Setup
- Rancher version: v2.13.3
- Rancher UI Extensions: N/A
- Browser type & version: Chrome (latest)
Describe the bug
The Project Membership tab under Cluster and Project Members displays far fewer role bindings than actually exist. The problem scales with the size of the Rancher installation — the more clusters, projects, and role assignments there are, the worse the display becomes. In large installations the tab can appear almost completely empty even when hundreds of assignments exist.
Additionally, projects that have no role bindings assigned yet do not appear at all in the table (they should appear as group headers with a "No roles assigned" message).
To Reproduce
- Manage 10+ clusters in Rancher, each with 10+ projects and 3+ role bindings per project per member
- Navigate to any cluster → Cluster and Project Members → Project Membership tab
- Observe that far fewer role bindings are shown than exist
- Observe that projects with no role assignments are completely absent from the table
The issue is worst when the total count of ProjectRoleTemplateBinding objects across all clusters exceeds ~5,000.
Result
Only a small fraction of role bindings are visible. Projects without any role bindings do not appear in the table at all.
Expected Result
The Project Membership tab shows all role bindings that exist for the current cluster's projects. Projects with no role bindings appear as group headers with a "No roles assigned" row.
Screenshots
N/A
Additional context
Three co-dependent root causes in shell/components/ExplorerMembers.vue and shell/config/product/explorer.js:
1. Unscoped global fetch — the component fetches all Norman projectRoleTemplateBinding (PRTB) resources across every cluster with no filter, then filters client-side. With 65 clusters the API returns only the first ~200 of 5,000+ global PRTBs — of which perhaps 10–20 belong to the current cluster.
2. Conditional depagination suppressed at scale — explorer.js uses configureConditionalDepaginate with maxResourceCount: 5000 for Norman PRTBs. This returns false (don't follow pages) when the global count is ≥ 5,000, which is exactly when scoping is needed most. The two problems combine: pagination is suppressed at the exact scale where scoping matters most.
3. Projects without role bindings silently dropped — rowsWithFakeProjects spreads placeholder rows for empty projects into the reduce accumulator, but they are immediately dropped by an early-return guard (if (!userOrGroup) return rows) because placeholder rows have no userId/groupPrincipalId. They never reach Object.values(userRoles).
Fix tracked in #17814.
Setup
Describe the bug
The Project Membership tab under Cluster and Project Members displays far fewer role bindings than actually exist. The problem scales with the size of the Rancher installation — the more clusters, projects, and role assignments there are, the worse the display becomes. In large installations the tab can appear almost completely empty even when hundreds of assignments exist.
Additionally, projects that have no role bindings assigned yet do not appear at all in the table (they should appear as group headers with a "No roles assigned" message).
To Reproduce
The issue is worst when the total count of
ProjectRoleTemplateBindingobjects across all clusters exceeds ~5,000.Result
Only a small fraction of role bindings are visible. Projects without any role bindings do not appear in the table at all.
Expected Result
The Project Membership tab shows all role bindings that exist for the current cluster's projects. Projects with no role bindings appear as group headers with a "No roles assigned" row.
Screenshots
N/A
Additional context
Three co-dependent root causes in
shell/components/ExplorerMembers.vueandshell/config/product/explorer.js:1. Unscoped global fetch — the component fetches all Norman
projectRoleTemplateBinding(PRTB) resources across every cluster with no filter, then filters client-side. With 65 clusters the API returns only the first ~200 of 5,000+ global PRTBs — of which perhaps 10–20 belong to the current cluster.2. Conditional depagination suppressed at scale —
explorer.jsusesconfigureConditionalDepaginatewithmaxResourceCount: 5000for Norman PRTBs. This returnsfalse(don't follow pages) when the global count is ≥ 5,000, which is exactly when scoping is needed most. The two problems combine: pagination is suppressed at the exact scale where scoping matters most.3. Projects without role bindings silently dropped —
rowsWithFakeProjectsspreads placeholder rows for empty projects into thereduceaccumulator, but they are immediately dropped by an early-return guard (if (!userOrGroup) return rows) because placeholder rows have nouserId/groupPrincipalId. They never reachObject.values(userRoles).Fix tracked in #17814.