Bug 1277819

Summary: The build strategy that allows only a certain user in a specific project to create builds does not work
Product: OKD
Reporter: zhou ying <yinzhou>
Component: Security
Assignee: David Eads <deads>
Status: CLOSED CURRENTRELEASE
QA Contact: Xiaoli Tian <xtian>
Severity: medium
Priority: medium
Version: 3.x
CC: dmcphers, jialiu, lmeyer, mmccomas, wewang, yinzhou
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-11-23 21:13:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description zhou ying 2015-11-04 06:55:29 UTC
Description of problem:
Create a particular docker build strategy that only allows a certain user in a specific project to create builds, but the user can create builds on all projects with the admin role.

Version-Release number of selected component (if applicable):
openshift v1.0.7-109-g3cf7f3c
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
always

Steps to Reproduce:
1. Remove the docker build strategy resource from the default admin and edit roles;
     `oc edit clusterrole admin`
     `oc edit clusterrole edit`
     
2. Create a separate role for that build strategy:
   $ cat dockerstrategy.yaml
   kind: ClusterRole
   apiVersion: v1
   metadata:
     name: dockerbuilder
   rules:
   - resources:
     - builds/docker
     verbs:
     - create
   $ oc create -f dockerstrategy.yaml
3. Assign the cluster role to an individual user in a project:
   oadm policy add-role-to-user dockerbuilder devuser -n devproject
4. Check the user role.

Actual results:
The user can do docker builds on all projects with the admin role.

Expected results:
The user should only be able to do docker builds in the specific project.

Additional info:
Before adding the dockerbuilder role to devuser, devuser can't do docker builds in any project.

Comment 1 Cesar Wong 2015-11-04 14:56:59 UTC
I cannot reproduce this in my initial attempt. Will try on the latest ami.

Comment 2 Cesar Wong 2015-11-04 15:26:11 UTC
I cannot reproduce this on the latest AWS ami either.

Can you please include the output of:

oc policy who-can create builds/docker -n [project]

before you assign the role to the user and afterwards. Also show it for a project where you did assign the role and one where you didn't.

Comment 3 Cesar Wong 2015-11-04 16:09:42 UTC
Please include the output of the commands for every namespace in your cluster (before and after adding the role to the user):

oc get clusterroles -o yaml
oc get clusterrolebindings -o yaml
oc get roles -o yaml
oc get rolebindings -o yaml

Comment 4 zhou ying 2015-11-05 06:28:34 UTC
In the latest AMI, I also cannot reproduce this; will close this bug.
Before adding the role to the user:
[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouy
Namespace: zhouy
Verb:      create
Resource:  builds/docker

Users:  none

Groups: system:cluster-admins
        system:masters

[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouyt
Namespace: zhouyt
Verb:      create
Resource:  builds/docker

Users:  none

Groups: system:cluster-admins
        system:masters

After adding the role:
[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouyt
Namespace: zhouyt
Verb:      create
Resource:  builds/docker

Users:  devuser
        zhouy

Groups: system:cluster-admins
        system:masters

[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouy
Namespace: zhouy
Verb:      create
Resource:  builds/docker

Users:  none

Groups: system:cluster-admins
        system:masters

Comment 11 David Eads 2015-11-09 15:04:03 UTC
The command `oadm policy add-cluster-role-to-user dockerbuilder devuser -n devproject` grants devuser the power of the dockerbuilder role in the entire cluster, not just the devproject namespace.

If you want to grant him the power only in devproject, try `oadm policy add-role-to-user dockerbuilder devuser -n devproject`

Comment 12 David Eads 2015-11-09 15:05:42 UTC
Looks like your initial steps used the proper command:  

`oadm policy add-role-to-user dockerbuilder devuser -n devproject`

I'm returning back so you can confirm the correctness of behavior before closing
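The distinction in Comment 11 (and the cause of the behaviour in the original steps, if `add-cluster-role-to-user` was used) is where a binding is scoped: a ClusterRoleBinding grants the referenced ClusterRole in every namespace, while a RoleBinding that references the same ClusterRole grants it only inside the binding's own namespace. The following is an added illustration, not OpenShift's authorizer or any code from this bug: a small Python model of that scoping rule, with constructed ClusterRoles, bindings, user and project names that mirror the reproduction steps (builds/docker removed from admin and edit, a separate dockerbuilder role). The rule-matching logic is simplified to resource and verb strings; the one real-RBAC detail it keeps is that a subresource such as builds/docker must be listed explicitly (or via "*") and is not covered by "builds" alone.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    resources: FrozenSet[str]
    verbs: FrozenSet[str]


@dataclass(frozen=True)
class Binding:
    role: str                 # name of a ClusterRole
    subjects: FrozenSet[str]  # user names bound to the role
    namespace: Optional[str]  # None => ClusterRoleBinding (cluster-wide); str => RoleBinding in that namespace


# Constructed roles mirroring steps 1 and 2 of the bug: builds/docker has been
# removed from admin and edit, and lives only in the separate dockerbuilder role.
CLUSTER_ROLES: Dict[str, List[Rule]] = {
    "admin": [Rule(frozenset({"builds", "pods", "rolebindings"}),
                   frozenset({"create", "get", "list", "delete"}))],
    "edit": [Rule(frozenset({"builds", "pods"}),
                  frozenset({"create", "get", "list", "delete"}))],
    "dockerbuilder": [Rule(frozenset({"builds/docker"}), frozenset({"create"}))],
}


def rule_matches(rule: Rule, verb: str, resource: str) -> bool:
    """A subresource like builds/docker must be named explicitly (or "*");
    granting "builds" does not imply builds/docker."""
    verb_ok = verb in rule.verbs or "*" in rule.verbs
    resource_ok = resource in rule.resources or "*" in rule.resources
    return verb_ok and resource_ok


def binding_applies(binding: Binding, namespace: str) -> bool:
    """ClusterRoleBindings apply everywhere; RoleBindings only in their namespace."""
    return binding.namespace is None or binding.namespace == namespace


def who_can(bindings: List[Binding], verb: str, resource: str, namespace: str) -> List[str]:
    """Rough equivalent of `oc policy who-can VERB RESOURCE -n NAMESPACE` (users only)."""
    users = set()
    for b in bindings:
        if not binding_applies(b, namespace):
            continue
        if any(rule_matches(r, verb, resource) for r in CLUSTER_ROLES[b.role]):
            users |= b.subjects
    return sorted(users)


def add_role_to_user(bindings: List[Binding], role: str, user: str, namespace: str) -> List[Binding]:
    """Like `oadm policy add-role-to-user ROLE USER -n NS`: a namespaced RoleBinding."""
    return bindings + [Binding(role, frozenset({user}), namespace)]


def add_cluster_role_to_user(bindings: List[Binding], role: str, user: str) -> List[Binding]:
    """Like `oadm policy add-cluster-role-to-user ROLE USER`: a ClusterRoleBinding.
    Any -n flag is irrelevant to the resulting scope."""
    return bindings + [Binding(role, frozenset({user}), None)]


# Constructed starting state: devuser is admin in two projects, via RoleBindings.
BASE: List[Binding] = [
    Binding("admin", frozenset({"devuser"}), "devproject"),
    Binding("admin", frozenset({"devuser"}), "otherproject"),
]
PROJECTS = ("devproject", "otherproject")


def scenario_role_binding() -> Dict[str, List[str]]:
    """Expected-results path: dockerbuilder bound only in devproject."""
    b = add_role_to_user(BASE, "dockerbuilder", "devuser", "devproject")
    return {ns: who_can(b, "create", "builds/docker", ns) for ns in PROJECTS}


def scenario_cluster_role_binding() -> Dict[str, List[str]]:
    """Actual-results path: the same role bound cluster-wide."""
    b = add_cluster_role_to_user(BASE, "dockerbuilder", "devuser")
    return {ns: who_can(b, "create", "builds/docker", ns) for ns in PROJECTS}


if __name__ == "__main__":
    for ns in PROJECTS:
        print("before:", ns, who_can(BASE, "create", "builds/docker", ns))
    print("RoleBinding:       ", scenario_role_binding())
    print("ClusterRoleBinding:", scenario_cluster_role_binding())
```

The model makes the check from Comment 2 concrete: before any dockerbuilder binding, nobody can create builds/docker in either project even though devuser is admin there; a RoleBinding adds devuser for devproject only; a ClusterRoleBinding adds devuser for every project, which is the "can build on all projects" symptom.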