Bug 1336345
Summary: | Build strategy Docker and custom should not be allowed in dev-preview-stg | ||
---|---|---|---|
Product: | OpenShift Online | Reporter: | mdong |
Component: | Build | Assignee: | Dan Mace <dmace> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Wenjing Zheng <wzheng> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3.x | CC: | aos-bugs, dakini, deads, dmace, xtian |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-06-23 17:32:44 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1303130 |
Description
mdong
2016-05-16 08:44:39 UTC
I assume this is an auth/role configuration issue in dev-preview-stg. The custom roles that we have in Online seem to be configured correctly. Also, the project template seems to correctly link to the customer project admin role (openshift-online:admin). However, I believe the issue is that the "system:authenticated" group seems to have access to do a docker build. I am not sure if this is a recent change. If this is indeed the issue (need to run it past David/Jordan), then we just need to remove build access for docker and custom strategies from the system:authenticated group. ---------------- This is from Dev Preview STG. $ oc policy who-can create builds/docker Users: system:serviceaccount:openshift-infra:build-controller Groups: system:authenticated system:cluster-admins system:masters $ oc policy who-can create builds/custom Users: system:serviceaccount:openshift-infra:build-controller Groups: system:authenticated system:cluster-admins system:masters David: Can you please take a quick look at the bug and see if my comment above does actually highlight the problem. If not, any pointers on what to consider would be helpful. Roles were recently added to change the way that permission was assigned. Try removing system:authenticated from system:build-strategy-docker and system:build-strategy-custom. Will be resolved with https://github.com/openshift/online/issues/144 Verified against dev-preview-stg |