class="icon-btn" action-color="bg-transparent" />
     </template>
     <template v-else>
-      {{ t('internalExternalIp.none') }}
+      {{ t('generic.none') }}
     </template>
 
     <template v-if="showBoth">
@@ -37,7 +37,7 @@ export default {
         / {{ row.internalIp }} <CopyToClipboard label-as="tooltip" :text="row.internalIp" class="icon-btn" action-color="bg-transparent" />
       </template>
       <template v-else>
-        {{ t('internalExternalIp.none') }}
+        {{ t('generic.none') }}
       </template>
     </template>
   </span>

From f51396e8a6604ac5730cf7ffd726d178de52cd6b Mon Sep 17 00:00:00 2001
From: Neil MacDougall <neil.macdougall@suse.com>
Date: Tue, 9 Feb 2021 11:13:00 +0000
Subject: [PATCH 12/13] Change the port number when the user changes the TLS
 setting

---
 edit/auth/ldap/config.vue | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/edit/auth/ldap/config.vue b/edit/auth/ldap/config.vue
index c0bbbd12e5..3dcddcbf64 100644
--- a/edit/auth/ldap/config.vue
+++ b/edit/auth/ldap/config.vue
@@ -6,6 +6,9 @@ import UnitInput from '@/components/form/UnitInput';
 import Banner from '@/components/Banner';
 import FileSelector from '@/components/form/FileSelector';
 
+const DEFAULT_NON_TLS_PORT = 389;
+const DEFAULT_TLS_PORT = 636;
+
 export default {
   components: {
     RadioGroup,
@@ -59,6 +62,17 @@ export default {
       if (neu) {
         this.model.starttls = false;
       }
+
+      const expectedCurrentDefault = neu ? DEFAULT_NON_TLS_PORT : DEFAULT_TLS_PORT;
+      const newDefault = neu ? DEFAULT_TLS_PORT : DEFAULT_NON_TLS_PORT;
+
+      // Note: The defualt port value is a number
+      // If the user edits this value, the type will be a string
+      // Thus, we will only change the value when the user toggles the TLS flag if they have
+      // NOT edited the port value in any way
+      if (this.model.port === expectedCurrentDefault) {
+        this.value.port = newDefault;
+      }
     }
   }
 

From 7a986578b218b48d554074754827e73030322269 Mon Sep 17 00:00:00 2001
From: Nancy Butler <42977925+mantis-toboggan-md@users.noreply.github.com>
Date: Thu, 4 Feb 2021 08:51:01 -0700
Subject: [PATCH 13/13] do not logout/redirect on auth failure with 401

auth cleanup, edit config btn

hide entityid for okta
---
 edit/auth/github.vue                   | 5 ++++-
 edit/auth/googleoauth.vue              | 5 ++++-
 edit/auth/ldap/index.vue               | 5 ++++-
 edit/auth/saml.vue                     | 8 +++++---
 mixins/auth-config.js                  | 7 ++++++-
 pages/auth/login.vue                   | 3 ++-
 pages/auth/verify.vue                  | 4 ++--
 pages/c/_cluster/auth/config/_id.vue   | 2 +-
 pages/c/_cluster/auth/config/index.vue | 3 ++-
 9 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/edit/auth/github.vue b/edit/auth/github.vue
index 9afbfea9d1..43a4595a9f 100644
--- a/edit/auth/github.vue
+++ b/edit/auth/github.vue
@@ -155,12 +155,15 @@ export default {
       @finish="save"
       @cancel="done"
     >
-      <template v-if="model.enabled && !isSaving">
+      <template v-if="model.enabled && !isEnabling && !editConfig">
         <Banner color="success clearfix">
           <div class="pull-left mt-10">
             {{ t('authConfig.stateBanner.enabled', tArgs) }}
           </div>
           <div class="pull-right">
+            <button type="button" class="btn-sm role-primary" @click="goToEdit">
+              {{ t('action.edit') }}
+            </button>
             <AsyncButton mode="disable" size="sm" action-color="bg-error" @click="disable" />
           </div>
         </Banner>
diff --git a/edit/auth/googleoauth.vue b/edit/auth/googleoauth.vue
index 09e6e363d1..e835f48ee2 100644
--- a/edit/auth/googleoauth.vue
+++ b/edit/auth/googleoauth.vue
@@ -84,12 +84,15 @@ export default {
       @finish="save"
       @cancel="done"
     >
-      <template v-if="model.enabled && !isEnabling">
+      <template v-if="model.enabled && !isEnabling && !editConfig">
         <Banner color="success clearfix">
           <div class="pull-left mt-10">
             {{ t('authConfig.stateBanner.enabled', tArgs) }}
           </div>
           <div class="pull-right">
+            <button type="button" class="btn-sm role-primary" @click="goToEdit">
+              {{ t('action.edit') }}
+            </button>
             <AsyncButton mode="disable" size="sm" action-color="bg-error" @click="disable" />
           </div>
         </Banner>
diff --git a/edit/auth/ldap/index.vue b/edit/auth/ldap/index.vue
index 968624a6b8..b6a08c7b41 100644
--- a/edit/auth/ldap/index.vue
+++ b/edit/auth/ldap/index.vue
@@ -86,12 +86,15 @@ export default {
       @finish="save"
       @cancel="done"
     >
-      <template v-if="model.enabled && !isEnabling">
+      <template v-if="model.enabled && !isEnabling && !editConfig">
         <Banner color="success clearfix">
           <div class="pull-left mt-10">
             {{ t('authConfig.stateBanner.enabled', tArgs) }}
           </div>
           <div class="pull-right">
+            <button type="button" class="btn-sm role-primary" @click="goToEdit">
+              {{ t('action.edit') }}
+            </button>
             <AsyncButton mode="disable" size="sm" action-color="bg-error" @click="disable" />
           </div>
         </Banner>
diff --git a/edit/auth/saml.vue b/edit/auth/saml.vue
index f893bf447a..a649561d92 100644
--- a/edit/auth/saml.vue
+++ b/edit/auth/saml.vue
@@ -76,12 +76,15 @@ export default {
       @finish="save"
       @cancel="done"
     >
-      <template v-if="model.enabled && !isEnabling">
+      <template v-if="model.enabled && !isEnabling && !editConfig">
         <Banner color="success clearfix">
           <div class="pull-left mt-10">
             {{ t('authConfig.stateBanner.enabled', tArgs) }}
           </div>
           <div class="pull-right">
+            <button type="button" class="btn-sm role-primary" @click="goToEdit">
+              {{ t('action.edit') }}
+            </button>
             <AsyncButton mode="disable" size="sm" action-color="bg-error" @click="disable" />
           </div>
         </Banner>
@@ -138,12 +141,11 @@ export default {
           </div>
         </div>
         <div class="row mb-20">
-          <div class="col span-6">
+          <div v-if="NAME !== 'okta'" class="col span-6">
             <LabeledInput
               v-model="model.entityID"
               :label="t(`authConfig.saml.entityID`)"
               :mode="mode"
-              required
             />
           </div>
           <div class="col span-6">
diff --git a/mixins/auth-config.js b/mixins/auth-config.js
index 824644f63e..4ddf6d1c27 100644
--- a/mixins/auth-config.js
+++ b/mixins/auth-config.js
@@ -25,6 +25,11 @@ export default {
       this.model.openLdapConfig = {};
       this.showLdap = false;
     }
+    if (this.value.configType === 'saml') {
+      if (!this.model.rancherApiHost || !this.model.rancherApiHost.length) {
+        this.$set(this.model, 'rancherApiHost', this.serverUrl);
+      }
+    }
   },
 
   data() {
@@ -108,7 +113,7 @@ export default {
             if (!this.model.accessMode) {
               this.model.accessMode = 'unrestricted';
             }
-            await this.model.doAction('testAndApply', obj);
+            await this.model.doAction('testAndApply', obj, { redirectUnauthorized: false });
           }
           // Reload principals to get the new ones from the provider
           this.principals = await this.$store.dispatch('rancher/findAll', {
diff --git a/pages/auth/login.vue b/pages/auth/login.vue
index f89a444e2c..9c48d0b7a5 100644
--- a/pages/auth/login.vue
+++ b/pages/auth/login.vue
@@ -127,12 +127,13 @@ export default {
           }
         });
         if ( this.remember ) {
-          this.$cookies.set(USERNAME, this.username, {
+          this.$cookies.set(USERNAME, this.username,{
             encode: x => x,
             maxAge: 86400 * 365,
             secure: true,
             path:   '/',
           });
+          
         } else {
           this.$cookies.remove(USERNAME);
         }
diff --git a/pages/auth/verify.vue b/pages/auth/verify.vue
index e304617cff..3119c45a1c 100644
--- a/pages/auth/verify.vue
+++ b/pages/auth/verify.vue
@@ -60,9 +60,9 @@ export default {
         window.close();
       }
     } else {
-      const { params, query } = this.$route;
+      const { query } = this.$route;
 
-      if ( window.opener && !get(params, 'login') && !get(params, 'errorCode') ) {
+      if ( window.opener ) {
         const configQuery = get(query, 'config');
 
         if ( samlProviders.includes(configQuery) ) {
diff --git a/pages/c/_cluster/auth/config/_id.vue b/pages/c/_cluster/auth/config/_id.vue
index 3866d45770..dd3d2e56a5 100644
--- a/pages/c/_cluster/auth/config/_id.vue
+++ b/pages/c/_cluster/auth/config/_id.vue
@@ -10,7 +10,7 @@ export default {
     AUTH_CONFIG() {
       return MANAGEMENT.AUTH_CONFIG;
     }
-  }
+  },
 };
 </script>
 
diff --git a/pages/c/_cluster/auth/config/index.vue b/pages/c/_cluster/auth/config/index.vue
index 7411d44798..5c04fc7c42 100644
--- a/pages/c/_cluster/auth/config/index.vue
+++ b/pages/c/_cluster/auth/config/index.vue
@@ -15,7 +15,8 @@ export default {
     if ( enabled.length === 1 ) {
       redirect({
         name:   'c-cluster-auth-config-id',
-        params: { id: enabled[0].id }
+        params: { id: enabled[0].id },
+        query:  { mode: _EDIT }
       });
 
       return { nonLocal };