Bug 1496753
| Summary: | Viewer could not get serviceinstance | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Yadan Pei <yapei> |
| Component: | Service Broker | Assignee: | Jeff Peeler <jpeeler> |
| Status: | CLOSED ERRATA | QA Contact: | Yadan Pei <yapei> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.7.0 | CC: | aos-bugs, bparees, gmontero, jminter, pmorie, spadgett, wmeng, wzheng, xtian, yapei |
| Target Milestone: | --- | | |
| Target Release: | 3.7.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-11-28 22:13:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:
Cause: RBAC rules were not set up properly for the view role.
Consequence: Any user with the view role could not get/list/watch any serviceinstances.
Fix: Add the proper RBAC rules to the view role.
Result: Any user with the view role can now access serviceinstances as expected.
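The Doc Text above says the view role lacked RBAC rules for serviceinstances. The following is an added example (not code from this bug, from origin, or from the service catalog) that models how RBAC rule matching produces that Forbidden error and why the fix is a new rule scoped to the servicecatalog.k8s.io API group rather than a widening of any existing rule. The rule lists `ViewRoleBefore` and `ServiceCatalogViewRule`, the helper names, and the rendered messages are constructed for illustration; only the verbs, resources and group named in the bug (get/list/watch on serviceinstances and servicebindings in servicecatalog.k8s.io) come from the page.

```go
package main

import "fmt"

// PolicyRule is the shape of a Kubernetes/OpenShift RBAC rule: the verbs a
// subject may perform on the named resources of the named API groups.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Request is the triple the authorizer matches against each rule.
type Request struct {
	Verb     string
	APIGroup string // "" is the core group (pods, services, configmaps, ...)
	Resource string
}

// matches treats "*" as a wildcard, as RBAC does.
func matches(allowed []string, want string) bool {
	for _, a := range allowed {
		if a == "*" || a == want {
			return true
		}
	}
	return false
}

// RuleAllows requires every dimension of the request to be covered by the
// same rule. A rule never grants anything in an API group it does not name,
// so a core-group wildcard still says nothing about servicecatalog.k8s.io.
// This models the core of RBAC matching; resourceNames, subresources and
// non-resource URLs are deliberately left out.
func RuleAllows(r PolicyRule, req Request) bool {
	return matches(r.Verbs, req.Verb) &&
		matches(r.APIGroups, req.APIGroup) &&
		matches(r.Resources, req.Resource)
}

// RoleAllows is the usual disjunction over a role's rules.
func RoleAllows(rules []PolicyRule, req Request) bool {
	for _, r := range rules {
		if RuleAllows(r, req) {
			return true
		}
	}
	return false
}

// ViewRoleBefore is a constructed stand-in for the pre-fix view role: it can
// read workload resources in the core and apps groups and is silent about
// servicecatalog.k8s.io. It is NOT the rule list shipped in origin.
var ViewRoleBefore = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"pods", "services", "configmaps"}, Verbs: []string{"get", "list", "watch"}},
	{APIGroups: []string{"apps"}, Resources: []string{"deployments", "replicasets"}, Verbs: []string{"get", "list", "watch"}},
}

// ServiceCatalogViewRule is the rule the bug's fix adds: read-only access to
// serviceinstances and servicebindings in the servicecatalog.k8s.io group.
var ServiceCatalogViewRule = PolicyRule{
	APIGroups: []string{"servicecatalog.k8s.io"},
	Resources: []string{"serviceinstances", "servicebindings"},
	Verbs:     []string{"get", "list", "watch"},
}

// ViewRoleAfter returns a fresh copy of the role with the fix applied,
// leaving ViewRoleBefore untouched.
func ViewRoleAfter() []PolicyRule {
	out := make([]PolicyRule, 0, len(ViewRoleBefore)+1)
	out = append(out, ViewRoleBefore...)
	return append(out, ServiceCatalogViewRule)
}

// Decide renders the decision in the style of the apiserver's Forbidden
// message quoted in the bug (a constructed rendering, not the real code path).
func Decide(rules []PolicyRule, user, namespace string, req Request) string {
	fq := req.Resource
	if req.APIGroup != "" {
		fq += "." + req.APIGroup
	}
	if RoleAllows(rules, req) {
		return fmt.Sprintf("User %q can %s %s in the namespace %q", user, req.Verb, fq, namespace)
	}
	return fmt.Sprintf("User %q cannot %s %s in the namespace %q", user, req.Verb, fq, namespace)
}

func main() {
	list := Request{Verb: "list", APIGroup: "servicecatalog.k8s.io", Resource: "serviceinstances"}
	del := Request{Verb: "delete", APIGroup: "servicecatalog.k8s.io", Resource: "serviceinstances"}
	fmt.Println("before:", Decide(ViewRoleBefore, "yapeiview", "yapei-test", list))
	fmt.Println("after: ", Decide(ViewRoleAfter(), "yapeiview", "yapei-test", list))
	fmt.Println("after: ", Decide(ViewRoleAfter(), "yapeiview", "yapei-test", del))
}
```

The point to carry over to a real cluster: the fix grants exactly get/list/watch, so a viewer still cannot create, update or delete instances or bindings, and the grant has to name the servicecatalog.k8s.io group explicitly. On a live cluster the same question is answered by impersonation, e.g. `oc auth can-i list serviceinstances.servicecatalog.k8s.io -n yapei-test --as=yapeiview`, which is how a QA step like the one in this bug can be scripted instead of logging in as the second user.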
Description
Yadan Pei
2017-09-28 09:43:55 UTC
Related issue: https://github.com/openshift/origin/issues/16585

Since Simo was assigned 16585, assigning this bugzilla to him as well. We'll let him decide if we need to carry both issues (they seem to be the same root cause on the surface). Or reassign if I have misread things :-) CC:ing a few potentially interested parties as well.

Reassigning; this is Service Catalog territory.

Paul, this is blocking acceptance of a 3.7 trello card. Can you find someone to make these changes?

This should actually be fixed in master now.

Checked on v3.7.0-0.143.3

    brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-service-catalog   v3.7   3327e47e8acc   18 hours ago   348.2 MB

1. User "yapei" provisions a service successfully in project/yapei-test

        # oc get serviceinstance -n yapei-test
        NAME                       KIND
        dh-hello-world-apb-m1kqw   ServiceInstance.v1alpha1.servicecatalog.k8s.io

2. Add the view role to user "yapeiview" on project/yapei-test

        # oc get rolebinding -n yapei-test
        NAME   ROLE    USERS       GROUPS   SERVICE ACCOUNTS   SUBJECTS
        view   /view   yapeiview

3. User "yapeiview" logs in and checks the serviceinstance

        # oc login --server=<server>
        ......
        Username: yapeiview
        Password:
        Login successful.

        You have one project on this server: "yapei-test"

        Using project "yapei-test".
        Welcome! See 'oc help' to get started.

        # oc get serviceinstance
        Error from server (Forbidden): User "yapeiview" cannot list serviceinstances.servicecatalog.k8s.io in the namespace "yapei-test": User "yapeiview" cannot list serviceinstances.servicecatalog.k8s.io in project "yapei-test" (get serviceinstances.servicecatalog.k8s.io)

The issue still reproduces, assigning back.

Apologies; I realize now that I have misunderstood this bug. Jeff, we will need to add code to pkg/oc/bootstrap/docker/openshift/servicecatalog.go that alters the view role to add list/get/watch permissions on serviceinstances and servicebindings.

PR has been merged.

Waiting for the fix in bug 1506976 to be merged to verify this bug.

Checked on v3.7.0-0.190.0

    registry.reg-aws.openshift.com:443/openshift3/ose-service-catalog   v3.7.0-0.190.0   2a40aff211de   16 hours ago   266 MB

A user with the 'view' role could watch ServiceInstances in the web console and CLI.

    $ oc policy add-role-to-user view <user> -n <project>

Move to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188