Bug 1509558

Summary: Ordinary users can't describe or update the broker they created
Product: OpenShift Container Platform
Reporter: Qixuan Wang <qixuan.wang>
Component: Service Broker
Assignee: Jay Boyd <jaboyd>
Status: CLOSED NOTABUG
QA Contact: Qixuan Wang <qixuan.wang>
Severity: medium
Priority: medium
Version: 3.7.0
CC: aos-bugs, pmorie, qixuan.wang
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-11-07 10:21:22 UTC
Type: Bug

Description Qixuan Wang 2017-11-04 17:10:16 UTC
Description of problem:
Ordinary users can't describe or update the broker they created if they log in with the command "oc login -u user --server=xxx:port". The message is:
the provided version "servicecatalog.k8s.io/v1beta1" has no relevant versions: group servicecatalog.k8s.io has not been registered
no matches for servicecatalog.k8s.io/, Kind=ClusterServiceBroker


Version-Release number of selected component (if applicable):
openshift v3.7.0-0.191.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8
registry.reg-aws.openshift.com:443/openshift3/ose-service-catalog:v3.7.0-0.191.0

How reproducible:
Always

Steps to Reproduce:
1. Log in as the ordinary user user1
# oc login -u atestuser1 --server=xxx:port
# oc new-project atestproject1
# oc get secrets

2. Log in as system admin and create the broker role
# oc login -u system:admin
# oc create -f broker-role.yaml
# cat broker-role.yaml
apiVersion: v1
kind: ClusterRole
metadata:
  name: clusterservicebroker-admin
rules:
- apiGroups:
  - servicecatalog.k8s.io
  attributeRestrictions: null
  resources:
  - clusterservicebrokers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

3. Add the role to the ordinary user user1
# oc adm policy add-cluster-role-to-user clusterservicebroker-admin atestuser1
# oc admin policy who-can create clusterservicebrokers

4. User1 can create a broker with its auth secret
# oc login -u atestuser1 --server=xxx:port
# oc policy can-i create clusterservicebrokers
# oc create -f broker.yaml
# cat broker.yaml
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ClusterServiceBroker
metadata:
  name: abroker
spec:
  url: http://abroker.svc.cluster.local
  authInfo:
    bearer:
      secretRef:
        namespace: atestproject1
        name: default-token-8kcsh
[Note] Choose one of the secrets in atestproject1 as the secretRef name here

5. Update the broker with another of user1's secrets (e.g. default-token-4dmfd in atestproject1)
# oc edit clusterservicebroker abroker

6. Log in to the master directly as user1 and describe/update the broker with another of user1's secrets.
# ssh master
# oc login -u atestuser1


Actual results:
1. [root@qwang_laptop qwang]# oc get secret -n atestproject1
NAME                       TYPE                                  DATA      AGE
builder-dockercfg-q22cd    kubernetes.io/dockercfg               1         30m
builder-token-5mlkn        kubernetes.io/service-account-token   4         30m
builder-token-bbp5h        kubernetes.io/service-account-token   4         30m
default-dockercfg-c8xvj    kubernetes.io/dockercfg               1         30m
default-token-4dmfd        kubernetes.io/service-account-token   4         30m
default-token-8kcsh        kubernetes.io/service-account-token   4         30m
deployer-dockercfg-jfbzg   kubernetes.io/dockercfg               1         30m
deployer-token-frspw       kubernetes.io/service-account-token   4         30m
deployer-token-gsz8k       kubernetes.io/service-account-token   4         30m

4. [root@qwang_laptop qwang]# oc create -f broker.yaml 
clusterservicebroker "abroker" created

[root@qwang_laptop qwang]# oc get clusterservicebroker
NAME                     KIND
abroker                  ClusterServiceBroker.v1beta1.servicecatalog.k8s.io
ansible-service-broker   ClusterServiceBroker.v1beta1.servicecatalog.k8s.io

5. [root@qwang_laptop qwang]# oc edit clusterservicebroker abroker
the provided version "servicecatalog.k8s.io/v1beta1" has no relevant versions: group servicecatalog.k8s.io has not been registered
no matches for servicecatalog.k8s.io/, Kind=ClusterServiceBroker

[root@qwang_laptop qwang]# oc describe clusterservicebroker abroker
the provided version "servicecatalog.k8s.io/v1beta1" has no relevant versions: group servicecatalog.k8s.io has not been registered
no matches for servicecatalog.k8s.io/, Kind=ClusterServiceBroker

6. User1 can describe/update the broker with another of user1's auth secrets successfully when logged in on the master.


Expected results:
5. User1 has access to its auth secret, so user1 can create and update the broker resource according to the ClusterRole.


Additional info:

Comment 1 Paul Morie 2017-11-06 15:27:52 UTC
Jeff, please take a look.  It looks to me like there is a problem either with registering the API group with the aggregator or with how the user logged in.

Comment 2 Paul Morie 2017-11-06 15:32:34 UTC
Jay, will you please take a look at this?

It might be an issue with using 'clusterservicebroker' instead of 'clusterservicebrokers' in the user's commands.

Comment 3 Jay Boyd 2017-11-06 20:04:18 UTC
I cannot reproduce this; it works correctly for me in my development deployment on Fedora.  Qixuan Wang, can you please provide details on what server you are connecting to with oc login?  Is it the same URL reported by 'oc cluster up'?  You must be connecting to the aggregator - not directly to the service catalog api server.

After doing oc login, please run 'oc get apiservices' and report back the output.

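The check Jay asks for in Comment 3, as an added example that is not part of the bug report or of OpenShift: a script that reads the output of `oc get apiservices -o json` and reports whether `v1beta1.servicecatalog.k8s.io` is registered with the aggregator and Available, so that "group servicecatalog.k8s.io has not been registered" can be attributed to the server side (not logged into the aggregator, or the catalog apiserver unreachable) or to the client. The three JSON samples are constructed in the shape of an `apiregistration.k8s.io` APIServiceList; the script name `catalog_apiservice_check.py` is an assumption.

```python
"""Triage check for "group servicecatalog.k8s.io has not been registered".

Added example, not code from the bug report or from OpenShift. Reads the JSON
produced by `oc get apiservices -o json` and classifies the state of the
service-catalog APIService. The samples below are constructed.
"""
import json
import sys

GROUP = "servicecatalog.k8s.io"
VERSION = "v1beta1"


def _apiservice(name, group, version, service, available, reason, message):
    """Build one APIService object in apiregistration.k8s.io shape (for samples)."""
    return {
        "apiVersion": "apiregistration.k8s.io/v1beta1",
        "kind": "APIService",
        "metadata": {"name": name},
        "spec": {"group": group, "version": version, "service": service},
        "status": {"conditions": [
            {"type": "Available", "status": "True" if available else "False",
             "reason": reason, "message": message},
        ]},
    }


CATALOG_SVC = {"name": "apiserver", "namespace": "kube-service-catalog"}
LOCAL_MSG = "Local APIServices are always available"

# Constructed: healthy cluster, catalog group registered and reachable.
SAMPLE_OK = json.dumps({"kind": "APIServiceList", "items": [
    _apiservice("v1.", "", "v1", None, True, "Local", LOCAL_MSG),
    _apiservice("v1beta1." + GROUP, GROUP, VERSION, CATALOG_SVC,
                True, "Passed", "all checks passed"),
]})

# Constructed: registered, but the aggregator cannot reach the catalog apiserver.
SAMPLE_UNAVAILABLE = json.dumps({"kind": "APIServiceList", "items": [
    _apiservice("v1beta1." + GROUP, GROUP, VERSION, CATALOG_SVC,
                False, "FailedDiscoveryCheck",
                "no response from https://172.30.1.2:443: "
                "dial tcp 172.30.1.2:443: getsockopt: connection refused"),
]})

# Constructed: no catalog APIService at all, e.g. oc is not talking to the aggregator.
SAMPLE_MISSING = json.dumps({"kind": "APIServiceList", "items": [
    _apiservice("v1.", "", "v1", None, True, "Local", LOCAL_MSG),
]})


def find_apiservice(apiservices_json, group=GROUP, version=VERSION):
    """Return the APIService item whose spec serves group/version, or None."""
    doc = json.loads(apiservices_json)
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        if spec.get("group") == group and spec.get("version") == version:
            return item
    return None


def availability(item):
    """Return (available, message) from the APIService's Available condition."""
    for cond in item.get("status", {}).get("conditions", []):
        if cond.get("type") == "Available":
            return cond.get("status") == "True", cond.get("message", "")
    return False, "no Available condition reported yet"


def diagnose(apiservices_json, group=GROUP, version=VERSION):
    """Classify the APIService state as (state, detail).

    "not-registered": no APIService for group/version, so discovery on the server
                      oc is logged into does not expose the group at all;
                      compare `oc whoami --show-server` with the master URL.
    "unavailable":    registered, but the aggregator's discovery check fails.
    "ok":             registered and Available; if oc still fails, suspect the
                      client (compare `oc version` client and server).
    """
    item = find_apiservice(apiservices_json, group, version)
    if item is None:
        return "not-registered", "no APIService named %s.%s" % (version, group)
    ok, msg = availability(item)
    svc = item["spec"].get("service") or {}
    backend = "%s/%s" % (svc.get("namespace"), svc.get("name")) if svc else "local"
    detail = "%s.%s backed by %s: %s" % (version, group, backend, msg)
    return ("ok" if ok else "unavailable"), detail


if __name__ == "__main__":
    # Usage: oc get apiservices -o json | python catalog_apiservice_check.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OK
    state, detail = diagnose(data)
    print("%s: %s" % (state, detail))
    sys.exit(0 if state == "ok" else 1)
```

Run it after `oc login` with `oc get apiservices -o json | python catalog_apiservice_check.py`. A `not-registered` result means the login target does not serve the aggregated group at all, which is the "connecting to the aggregator, not directly to the service catalog api server" question from Comment 3; `unavailable` means the aggregator knows the group but cannot reach the catalog apiserver, and the condition message says why; `ok` points back at the oc client, which is what an oc update resolved in Comment 4.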
Comment 4 Qixuan Wang 2017-11-07 10:21:22 UTC
With the new oc v3.7.0-0.196.0, I can't reproduce the bug, so I'm closing it.

[root@qwang_laptop qwang]# oc edit clusterservicebroker abroker
clusterservicebroker "abroker" edited

[root@qwang_laptop qwang]# oc describe clusterservicebroker abroker | grep -A6 Spec
Spec:
  Auth Info:
    Bearer:
      Secret Ref:
        Name:		default-token-zhqtb
        Namespace:	qwang1
  Relist Behavior:	Duration