Bug 1383240

Summary: [atomic registry]Can't add username with email address format to project
Product: OpenShift Container Platform
Reporter: DeShuai Ma <dma>
Component: Management Console
Assignee: Dominik Perpeet <dperpeet>
Status: CLOSED ERRATA
QA Contact: DeShuai Ma <dma>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.3.1
CC: aos-bugs, dma, jokerman, mmccomas, mpitt, pweil, tdawson, yapei
Target Milestone: ---
Target Release: 3.4.z
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-03-02 20:58:34 UTC
Type: Bug

Description DeShuai Ma 2016-10-10 09:31:06 UTC
Description of problem:
When adding a member to a project, if the user name is in email address format, it can't be added; the console always shows the tip 'The member name contains invalid characters.'

Version-Release number of selected component (if applicable):
openshift v3.3.1.1
registry-console image id: 57a566a04a79  brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/registry-console

How reproducible:
Always

Steps to Reproduce:
1. Log in to registry-console
2. Click projects and select your project
3. Click 'Add member'
4. Input a user name in email address format

Actual results:
4. Tip 'The member name contains invalid characters.'

Expected results:
4. Add user successfully

Additional info:
[root@host-8-175-118 dma]# oc get users
NAME                  UID                                    FULL NAME             IDENTITIES
dma        6cdfd35b-8ebf-11e6-af1d-fa163ef84c30   dma        LDAP_auth:uid=dma,ou=People,dc=my-domain,dc=com

Comment 2 Martin Pitt 2017-01-19 16:37:23 UTC
Please forgive my ignorance, I'm new to all this. Are user names in the form of an email address even valid in OpenShift? I am looking at

  https://docs.openshift.com/container-platform/3.4/architecture/core_concepts/projects_and_users.html

and there is no indication about email-style user names? Is there some documentation/specification that suggests that it is? Thanks!

Comment 3 Yadan Pei 2017-01-20 08:48:39 UTC
Hi Martin,

For OpenShift, we have multiple authentication methods (https://docs.openshift.com/container-platform/3.4/install_config/configuring_authentication.html#install-config-configuring-authentication). If we can add an email-style user name successfully for one authentication method, then we should take a user name in the form of an email address as valid for OpenShift.

Does this answer your question?

Comment 4 DeShuai Ma 2017-01-20 08:57:02 UTC
User names in the form of an email address are valid in OpenShift.
Running get users on the master, we can see:
[root@openshift-105 ~]# oc get users|grep test
test1     5aa46fbc-deed-11e6-87db-fa163ea061ca               allow_all:test1
test      292c7804-deed-11e6-87db-fa163ea061ca               allow_all:test

But in registry-console we can't add an email-format user to a project.

Comment 5 Martin Pitt 2017-01-23 10:22:57 UTC
Apparently OpenShift itself does not make any restrictions wrt. member names. Email format works fine:

[root@f1 ~]# oc patch --namespace=marmalade policybinding ':default' -p '{"roleBindings":[{"name":"edit","roleBinding":{"metadata":{"name":"edit","namespace":"marmalade"},"userNames":["foo"],"groupNames":null,"subjects":[{"kind":"User","name":"foo"},{"kind":"User","name":"foo"}],"roleRef":{"name":"edit"}}}]}'

[root@f1 ~]# oc get rolebindings
NAME      ROLE      USERS             GROUPS    SERVICE ACCOUNTS   SUBJECTS
edit      /edit     foo                                


But even a completely ridiculous one works:

# oc patch --namespace=marmalade policybinding ':default' -p '{"roleBindings":[{"name":"edit","roleBinding":{"metadata":{"name":"edit","namespace":"marmalade"},"userNames":["foo ^ bar"],"groupNames":null,"subjects":[{"kind":"User","name":"foo ^ bar"},{"kind":"User","name":"foo ^ bar"}],"roleRef":{"name":"edit"}}}]}'

[root@f1 ~]# oc get rolebindings
NAME      ROLE      USERS       GROUPS    SERVICE ACCOUNTS   SUBJECTS
edit      /edit     foo ^ bar

So it seems fine to me to make this more liberal in the registry.
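
Added example, not part of the thread and not Cockpit's code: a console-side sketch that treats the member name as an opaque string and builds the policybinding patch body in the shape shown in Comment 5, so characters such as "@", "^" or quotes cannot alter the JSON. The function names and the acceptance policy (reject only empty names and control characters) are assumptions made for illustration.

```javascript
// Assumed policy (hypothetical): the server accepts arbitrary names, so the
// client rejects only empty input and control characters.
function checkMemberName(name) {
  if (typeof name !== "string" || name.length === 0) return "empty";
  if (/[\u0000-\u001f\u007f]/.test(name)) return "control-character";
  return null; // acceptable
}

// Build the patch body for the "edit" role binding. JSON.stringify does the
// escaping; the name is never concatenated into the JSON text by hand.
function buildEditPatch(namespace, userName) {
  const problem = checkMemberName(userName);
  if (problem) throw new Error("invalid member name: " + problem);
  return JSON.stringify({
    roleBindings: [{
      name: "edit",
      roleBinding: {
        metadata: { name: "edit", namespace: namespace },
        userNames: [userName],
        groupNames: null,
        subjects: [{ kind: "User", name: userName }],
        roleRef: { name: "edit" },
      },
    }],
  });
}

// Run a list of names through the builder and report the outcome of each.
function tryNames(namespace, names) {
  return names.map((n) => {
    try {
      const body = JSON.parse(buildEditPatch(namespace, n));
      return { name: n, ok: true,
               bound: body.roleBindings[0].roleBinding.userNames[0] };
    } catch (e) {
      return { name: n, ok: false, error: e.message };
    }
  });
}

// Constructed sample names, including one that would break naive
// string concatenation.
const SAMPLES = ["dma@example.com", "foo ^ bar", 'a"b\\c', "", "x\ny"];
console.log(tryNames("marmalade", SAMPLES));
```

The resulting body is meant to be sent through an API client; pasting it into a single-quoted `oc patch -p '...'` argument additionally requires shell quoting of the name.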

Comment 6 Martin Pitt 2017-01-23 14:16:49 UTC
kubernetes also supports/suggests email-style user names: https://kubernetes.io/docs/admin/authentication/

Comment 7 Martin Pitt 2017-01-23 14:58:47 UTC
Fix proposed in https://github.com/cockpit-project/cockpit/pull/5785

Comment 8 Dominik Perpeet 2017-01-25 12:00:00 UTC
Merged upstream, will be part of Cockpit 130

Comment 9 Dominik Perpeet 2017-01-25 12:01:26 UTC
upstream commit with fix: https://github.com/cockpit-project/cockpit/commit/ba6896c3c1c9eeba32d9b146f3e9475fd7071f3d

Comment 10 Troy Dawson 2017-02-27 21:35:07 UTC
This is fixed in 3.4 with image
  openshift3/registry-console:3.4-4

Those images should be in the usual testing areas for testing.

Comment 12 DeShuai Ma 2017-02-28 09:43:01 UTC
Verified on openshift3/registry-console:3.4-4; a member with email address format can now be added.

Comment 14 errata-xmlrpc 2017-03-02 20:58:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0434