Bug 1420247
| Summary: | Inconsistent message of web and CLI about adding role system:image-builder/system:deployer to serviceaccount of another project | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Yadan Pei <yapei> |
| Component: | Management Console | Assignee: | bpeterse |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Yadan Pei <yapei> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.5.0 | CC: | aos-bugs, jforrest, jokerman, mmccomas, spadgett, tdawson, xiaocwan |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-08 14:41:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Agree, the following should be true: - if current user does not have cluster-admin for the project, the system:image-builder should not be allowed to be granted (currently, cli is correct) - if current user does have cluster-admin for this project, the role system:image-builder should be allowed to be granted. PR coming to fix the web console shortly. PR open to fix: https://github.com/openshift/origin-web-console/pull/1229 This has been merged into ocp and is in OCP v3.5.0.19 or newer. Verified on v3.5.0.19+199197c with original steps when user does not have cluster-admin role When user does have cluster-admin role, web console shows 'The role "system:image-builder" was granted to "builder".' while CLI shows 'role "system:image-builder" added: "serviceaccount:test1:builder"'. Both could be accepted. |
Description of problem: Inconsistence of web and CLI about adding role system:image-builder/system:deployer to serviceaccount of another project Version-Release number of selected component (if applicable): v3.5.0.17+c55cf2b How reproducible: Always Steps to Reproduce: 1.Create project 'test1' and 'test2' 2.Grant serviceaccount:builder in 'test1' with system:image-builder role to project 'test2' Go to project 'test2' -> Membership -> Edit Membership -> Serviceaccounts tab -> Select test1/builder from Name -> Select system:image-builder from Role -> Click Add 3.Try to grant serviceaccount:builder in 'test1' with system:image-builder role to project 'test2' through CLI $ oc policy add-role-to-user system:image-builder serviceaccount:test1:builder -n test2 Actual results: 2. Give message after clicking Add: The role "system:image-builder" has already been granted to "builder" 3. Gives error message: $ oc policy add-role-to-user system:image-builder serviceaccount:test1:builder -n test2 Error from server (Forbidden): rolebinding "system:image-builders" is forbidden: user "yapei" cannot grant extra privileges: {Verbs:["update"], APIGroups:[""], Resources:["builds/details"]} Expected results: 2. Web console should give error output since we didn't add role "system:image-builder" to "test1:builder" successfully, also the error message should keep consistent with CLI Additional info: system:image-puller and system:image-pusher have no this problem. Giving system:image-builder to non-serviceaccount user has no this problem. The same problems happens when adding role system:deployer to service account CLI gives error message: $ oc policy add-role-to-user system:deployer serviceaccount:test1:deployer -n test2 Error from server (Forbidden): rolebinding "system:deployers" is forbidden: user "yapei" cannot grant extra privileges: {Verbs:["create"], APIGroups:[""], Resources:["events"]} While web console return successful message: The role "system:deployer" has already been granted to "deployer".