|Summary:||Build strategy Docker and custom should not be allowed in dev-preview-stg|
|Component:||Build||Assignee:||Dan Mace <dmace>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Wenjing Zheng <wzheng>|
|Version:||3.x||CC:||aos-bugs, dakini, deads, dmace, xtian|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2016-06-23 17:32:44 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:|
Description mdong 2016-05-16 08:44:39 UTC
Description of problem: When generate a build using build strategy with Docker, it should be failed due to build strategy Docker is not allowed. Version-Release number of selected component (if applicable): dev-preview-stg openshift v126.96.36.199 kubernetes v1.2.0-36-g4a3f9c5 etcd 2.2.5 How reproducible: Steps to Reproduce: 1. Create a project named: test 2. Run the command to generated build: oc new-build centos/ruby-22-centos7~https://github.com/openshift/ruby-hello-world.git --name=docker-bc --strategy=docker 3. Actual results: Build completed. Expected results: error: buildconfigs "docker-bc" is forbidden: build strategy Docker is not allowed Additional info: Custom build can be created successfully in dev-preview-stg, but it should not be allowed. The same behavior is for new user and existed user.
Comment 1 Ben Parees 2016-05-16 14:16:56 UTC
I assume this is an auth/role configuration issue in dev-preview-stg.
Comment 2 Abhishek Gupta 2016-05-16 23:53:06 UTC
The custom roles that we have in Online seem to be configured correctly. Also, the project template seems to correctly link to the customer project admin role (openshift-online:admin). However, I believe the issue is that the "system:authenticated" group seems to have access to do a docker build. I am not sure if this is a recent change. If this is indeed the issue (need to run it past David/Jordan), then we just need to remove build access for docker and custom strategies from the system:authenticated group. ---------------- This is from Dev Preview STG. $ oc policy who-can create builds/docker Users: system:serviceaccount:openshift-infra:build-controller Groups: system:authenticated system:cluster-admins system:masters $ oc policy who-can create builds/custom Users: system:serviceaccount:openshift-infra:build-controller Groups: system:authenticated system:cluster-admins system:masters
Comment 3 Abhishek Gupta 2016-05-17 00:01:22 UTC
David: Can you please take a quick look at the bug and see if my comment above does actually highlight the problem. If not, any pointers on what to consider would be helpful.
Comment 4 David Eads 2016-05-17 15:13:17 UTC
Roles were recently added to change the way that permission was assigned. Try removing system:authenticated from system:build-strategy-docker and system:build-strategy-custom.
Comment 5 Dan Mace 2016-05-17 18:37:16 UTC
Will be resolved with https://github.com/openshift/online/issues/144
Comment 6 mdong 2016-05-18 02:24:52 UTC
Verified against dev-preview-stg