Bug 1383638

Summary:	[platformmanagement_public_649] The API will not return the allowed message when sent PodSecurityPolicySubjectReview with specific user name
Product:	OKD	Reporter:	weiwei jiang <wjiang>
Component:	Master	Assignee:	Maciej Szulik <maszulik>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Chuan Yu <chuyu>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	3.x	CC:	aos-bugs, chuyu, mfojtik, mmccomas, wsun
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-12-09 21:50:11 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description weiwei jiang 2016-10-11 10:16:42 UTC

Description of problem:
When send api to post PodSecurityPolicySubjectReview with specific user name, got 

  "status": {
    "template": {
      "metadata": {
        "creationTimestamp": null
      },
      "spec": {
        "containers": null,
        "restartPolicy": "Always",
        "terminationGracePeriodSeconds": 30,
        "dnsPolicy": "ClusterFirst",
        "securityContext": {}
      }
    }


Version-Release number of selected component (if applicable):
devenv-rhel7_5161

How reproducible:
always

Steps to Reproduce:
1. Send api to post PodSecurityPolicySubjectReview
{
    "kind": "PodSecurityPolicySubjectReview",
    "apiVersion": "v1",
    "metadata": {
        "name": "pspsr"
    },
    "spec": {
        "template": {
            "spec": {
            "containers": [
                {
                    "name": "hello-openshift",
                    "image": "aosqe/hello-openshift",
                    "ports": [
                        {
                            "containerPort": 8080,
                            "protocol": "TCP"
                        }
                    ],
                    "resources": {

                    },
                    "volumeMounts": [
                        {
                            "name": "tmp",
                            "mountPath": "/tmp"
                        }
                    ],
                    "terminationMessagePath": "/dev/termination-log",
                    "imagePullPolicy": "IfNotPresent",
                    "securityContext": {
                        "capabilities": {

                        },
                        "privileged": false
                    }
                }
            ],
            "volumes": [
                {
                    "name": "tmp",
                    "emptyDir": {

                    }
                }
            ],
            "restartPolicy": "Always",
            "dnsPolicy": "ClusterFirst",
            "serviceAccountName": "default"
            }
        },
        "user": "wjiang"
    },
    "status": {

    }
}
 curl -k -H "Authorization: Bearer `oc whoami -t`" "https://localhost:8443/oapi/v1/namespaces/wjiang/podsecuritypolicysubjectreviews" -X POST -d @pspsr -H "Content-Type: application/json"
2. Check the result
3.

Actual results:
{                                                                                                                                                                                                                                                                   [693/3132]
  "kind": "PodSecurityPolicySubjectReview",
  "apiVersion": "v1",
  "spec": {
    "template": {
      "metadata": {
        "creationTimestamp": null
      },
      "spec": {
        "volumes": [
          {
            "name": "tmp",
            "emptyDir": {}
          }
        ],
        "containers": [
          {
            "name": "hello-openshift",
            "image": "aosqe/hello-openshift",
            "ports": [
              {
                "containerPort": 8080,
                "protocol": "TCP"
              }
            ],
            "resources": {},
            "volumeMounts": [
              {
                "name": "tmp",
                "mountPath": "/tmp"
              }
            ],
            "terminationMessagePath": "/dev/termination-log",
            "imagePullPolicy": "IfNotPresent",
            "securityContext": {
              "capabilities": {},
              "privileged": false
            }
          }
        ],
        "restartPolicy": "Always",
        "terminationGracePeriodSeconds": 30,
        "dnsPolicy": "ClusterFirst",
        "serviceAccountName": "default",
        "serviceAccount": "default",
        "securityContext": {}
      }
    },
    "user": "wjiang"
  },
  "status": {
    "template": {
      "metadata": {
        "creationTimestamp": null
      },
      "spec": {
        "containers": null,
        "restartPolicy": "Always",
        "terminationGracePeriodSeconds": 30,
        "dnsPolicy": "ClusterFirst",
        "securityContext": {}
      }
    }
  }
}

Expected results:
Should list the sccs in allowedby.

Additional info:

Comment 1 Maciej Szulik 2016-10-26 13:55:41 UTC

PR in flight: https://github.com/openshift/origin/pull/11389

Comment 2 Maciej Szulik 2016-10-27 13:16:53 UTC

No fix is needed, you can ignore previous comment.

To keep consistent with other SAR endpoints a user needs to specify both user and groups to get reasonable information back. [1] explicitly states you need to specify both to get proper answer in the light of username and the groups he's in.


[1] https://github.com/openshift/origin/blob/125ed10fa7103f46c5aa1593210ca0e1d417ea4b/pkg/security/api/types.go#L27-L29

I'm moving this back to ON_QA.

Comment 3 Chuan Yu 2016-10-28 13:48:55 UTC

When specify both user and groups, could get reasonable information back.