Bug 1336345

Summary: Build strategy Docker and custom should not be allowed in dev-preview-stg
Product: OpenShift Online Reporter: mdong
Component: BuildAssignee: Dan Mace <dmace>
Status: CLOSED CURRENTRELEASE QA Contact: Wenjing Zheng <wzheng>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.xCC: aos-bugs, dakini, deads, dmace, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-23 17:32:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1303130    

Description mdong 2016-05-16 08:44:39 UTC
Description of problem:
When generate a build using build strategy with Docker, it should be failed due to build strategy Docker is not allowed.

Version-Release number of selected component (if applicable):
openshift v3.2.0.44
kubernetes v1.2.0-36-g4a3f9c5
etcd 2.2.5

How reproducible:

Steps to Reproduce:
1. Create a project named: test
2. Run the command to generated build:
oc new-build centos/ruby-22-centos7~https://github.com/openshift/ruby-hello-world.git --name=docker-bc --strategy=docker

Actual results:
Build completed.

Expected results:
error: buildconfigs "docker-bc" is forbidden: build strategy Docker is not allowed

Additional info:
Custom build can be created successfully in dev-preview-stg, but it should not be allowed.  
The same behavior is for new user and existed user.

Comment 1 Ben Parees 2016-05-16 14:16:56 UTC
I assume this is an auth/role configuration issue in dev-preview-stg.

Comment 2 Abhishek Gupta 2016-05-16 23:53:06 UTC
The custom roles that we have in Online seem to be configured correctly. Also, the project template seems to correctly link to the customer project admin role (openshift-online:admin). However, I believe the issue is that the "system:authenticated" group seems to have access to do a docker build. I am not sure if this is a recent change. If this is indeed the issue (need to run it past David/Jordan), then we just need to remove build access for docker and custom strategies from the system:authenticated group.

This is from Dev Preview STG.

$ oc policy who-can create builds/docker
Users:  system:serviceaccount:openshift-infra:build-controller

Groups: system:authenticated

$ oc policy who-can create builds/custom
Users:  system:serviceaccount:openshift-infra:build-controller

Groups: system:authenticated

Comment 3 Abhishek Gupta 2016-05-17 00:01:22 UTC
David: Can you please take a quick look at the bug and see if my comment above does actually highlight the problem. If not, any pointers on what to consider would be helpful.

Comment 4 David Eads 2016-05-17 15:13:17 UTC
Roles were recently added to change the way that permission was assigned.  Try removing system:authenticated from system:build-strategy-docker and system:build-strategy-custom.

Comment 5 Dan Mace 2016-05-17 18:37:16 UTC
Will be resolved with https://github.com/openshift/online/issues/144

Comment 6 mdong 2016-05-18 02:24:52 UTC
Verified against dev-preview-stg