Bug 1506976
| Field | Value |
|---|---|
| Summary | [TSB] Cannot see resources in webconsole after provision a template to an un-owned project which only have view and create/list/get/delete serviceinstance role granted |
| Product | OpenShift Container Platform |
| Component | Service Broker |
| Version | 3.7.0 |
| Reporter | Wenjing Zheng <wzheng> |
| Assignee | Matthew Staebler <mstaeble> |
| QA Contact | Wenjing Zheng <wzheng> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| CC | aos-bugs, bparees, eparis, gmontero, jforrest, jokerman, mmccomas, pmorie, xiuwang |
| Target Milestone | --- |
| Target Release | 3.7.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | No Doc Update |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2017-11-28 22:20:01 UTC |
Description
Wenjing Zheng
2017-10-27 10:11:39 UTC
Below scenario also has met this issue. UserA has view role to project C which is owned by userB. Then userA can't see provision resources in projectC in web console.

This is either a security bug or a web console bug. I don't think it's likely specific to the service catalog resources (though it may be specific to the service catalog flows through the web console). Going to start it w/ the web console and let them take it from there, but adding Paul Morie just in case.

I can't reproduce. I see this error when I try to provision:

Error MariaDB (Persistent) failed to provision in roles. Error provisioning ServiceInstance of ClusterServiceClass (K8S: "f1541bee-bb26-11e7-b4f6-ba7715b40875" ExternalName: "mariadb-persistent") at ClusterServiceBroker "template-service-broker": Status: 403; ErrorMessage: <nil>; Description: templateinstances.template.openshift.io "0ef3e752-551e-4414-998c-4f6073e414b3" is forbidden: User "tsb-test" cannot create templateinstances.template.openshift.io in project "roles"; ResponseError: <nil>

When I go to the project overview, I see the provisioned service immediately, however.

Created attachment 1344522 [details]
Provisioned service is visible immediately

The provision failed, but I can see the service immediately.

I am running cluster up, however, so this might be specific to the catalog installed via the ansible installation.

We check if the user can watch serviceinstances. It looks like the view role cannot watch serviceinstances in an ansible install. https://github.com/openshift/origin-web-console/blob/master/app/scripts/controllers/overview.js#L1341

Matthew- It looks like the view roles need to be updated in the installer, similar to https://github.com/openshift/origin/pull/16872 . Would you take a look?

I am somewhat confused about what we want to do with this bug. As far as I can tell, the issue is that the role created in the Step 5 requires "watch" permissions for ServiceInstances, because the web console verifies that the user has the "watch" permission before fetching the ServiceInstances. So, which of the following is the underlying issue here that needs to be addressed?

1) The steps to set up the role for the other user are missing the "watch" permission.
2) The user should not have to add a special service catalog role to give another user permission. The permissions should be included automatically as part of the view role on the project.
3) The web console should not rely on the user having "watch" permission on ServiceInstances.

A user with View permission on a project should have watch on service instances. The View role is not getting updated correctly by the ansible installer.

Verified with below version:
openshift v3.7.0-0.190.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8
Can create serviceinstance and see it immediately in web console with steps in description.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
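The gating step the comments describe (the console only fetches ServiceInstances if the user can watch them), as an added example that is not from this bug or from OpenShift's code: a small evaluator of Kubernetes-style RBAC PolicyRules, run against a constructed role mirroring the summary's view plus create/list/get/delete grant and against a corrected copy that adds watch. The rule shapes, role contents and helper names are assumptions for illustration.

```python
# Added example, not OpenShift's own code: a minimal RBAC PolicyRule matcher
# used to show why a role granting create/list/get/delete on serviceinstances
# still fails a "can I watch serviceinstances?" check.

API_GROUP = "servicecatalog.k8s.io"

def rule_matches(rule, group, resource, verb):
    """True if one PolicyRule grants `verb` on group/resource.
    '*' in any field matches everything, as in Kubernetes RBAC."""
    groups = rule.get("apiGroups", [""])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))

def allowed(rules, group, resource, verb):
    """RBAC is purely additive: any single matching rule is enough."""
    return any(rule_matches(r, group, resource, verb) for r in rules)

# Constructed role mirroring the bug summary: a view-style grant on core
# resources plus create/list/get/delete on serviceinstances, but no watch.
VIEW_PLUS_CRUD = [
    {"apiGroups": [""], "resources": ["pods", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [API_GROUP], "resources": ["serviceinstances"],
     "verbs": ["create", "list", "get", "delete"]},
]

# Corrected role: same grant with watch added, the direction the comments
# give for the installer's view role.
VIEW_PLUS_WATCH = VIEW_PLUS_CRUD[:1] + [
    {"apiGroups": [API_GROUP], "resources": ["serviceinstances"],
     "verbs": ["create", "list", "get", "delete", "watch"]},
]

def console_would_show_instances(rules):
    """Mirrors the console's check from the comments: ServiceInstances are
    only fetched when the user can watch them, so list alone is not enough."""
    return allowed(rules, API_GROUP, "serviceinstances", "watch")

def missing_verbs(rules, group, resource, wanted=("get", "list", "watch")):
    """List the read verbs a role lacks on a resource, to audit view-style
    roles for the watch gap this bug describes."""
    return [v for v in wanted if not allowed(rules, group, resource, v)]

if __name__ == "__main__":
    for name, rules in (("view+crud", VIEW_PLUS_CRUD), ("view+watch", VIEW_PLUS_WATCH)):
        print(name, "visible:", console_would_show_instances(rules),
              "missing:", missing_verbs(rules, API_GROUP, "serviceinstances"))
```

On a live cluster the same question is what `oc policy can-i watch serviceinstances` answers for the logged-in user in the project.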