Bug 1321766

Summary:	Docker/custom build is not forbidden in Online env
Product:	OpenShift Online	Reporter:	Wenjing Zheng <wzheng>
Component:	Website	Assignee:	Dan Mace <dmace>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Yanping Zhang <yanpzhan>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	3.x	CC:	akostadi, aos-bugs, dmace, jokerman, mmccomas, wzheng
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-05-23 15:09:58 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Wenjing Zheng 2016-03-29 06:14:33 UTC

Description of problem:
Still can docker build or custom build in Online env.

Version-Release number of selected component (if applicable):
3.2 Online
openshift v3.2.0.6
kubernetes v1.2.0-36-g4a3f9c5
etcd 2.2.

How reproducible:
always

Steps to Reproduce:
1. Do docker/custom build after log into Online env
2.
3.

Actual results:
Docker/custom build is successful.

Expected results:
Cannot docker/custom build in Online env

Additional info:

Comment 1 Abhishek Gupta 2016-03-30 02:34:21 UTC

This should not have been a problem assuming the two issues below have been configured correctly. I'll verify the configuration on INT tomorrow.

https://github.com/openshift/online/issues/65
https://github.com/openshift/online/issues/63

Comment 2 Abhishek Gupta 2016-04-01 23:34:58 UTC

Dan: Can you please take a look?

Comment 3 Dan Mace 2016-04-04 14:43:25 UTC

I believe the issue is project owners are getting bound to the /admin role rather than /openshift-online:admin: https://github.com/openshift/online/blob/master/config/project-request.json#L116-L136

Will verify a fix and open a PR.

Comment 4 Dan Mace 2016-04-04 15:59:53 UTC

Fixed by https://github.com/openshift/online/pull/88.

Comment 5 Wenjing Zheng 2016-04-05 09:25:36 UTC

QE Will verify when the pr is merged into Online env.

Comment 6 Dan Mace 2016-04-05 12:20:24 UTC

The fix is merged and deployed to INT, feel free to test.

Comment 7 Wenjing Zheng 2016-04-06 10:01:34 UTC

Have checked on dev-preview-int, still haven't see the fix.

Comment 8 Dan Mace 2016-04-06 13:53:01 UTC

(In reply to Wenjing Zheng from comment #7)
> Have checked on dev-preview-int, still haven't see the fix.

Can you please give more detail about which user is affected? I forgot to mention when I fixed the bug that existing accounts will still have the incorrect roles and only NEW users will have the corrected roles.

Please make sure to test with a new user, and if the problem persists, let me know which username has the escalated privileges.

Thanks!

Comment 9 Wenjing Zheng 2016-04-07 06:11:46 UTC

Yes, if using new created account, docker/custom build is forbidden. But how to make the existing accounts to have correct roles?

Comment 10 Dan Mace 2016-04-07 14:06:40 UTC

(In reply to Wenjing Zheng from comment #9)
> Yes, if using new created account, docker/custom build is forbidden. But how
> to make the existing accounts to have correct roles?

We're not going to update the existing accounts- they'll need deleted and recreated.

Comment 11 Wenjing Zheng 2016-04-08 02:43:40 UTC

Thanks, Dan!
Per comment #9, verify this bug now.

Comment 12 Aleksandar Kostadinov 2016-04-27 11:00:26 UTC

why didn't we change the default role permissions instead of creating a new role?