Bug 1418979

Summary: Not possible to show user's own roles for non-admins
Product: OpenShift Container Platform
Reporter: Martin Pitt <mpitt>
Component: Image Registry
Assignee: Michal Fojtik <mfojtik>
Status: CLOSED NOTABUG
QA Contact: Wei Sun <wsun>
Severity: low
Priority: low
Version: 3.4.0
CC: aos-bugs, mpitt
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2017-02-08 09:09:32 UTC
Type: Bug
Bug Blocks: 1373448

Description Martin Pitt 2017-02-03 10:40:49 UTC
Description of problem:

When trying to fix bug 1373448 in cockpit (Should not show 'docker tag' and 'docker push' message on ImageStream page when user without push role), I noticed that it seems impossible to find out the roles of the currently logged in user if they are not an admin. It would be nice to not offer commands related to pushing images if the user only has a "registry-view" role and thus cannot actually push images (that's "registry-edit").

I read various documentation [1][2] and checked Google/Stackoverflow, to no avail. So this is at least a documentation issue, or possibly it's not currently allowed at all.

See reproduction steps below for details.

[1] https://docs.openshift.com/container-platform/3.4/architecture/core_concepts/projects_and_users.html
[2] https://docs.openshift.com/container-platform/3.4/admin_solutions/user_role_mgmt.html

Version-Release number of selected component (if applicable):

# oc version
oc v1.4.1+3f9807a
kubernetes v1.4.0+776c994
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://10.111.112.101:8443
openshift v1.4.1+3f9807a
kubernetes v1.4.0+776c994


How reproducible:


Steps to Reproduce:
1. Log in as admin ("oc whoami" shows something like "system:admin").

2. Create some project and switch to it:
   # oc project myproj

3. Create a user who is a registry-viewer and another one who is a registry-editor:
   # oadm policy add-role-to-user registry-viewer pulluser 
   # oadm policy add-role-to-user registry-editor pushuser

4. Create/log in as pushuser:
   # printf "pushuser\nabc\n" | oc login

5. Try to find anything about your capabilities/roles:

   # oc get images
   No resources found.
   Error from server: User "pushuser" cannot list all images in the cluster
   # oc describe roleBindings
   Error from server: User "pushuser" cannot list rolebindings in project "myproj"
   # oc describe policyBindings :default
   Error from server: User "pushuser" cannot get policybindings in project "myproj"

6. The same happens for pulluser. Although that part would be okay, it'd be sufficient to have registry-editors be able to find out about their capabilities.

Comment 1 Michal Fojtik 2017-02-06 10:14:18 UTC
Have you looked at the 'oc can-i' command? You should be able to figure out if users can push.

AFAIK, the registry-viewer/editor roles do not allow listing all images in the cluster (only cluster-admin can).

Comment 2 Martin Pitt 2017-02-08 09:09:15 UTC
Indeed, "oc policy can-i update imagestreamimages" seems to do what I want. Many thanks for your help!
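The approach the thread settles on, as an added example that is not part of the bug report or of Cockpit: instead of trying to read role bindings (which the report shows a non-admin cannot list), ask the API server directly with `oc policy can-i` and derive the UI hints from the answer. The page only confirms `update imagestreamimages` as the push check; mapping pull to `get imagestreamimages`, and the `OC` override variable, are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the bug report. Decides which registry hints a UI
# should show by asking the server whether the current user may perform the
# verb, which works for non-admins where listing rolebindings does not.
# OC may point at another oc binary (assumption); default is "oc" on PATH.

# can_i VERB RESOURCE -> prints "yes" or "no", normalised from oc's output
can_i() {
    "${OC:-oc}" policy can-i "$1" "$2" 2>/dev/null \
        | tr -d '[:space:]' | tr 'A-Z' 'a-z'
}

# registry_caps -> prints "pull", "push", "pull push" or nothing.
# Push is checked with the verb/resource confirmed in comment 2;
# the pull mapping (get imagestreamimages) is an assumption.
registry_caps() {
    caps=""
    [ "$(can_i get imagestreamimages)" = "yes" ] && caps="$caps pull"
    [ "$(can_i update imagestreamimages)" = "yes" ] && caps="$caps push"
    printf '%s\n' "${caps# }"
}

# image_hints -> one hint per line; users without push rights never see
# the "docker tag" / "docker push" instructions that bug 1373448 is about.
image_hints() {
    case " $(registry_caps) " in
        *" push "*) printf '%s\n' "docker pull" "docker tag" "docker push" ;;
        *" pull "*) printf '%s\n' "docker pull" ;;
        *)          printf '%s\n' "no registry access" ;;
    esac
}
```

Run `image_hints` while logged in as pulluser and as pushuser from the reproduction steps to see the two different hint sets.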