| Summary: | Limit range values not showing in quotas page of online developer preview. | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Graham Dumpleton <gdumplet> |
| Component: | apiserver-auth | Assignee: | Mike Dame <mdame> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Li Zhe <zhezli> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abhgupta, aos-bugs, deads, gdumplet, jforrest, jokerman, mmccomas, twiest, yufchang, zhezli |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-02-16 22:13:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Description
Graham Dumpleton
2016-10-20 21:55:13 UTC
There are actually two things going on here:
1) applied cluster resource quota should not be returning a 403, we need more details on the error message you are getting back on the request
2) the limit ranges are being intentionally hidden by custom CSS in online, this was a decision by the Online folks, I believe Jake did this. However in 3.3 the Limit Range header is no longer getting hidden by that custom CSS.
It doesn't look like we're going to be able to hide the heading using CSS in OpenShift 3.3. Agreed with jake that the console needs to provide a wrapper around this section with a unique enough class name that it can be easily hidden.
Content of error response returned to browser is:
{kind: "Status", apiVersion: "v1", metadata: {}, status: "Failure",…}
  apiVersion: "v1"
  code: 403
  details: {kind: "appliedclusterresourcequotas"}
    kind: "appliedclusterresourcequotas"
  kind: "Status"
  message: "User "GrahamDumpleton" cannot list appliedclusterresourcequotas in project "python-demos""
  metadata: {}
  reason: "Forbidden"
  status: "Failure"
Same if I use the oc command line. Remember this is a very old account and so if roles have been getting modified as went along, they may not have been applied back onto old accounts.
$ oc get appliedclusterresourcequotas
User "GrahamDumpleton" cannot list appliedclusterresourcequotas in project "python-demos"
grumpy-old-man:s2i-minimal-notebook graham$ oc get appliedclusterresourcequotas --loglevel 9
I1026 09:30:14.118078 40192 loader.go:330] Config loaded from file /Users/graham/.kube/config
I1026 09:30:14.120125 40192 round_trippers.go:299] curl -k -v -XGET -H "User-Agent: oc/v1.3.1 (darwin/amd64) openshift/dad658d" -H "Authorization: Bearer ..." -H "Accept: application/json, */*" https://api.preview.openshift.com:443/oapi
I1026 09:30:15.270052 40192 round_trippers.go:318] GET https://api.preview.openshift.com:443/oapi 200 OK in 1149 milliseconds
I1026 09:30:15.270106 40192 round_trippers.go:324] Response Headers:
I1026 09:30:15.270118 40192 round_trippers.go:327] Content-Length: 93
I1026 09:30:15.270129 40192 round_trippers.go:327] Cache-Control: no-store
I1026 09:30:15.270138 40192 round_trippers.go:327] Content-Type: application/json
I1026 09:30:15.270147 40192 round_trippers.go:327] Date: Tue, 25 Oct 2016 22:30:15 GMT
I1026 09:30:15.270238 40192 request.go:901] Response Body: {"kind":"APIVersions","apiVersion":"v1","versions":["v1"],"serverAddressByClientCIDRs":null}
I1026 09:30:15.270762 40192 round_trippers.go:299] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: oc/v1.3.1 (darwin/amd64) openshift/dad658d" -H "Authorization: Bearer ..." https://api.preview.openshift.com:443/version
I1026 09:30:15.575077 40192 round_trippers.go:318] GET https://api.preview.openshift.com:443/version 200 OK in 304 milliseconds
I1026 09:30:15.575168 40192 round_trippers.go:324] Response Headers:
I1026 09:30:15.575202 40192 round_trippers.go:327] Cache-Control: no-store
I1026 09:30:15.575233 40192 round_trippers.go:327] Content-Type: application/json
I1026 09:30:15.575263 40192 round_trippers.go:327] Date: Tue, 25 Oct 2016 22:30:15 GMT
I1026 09:30:15.575294 40192 round_trippers.go:327] Content-Length: 235
I1026 09:30:15.575488 40192 request.go:901] Response Body: {
"major": "1",
"minor": "3",
"gitVersion": "v1.3.0+52492b4",
"gitCommit": "52492b4",
"gitTreeState": "clean",
"buildDate": "2016-10-18T12:31:49Z",
"goVersion": "go1.6.3",
"compiler": "gc",
"platform": "linux/amd64"
}
I1026 09:30:15.582845 40192 cached_discovery.go:80] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/servergroups.json
I1026 09:30:15.583145 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/apps/v1alpha1/serverresources.json
I1026 09:30:15.583395 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/authentication.k8s.io/v1beta1/serverresources.json
I1026 09:30:15.583532 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/autoscaling/v1/serverresources.json
I1026 09:30:15.583612 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/batch/v1/serverresources.json
I1026 09:30:15.583695 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/batch/v2alpha1/serverresources.json
I1026 09:30:15.583842 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/extensions/v1beta1/serverresources.json
I1026 09:30:15.584187 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/v1/serverresources.json
I1026 09:30:15.584544 40192 cached_discovery.go:80] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/servergroups.json
I1026 09:30:15.584755 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/apps/v1alpha1/serverresources.json
I1026 09:30:15.584990 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/authentication.k8s.io/v1beta1/serverresources.json
I1026 09:30:15.585115 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/autoscaling/v1/serverresources.json
I1026 09:30:15.585200 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/batch/v1/serverresources.json
I1026 09:30:15.585327 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/batch/v2alpha1/serverresources.json
I1026 09:30:15.585619 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/extensions/v1beta1/serverresources.json
I1026 09:30:15.586162 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/v1/serverresources.json
I1026 09:30:15.587399 40192 round_trippers.go:299] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: oc/v1.3.1 (darwin/amd64) openshift/dad658d" -H "Authorization: Bearer ..." https://api.preview.openshift.com:443/oapi/v1/namespaces/python-demos/appliedclusterresourcequotas
I1026 09:30:15.832826 40192 round_trippers.go:318] GET https://api.preview.openshift.com:443/oapi/v1/namespaces/python-demos/appliedclusterresourcequotas 403 Forbidden in 245 milliseconds
I1026 09:30:15.832858 40192 round_trippers.go:324] Response Headers:
I1026 09:30:15.832865 40192 round_trippers.go:327] Date: Tue, 25 Oct 2016 22:30:15 GMT
I1026 09:30:15.832871 40192 round_trippers.go:327] Content-Length: 299
I1026 09:30:15.832876 40192 round_trippers.go:327] Cache-Control: no-store
I1026 09:30:15.832882 40192 round_trippers.go:327] Content-Type: application/json
I1026 09:30:15.832965 40192 request.go:901] Response Body: {
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "User \"GrahamDumpleton\" cannot list appliedclusterresourcequotas in project \"python-demos\"",
"reason": "Forbidden",
"details": {
"kind": "appliedclusterresourcequotas"
},
"code": 403
}
F1026 09:30:15.833772 40192 helpers.go:110] User "GrahamDumpleton" cannot list appliedclusterresourcequotas in project "python-demos"
@deads take a look at the previous comment
@twiest I'm trying to get access to the https://api.preview.openshift.com again (I checked the hack day system before :( ). That forbidden error suggests that either the server isn't at 3.3 or that reconcile roles hasn't been run yet. Are you expecting that to be the case?
Jessica or Graham, can you provide output for `oc version` and `oc get clusterroles`? You ought to have rights for both.
I have a new account and I'm not seeing the 403 issue. So I think Graham is correct that it's something to do with his account that existed before the upgrade. Looking at the about page in the console there is no question this is on 3.3 API at this point.
Version
OpenShift Master: v3.3.1.3
Kubernetes Master: v1.3.0+52492b4
Graham, can you try the two commands David asked for since this seems specific to your account?
@deads: I believe it's been on 3.3 for some time now.
# openshift version
openshift v3.3.1.3
kubernetes v1.3.0+52492b4
etcd 2.3.0+git
The CSS fix to help with hiding the Limit Ranges header in Online is in for 1.4/3.4, assigning this bug to the Auth component to figure out what is actually going on with Graham's account.
Output from oc version as given in original report is:
oc v1.3.1
kubernetes v1.3.0+52492b4
features: Basic-Auth
Server https://api.preview.openshift.com:443
openshift v3.3.1.3
Output of oc get clusterroles is:
NAME
self-access-reviewer
system:replicaset-controller
system:pv-recycler-controller
system:daemonset-controller
sudoer
system:webhook
system:job-controller
system:image-pruner
system:image-pusher
system:pv-provisioner-controller
system:pv-attach-detach-controller
system:pet-set-controller
system:image-signer
system:node
system:endpoint-controller
system:gc-controller
system:image-puller
system:build-strategy-source
management-infra-admin
registry-admin
cluster-reader
system:image-builder
intercom-account-reconciler
system:sdn-manager
system:replication-controller
volume-provisioner
system:oauth-token-deleter
system:master
system:service-serving-cert-controller
system:image-auditor
system:build-strategy-custom
system:pv-binder-controller
system:build-strategy-docker
openshift-online:admin
openshift-online:edit
system:router
system:node-reader
system:deploymentconfig-controller
admin
basic-user
I'm apparently still unapproved.
`oc get clusterroles -o yaml`
Can you provide the information that David has requested - with the yaml data.
Created attachment 1216791
YAML for cluster roles.
Attached clusterroles as YAML.
BTW, perhaps related is that I get lots of errors if I try and assign role to project that would allow me to use the REST API from within a pod of the project.
$ oc adm policy add-role-to-group view system:serviceaccounts:python-demos
Error from server: rolebinding "view" is forbidden: user "GrahamDumpleton" cannot grant extra privileges:
{Verbs:["get" "list" "watch"], APIGroups:[""], Resources:["appliedclusterresourcequotas"]}
{Verbs:["get" "list" "watch"], APIGroups:[""], Resources:["deploymentconfigs/status"]}
{Verbs:["get" "list" "watch"], APIGroups:[""], Resources:["deployments"]}
{Verbs:["get" "list" "watch"], APIGroups:["apps"], Resources:["petsets"]}
{Verbs:["get" "list" "watch"], APIGroups:["batch"], Resources:["scheduledjobs"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["daemonsets"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["deployments"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["deployments/scale"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["replicasets"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["replicasets/scale"]}
{Verbs:["view"], APIGroups:["build.openshift.io"], Resources:["jenkins"]}
Looks like the `openshift-online:admin` role has slipped. @abhishek You probably need to check your test that catches drift. You're short several resources.
Graham: Can you please provide the rolebindings for the project?
apiVersion: v1
items:
- apiVersion: v1
  groupNames: null
  kind: RoleBinding
  metadata:
    creationTimestamp: 2016-06-14T09:18:19Z
    name: openshift-online:admin
    namespace: python-demos
    resourceVersion: "9578522"
    selfLink: /oapi/v1/namespaces/python-demos/rolebindings/openshift-online:admin
    uid: ef4d27ac-3210-11e6-a729-0e63b9c1c48f
  roleRef:
    name: openshift-online:admin
  subjects:
  - kind: User
    name: GrahamDumpleton
  userNames:
  - GrahamDumpleton
- apiVersion: v1
  groupNames: null
  kind: RoleBinding
  metadata:
    creationTimestamp: 2016-06-14T09:18:20Z
    name: system:deployers
    namespace: python-demos
    resourceVersion: "9578536"
    selfLink: /oapi/v1/namespaces/python-demos/rolebindings/system:deployers
    uid: ef834fff-3210-11e6-a729-0e63b9c1c48f
  roleRef:
    name: system:deployer
  subjects:
  - kind: ServiceAccount
    name: deployer
    namespace: python-demos
  userNames:
  - system:serviceaccount:python-demos:deployer
- apiVersion: v1
  groupNames: null
  kind: RoleBinding
  metadata:
    creationTimestamp: 2016-06-14T09:18:19Z
    name: system:image-builders
    namespace: python-demos
    resourceVersion: "9578529"
    selfLink: /oapi/v1/namespaces/python-demos/rolebindings/system:image-builders
    uid: ef77c060-3210-11e6-a729-0e63b9c1c48f
  roleRef:
    name: system:image-builder
  subjects:
  - kind: ServiceAccount
    name: builder
    namespace: python-demos
  userNames:
  - system:serviceaccount:python-demos:builder
- apiVersion: v1
  groupNames:
  - system:serviceaccounts:python-demos
  kind: RoleBinding
  metadata:
    creationTimestamp: 2016-06-14T09:18:19Z
    name: system:image-pullers
    namespace: python-demos
    resourceVersion: "9578523"
    selfLink: /oapi/v1/namespaces/python-demos/rolebindings/system:image-pullers
    uid: ef66b6e1-3210-11e6-a729-0e63b9c1c48f
  roleRef:
    name: system:image-puller
  subjects:
  - kind: SystemGroup
    name: system:serviceaccounts:python-demos
  userNames: null
kind: List
metadata: {}
After fix applied, no longer seeing error notice in web console.
The limits section content in the web console is now empty, which I believe is what is intended, but I would still regard it as a bug that the 'Limit Range' section title still appears when there is nothing to display in that section.
The command:
oc adm policy add-role-to-group view system:serviceaccounts:python-demos
also now works without errors.
This should be addressed in the next release when Online moves to 3.4.
Created attachment 1218301
Empty Limit Range section.
Add image of problem with web console quotas page where Limit Range section heading is shown, but nothing below.
Jessica: Can you please look into the screenshot that Graham posted above? I am just trying to ensure that this is properly addressed in 3.4.
@abhgupta yes we added the wrapper class around the whole limit ranges section in 3.4 but it's up to you guys to update your CSS extensions to hide the whole section using that class
This has been fixed in DevPreview INT
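The "cannot grant extra privileges" error earlier in this report lists the rules of the role being granted that the granting user does not already hold, which is the same comparison a test for role drift has to make. The following is an added example (not from the bug report or from OpenShift's code) that computes that difference over constructed rule sets; it assumes a simplified match on verbs, apiGroups and resources with `*` wildcards only, and the names `GRANTER`, `TARGET` and `missing_rules` are hypothetical.

```python
from itertools import product

# Constructed rule sets (assumptions, not taken from the attached YAML):
# GRANTER stands in for a custom project-admin role that has drifted,
# TARGET for the rules of the role being granted.
GRANTER = [
    {"apiGroups": [""], "resources": ["pods", "deploymentconfigs"],
     "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": ["batch"], "resources": ["*"], "verbs": ["*"]},
]
TARGET = [
    {"apiGroups": [""], "resources": ["pods", "appliedclusterresourcequotas"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["replicasets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["batch"], "resources": ["scheduledjobs"],
     "verbs": ["get", "list", "watch"]},
]

def expand(rules):
    """Flatten rules into (apiGroup, resource, verb) tuples."""
    flat = set()
    for rule in rules:
        # Assumption: a missing or empty apiGroups list means the core group "".
        groups = rule.get("apiGroups") or [""]
        flat.update(product(groups, rule["resources"], rule["verbs"]))
    return flat

def covers(held, needed):
    """True if a held tuple grants the needed one, honouring '*' wildcards."""
    return all(h in ("*", n) for h, n in zip(held, needed))

def missing_rules(granter_rules, target_rules):
    """Tuples in target_rules that nothing in granter_rules covers."""
    held = expand(granter_rules)
    return sorted(t for t in expand(target_rules)
                  if not any(covers(h, t) for h in held))

if __name__ == "__main__":
    for group, resource, verb in missing_rules(GRANTER, TARGET):
        print(f"missing: apiGroup={group!r} resource={resource} verb={verb}")
```

Subresources such as `deployments/scale` are compared as plain strings here, and fields such as resourceNames are ignored, so a real drift test needs to account for them separately.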