Bug 1277819
Summary: | The build strategy allows only certain user in a specific project to create build does not work | | |
---|---|---|---|
Product: | OKD | Reporter: | zhou ying <yinzhou> |
Component: | Security | Assignee: | David Eads <deads> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Xiaoli Tian <xtian> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 3.x | CC: | dmcphers, jialiu, lmeyer, mmccomas, wewang, yinzhou |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-11-23 21:13:10 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
zhou ying
2015-11-04 06:55:29 UTC
I cannot reproduce this in my initial attempt. Will try on the latest ami.

I cannot reproduce this on the latest AWS ami either. Can you please include the output of:

```
oc policy who-can create builds/docker -n [project]
```

before you assign the role to the user and afterwards. Also show it for a project where you did assign the role and one where you didn't.

Please include the output of the commands for every namespace in your cluster (before and after adding the role to the user):

```
oc get clusterroles -o yaml
oc get clusterrolebindings -o yaml
oc get roles -o yaml
oc get rolebindings -o yaml
```

In the latest ami, I also cannot reproduce this, will close this bug.

Before adding the role to the user:

```
[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouy
Namespace: zhouy
Verb:      create
Resource:  builds/docker

Users:  none

Groups: system:cluster-admins
        system:masters

[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouyt
Namespace: zhouyt
Verb:      create
Resource:  builds/docker

Users:  none

Groups: system:cluster-admins
        system:masters
```

After adding the role:

```
[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouyt
Namespace: zhouyt
Verb:      create
Resource:  builds/docker

Users:  devuser
        zhouy

Groups: system:cluster-admins
        system:masters

[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouy
Namespace: zhouy
Verb:      create
Resource:  builds/docker

Users:  none

Groups: system:cluster-admins
        system:masters
```

The command `oadm policy add-cluster-role-to-user dockerbuilder devuser -n devproject` grants devuser the power of the dockerbuilder role in the entire cluster, not just the devproject namespace. If you want to grant him the power only in devproject, try `oadm policy add-role-to-user dockerbuilder devuser -n devproject`.

Looks like your initial steps used the proper command: `oadm policy add-role-to-user dockerbuilder devuser -n devproject`. I'm returning this so you can confirm the correctness of the behavior before closing.
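The thread turns on the difference between `add-cluster-role-to-user` (a cluster-wide binding) and `add-role-to-user` (a binding in one namespace), and on using `oc policy who-can` per namespace to see which one actually took effect. The script below is an added example, not part of the bug report or of OKD itself: it parses the `who-can` output format shown in the thread and checks that a user can create `builds/docker` in the intended namespace and in no other. `who_can_output` is a hypothetical stand-in that returns constructed sample output (user names `devuser` and `wideuser`, namespaces `devproject` and `other` are made up) so the script runs offline; replacing its body with the real `oc policy who-can create builds/docker -n "$1"` call makes it usable against a cluster.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a user's permission to
# create builds/docker is limited to one namespace, by reading the output of
#   oc policy who-can create builds/docker -n <namespace>
# for every namespace of interest.

who_can_output() {
  # Hypothetical stand-in for the real oc call, returning constructed samples.
  # "devuser" was bound with add-role-to-user in devproject only (namespace
  # scoped); "wideuser" was bound with add-cluster-role-to-user, so it appears
  # in every namespace.
  case $1 in
    devproject) cat <<EOF
Namespace: $1
Verb:      create
Resource:  builds/docker

Users:  devuser
        wideuser

Groups: system:cluster-admins
        system:masters
EOF
    ;;
    *) cat <<EOF
Namespace: $1
Verb:      create
Resource:  builds/docker

Users:  wideuser

Groups: system:cluster-admins
        system:masters
EOF
    ;;
  esac
}

users_from_who_can() {
  # Print one user per line from the "Users:" section of who-can output.
  # A lone "none" means no explicitly listed users.
  awk '
    /^Users:/  { inusers = 1; sub(/^Users:[ \t]*/, ""); if ($0 != "") print; next }
    /^Groups:/ { inusers = 0 }
    inusers    { sub(/^[ \t]+/, ""); if ($0 != "") print }
  '
}

user_can_create_builds() {
  # usage: user_can_create_builds USER NAMESPACE
  who_can_output "$2" | users_from_who_can | grep -qx -- "$1"
}

check_scope() {
  # usage: check_scope USER INTENDED_NAMESPACE NAMESPACE...
  # Returns 0 if USER can create builds/docker in INTENDED_NAMESPACE and in
  # no other listed namespace; each violation is reported on stderr.
  cs_user=$1; cs_intended=$2; shift 2
  cs_status=0
  for cs_ns in "$@"; do
    if user_can_create_builds "$cs_user" "$cs_ns"; then
      if [ "$cs_ns" != "$cs_intended" ]; then
        echo "LEAK: $cs_user can create builds/docker in $cs_ns" >&2
        cs_status=1
      fi
    elif [ "$cs_ns" = "$cs_intended" ]; then
      echo "MISSING: $cs_user cannot create builds/docker in $cs_intended" >&2
      cs_status=1
    fi
  done
  return $cs_status
}

# Stand-alone usage over the constructed namespaces.
if check_scope devuser devproject devproject other; then
  echo "devuser: scoped to devproject as intended"
fi
if ! check_scope wideuser devproject devproject other; then
  echo "wideuser: grant is cluster-wide, as add-cluster-role-to-user would produce"
fi
```

Running it against a real cluster means listing every namespace (for example from `oc get projects`) as the trailing arguments, so that a cluster-wide binding shows up as a `LEAK` in the namespaces where the user was never meant to build.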