| Summary: | [DOCS] [userinterface_public_502] granted clusterrole lost in page membership and not working if granted on console | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | XiaochuanWang <xiaocwan> |
| Component: | Documentation | Assignee: | Ashley Hardin <ahardin> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | bpeterse |
| Severity: | medium | Docs Contact: | Vikram Goyal <vigoyal> |
| Priority: | medium | | |
| Version: | 3.4.0 | CC: | aos-bugs, bpeterse, jokerman, mmccomas, xxia |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-09 19:55:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
XiaochuanWang
2016-10-25 10:03:08 UTC
This works as expected, though it is a bit confusing. Here is the doc: https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#roles

And I'll attempt to explain:
- user1 is a 'cluster-admin' at the cluster level.
- We don't list cluster lvl policy anywhere in the UI, we only list local policy to a project. Therefore, user1 shows as a project 'admin' in the project.
- When user2 is given 'cluster-admin', this is local, at the project level. It is essentially super admin for the project. This grants access to edit things like resource limits which a project 'admin' does not have.
- user2 can't list all projects because this user isn't 'cluster-admin' at the cluster level.
- user2 does have a greater role than user1 within the project, but user1 is still an actual 'cluster-admin' at the cluster level so ultimately has more privilege.
- The web console isn't built for cluster admins, it's built for more typical users so there is no place currently for user1 to go see their cluster policy.
- Any 'cluster-*' roles granted by the UI are going to be project scoped.

In the end, I agree it is confusing, but this is the way the API works.

Thanks for explaining, bpeterse. That makes sense; I can understand the scope of "cluster-" roles in a better way now.
Let me simply confirm with you: the "cluster-*" role assigned by a project admin is limited to the project; this is not the same as the "cluster-*" role granted by cluster-admin or system:admin.
Does it also explain the reason a project admin can "oc get clusterrole" but cannot "oc get clusterrolebinding"?
I tested with a project admin: "oc get clusterrole|grep admin" will get "cluster-admin", but how does a project user assign this "cluster-admin" to others in project scope? I tried "oc policy add-role-to-user cluster-admin user2" and get the error below:
Error from server: rolebinding "cluster-admin" is forbidden: user "user1" cannot grant extra privileges:
{Verbs:["*"], APIGroups:["*"], Resources:["*"]}
{Verbs:["*"], NonResourceURLs:["*"]}"
Thanks, this original bug could be closed.
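The "cannot grant extra privileges" error above is the API server refusing a binding whose rules exceed what the binding user already holds: a user may hand out only permissions that their own rules already cover. The Python below is an added example, not part of this bug report and not OpenShift's code. It models that covering check on deliberately simplified, constructed rule sets (PROJECT_ADMIN, VIEW and CLUSTER_ADMIN are placeholders, not the real role definitions) and shows why a project admin can bind 'view' but is denied 'cluster-admin', whose wildcard rules nothing in the admin's rule set covers.

```python
# Added example: a simplified model of the "cannot grant extra privileges"
# check. The rule sets below are constructed placeholders, not OpenShift's
# real role definitions.
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One policy rule: either resource-based (api_groups + resources)
    or URL-based (non_resource_urls)."""
    verbs: frozenset
    api_groups: frozenset = frozenset()
    resources: frozenset = frozenset()
    non_resource_urls: frozenset = frozenset()


# (verb, api_group, resource, non_resource_url); unused slots are None
Atom = Tuple[str, ...]


def expand(rule: Rule) -> Set[Atom]:
    """Break a rule into the individual permission tuples it grants."""
    if rule.non_resource_urls:
        return {(v, None, None, u) for v in rule.verbs for u in rule.non_resource_urls}
    return {(v, g, r, None)
            for v in rule.verbs for g in rule.api_groups for r in rule.resources}


def _matches(have: frozenset, wanted: str) -> bool:
    # A granter's '*' matches anything; a wanted '*' is only matched by '*'.
    return "*" in have or wanted in have


def covers_atom(have: Rule, atom: Atom) -> bool:
    """True if a single granter rule covers one requested permission tuple."""
    verb, group, resource, url = atom
    if url is not None:
        return (bool(have.non_resource_urls)
                and _matches(have.verbs, verb)
                and _matches(have.non_resource_urls, url))
    return (bool(have.resources)
            and _matches(have.verbs, verb)
            and _matches(have.api_groups, group)
            and _matches(have.resources, resource))


def missing_privileges(granter: Iterable[Rule], requested: Iterable[Rule]) -> Set[Atom]:
    """Permissions in `requested` that no rule in `granter` covers (empty => grant allowed)."""
    granter = list(granter)
    return {atom for rule in requested for atom in expand(rule)
            if not any(covers_atom(h, atom) for h in granter)}


def can_grant(granter: Iterable[Rule], requested: Iterable[Rule]) -> bool:
    return not missing_privileges(granter, requested)


def denial_message(user: str, role: str, granter, requested) -> str:
    """Render a denial in the spirit of the API server error quoted above; '' if allowed."""
    missing = missing_privileges(granter, requested)
    if not missing:
        return ""
    parts = sorted(f"{v}:{g}:{r}" if u is None else f"{v}:{u}" for v, g, r, u in missing)
    return (f'rolebinding "{role}" is forbidden: user "{user}" '
            f'cannot grant extra privileges: ' + ", ".join(parts))


# Constructed, simplified role definitions (placeholders, not the real roles).
PROJECT_ADMIN = [
    Rule(verbs=frozenset({"get", "list", "watch", "create", "update", "patch", "delete"}),
         api_groups=frozenset({""}),
         resources=frozenset({"pods", "services", "configmaps", "secrets", "rolebindings"})),
]
VIEW = [
    Rule(verbs=frozenset({"get", "list", "watch"}),
         api_groups=frozenset({""}),
         resources=frozenset({"pods", "services", "configmaps"})),
]
CLUSTER_ADMIN = [
    Rule(verbs=frozenset({"*"}), api_groups=frozenset({"*"}), resources=frozenset({"*"})),
    Rule(verbs=frozenset({"*"}), non_resource_urls=frozenset({"*"})),
]

if __name__ == "__main__":
    print("project admin -> view:", can_grant(PROJECT_ADMIN, VIEW))                  # True
    print("project admin -> cluster-admin:", can_grant(PROJECT_ADMIN, CLUSTER_ADMIN))  # False
    print(denial_message("user1", "cluster-admin", PROJECT_ADMIN, CLUSTER_ADMIN))
```

The model is intentionally coarse: it treats a wanted wildcard as satisfiable only by a granter wildcard and ignores resource names and subresources, which is enough to show the shape of the decision without claiming to reproduce the real authorizer.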
Correct. Cluster roles are roles defined at the cluster level, but can be bound either at the cluster level or at the project level. Most roles are cluster roles; it is rare to have a local role at all. To create a local role for a project, I'd suggest copying an existing cluster role:
- oc get clusterrole view -o yaml > clusterrole_view.yml
- cp clusterrole_view.yml role_awesomeview.yml
- vim role_awesomeview.yml
  - change name to awesomeview
  - change kind to Role
  - remove resourceVersion, selfLink, uid, creationTimestamp
  - optionally add namespace: project-name (this might be filled in when you create the role in a project, i forget atm)
  - save file
- oc create -f path/to/role_awesomeview.yml
- optionally annotate with a description

To use the new role:
- oadm policy add-role-to-user awesomeview user2

For your cluster-role example, you would have:
- oadm policy add-cluster-role-to-user cluster-admin user2
  - which will make a local binding with the cluster role
  - this is more or less a project super admin, can edit quota & a few extras

Within a project, a user who is a project admin should be able to see rolebindings, not clusterrolebindings. Hope that helps!

Opening this back up and setting it to Documentation. We should assess the docs & make sure they are extremely clear since this use case is understandably confusing.

(In reply to bpeterse from comment #4)
> Opening this back up and setting it to Documentation. We should assess the
> docs & make sure they are extremely clear since this use case is
> understandably confusing.

Hey there, are the docs for 3.3 confusing about this or is this something we should clarify for 3.4? I'm looking at this: https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#roles

I would say the above discussion around this bug is that the topic is generally covered, but still unclear. I expect many users may follow the same logic around a 'cluster-admin' kind of role and wonder why a user granted this role can't do what is expected (because a role with "cluster-" in the name at a local scope is not intuitive). Perhaps after rereading the docs carefully it makes sense, but ideally we could clarify up front and avoid the confusion. An example may be all that is needed. This could be a docs update for 3.4 only if it includes a screenshot of the UI in this particular state: a 'cluster-admin' who created a project that only shows 'admin' but granted 'cluster-admin' to another user within the local scope of the project.

Work in progress: https://github.com/openshift/openshift-docs/pull/3178

reviewing, thx!

Looks good on openshift/oc v3.4.0.38, will mark it as VERIFIED when PR#3178 is merged.
Now the web console is consistent with the CLI as below; a project admin is restricted from granting "cluster-admin" to a user at the project level:
On the web console, the error message below will pop up when a user tries to add "cluster-admin" to another user. This is different from step 3 of the original description, but looks good:
The role "cluster-admin" could not be granted to "xiaocwan1".Reason: "rolebinding "cluster-admin" is forbidden: user "xiaocwan" cannot grant extra privileges: {Verbs:["*"], APIGroups:["*"], Resources:["*"]} {Verbs:["*"], NonResourceURLs:["*"]}"
# oc policy add-role-to-user cluster-admin user2
Error from server: rolebinding "cluster-admin" is forbidden: user "xiaocwan" cannot grant extra privileges:
{Verbs:["*"], APIGroups:["*"], Resources:["*"]}
{Verbs:["*"], NonResourceURLs:["*"]}
Added comments on PR https://github.com/openshift/openshift-docs/pull/3178/files Will move it to VERIFIED when the PR is merged.

Pull request LGTM now. Thanks. Will move it to VERIFIED when the PR is merged.

Commits pushed to master at https://github.com/openshift/openshift-docs
https://github.com/openshift/openshift-docs/commit/18f5948b956551134b25f0e5bc18c544161c94c6
Bug 1388415, added clarification around cluster roles
https://github.com/openshift/openshift-docs/commit/4b4c644d2a71a1c394661e7d9bfe247c0f8b16b6
Merge pull request #3178 from ahardin-rh/cluster-role
Bug 1388415, added clarification around cluster roles
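The steps bpeterse listed earlier in this thread for turning an exported cluster role into a local role (rename, change kind to Role, strip resourceVersion/selfLink/uid/creationTimestamp, optionally set the namespace and a description) are mechanical enough to script, which also avoids the hand-editing mistakes that produce a Role with stale server metadata. The Python below is an added example, not from this bug or the openshift-docs pull request. It works on a ClusterRole document in the shape that `oc get clusterrole view -o json` produces; the document embedded here is constructed and only mimics that shape, it is not the real 'view' role. The annotation key `description` is an arbitrary choice for the example, and the function and constant names are the example's own.

```python
# Added example: script the "copy a cluster role into a local role" steps.
# The ClusterRole document below is constructed; it mimics the shape of
# `oc get clusterrole view -o json` output and is not the real 'view' role.
import copy
import json

# Metadata fields the server sets on the exported object; a new object must not carry them.
SERVER_MANAGED_FIELDS = ("resourceVersion", "selfLink", "uid", "creationTimestamp")

CLUSTERROLE_VIEW_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "view",
        "resourceVersion": "1234",
        "selfLink": "/oapi/v1/clusterroles/view",
        "uid": "00000000-0000-0000-0000-000000000000",
        "creationTimestamp": "2016-10-25T10:03:08Z",
    },
    "rules": [
        {"verbs": ["get", "list", "watch"], "apiGroups": [""],
         "resources": ["pods", "services", "configmaps"]},
    ],
})


def load_constructed_clusterrole() -> dict:
    """Parse the constructed sample document (stand-in for `oc get ... -o json`)."""
    return json.loads(CLUSTERROLE_VIEW_JSON)


def clusterrole_to_role(doc: dict, new_name: str, namespace=None, description=None) -> dict:
    """Return a namespaced Role built from a ClusterRole document.

    Steps: change kind to Role, rename, drop server-managed metadata,
    optionally set metadata.namespace and a description annotation.
    The rules are copied unchanged and the input document is left untouched.
    """
    if doc.get("kind") != "ClusterRole":
        raise ValueError(f"expected a ClusterRole, got {doc.get('kind')!r}")
    if "rules" not in doc:
        raise ValueError("ClusterRole document has no rules")
    role = copy.deepcopy(doc)
    role["kind"] = "Role"
    meta = role.setdefault("metadata", {})
    meta["name"] = new_name
    for field in SERVER_MANAGED_FIELDS:
        meta.pop(field, None)
    if namespace is not None:
        meta["namespace"] = namespace
    if description is not None:
        # Annotation key is an arbitrary choice for this example.
        meta.setdefault("annotations", {})["description"] = description
    return role


def convert_json(clusterrole_json: str, new_name: str, namespace=None, description=None) -> str:
    """JSON in, JSON out: the result can be saved and passed to `oc create -f`."""
    role = clusterrole_to_role(json.loads(clusterrole_json), new_name, namespace, description)
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    print(convert_json(CLUSTERROLE_VIEW_JSON, "awesomeview",
                       namespace="project-name",
                       description="read-only view copied from the cluster 'view' role"))
```

Piping real output through this (`oc get clusterrole view -o json`, then the script's `convert_json`, then `oc create -f` on the saved file) reproduces the manual procedure; the kind check at the top refuses to "convert" something that is already a Role or is not a role at all.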