Bug 1538732

Summary: Broker does not respect scopes or groups of a user when determining access to run APB
Product: OpenShift Container Platform Reporter: Shawn Hurley <shurley>
Component: Service BrokerAssignee: Shawn Hurley <shurley>
Status: CLOSED ERRATA QA Contact: Zhang Cheng <chezhang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.9.0CC: aos-bugs, chezhang, wjiang, xtian
Target Milestone: ---   
Target Release: 3.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: ASB was not passing extra scopes to the subject rules review. Consequence: The limitation of scopes to not be respected. Fix: Send scopes to subject rules review Result:
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-28 14:22:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Shawn Hurley 2018-01-25 17:10:25 UTC 
Description of problem:
The broker does not take into account the groups a user is a member of when determining the permissions and will deny them even if they have access.

The broker does not take into account the scopes of a user when determining the permissions and could allow a user to execute even if they do not have full access. 


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Create user with no permissions but a member of a group that has admin access to the namespace
2. Provision app into the namespace
3. ASB will deny the user.

1. Create user with cluster-role admin but limit the scope to a namespace
2. Provision app into another namespace
3. ASB will allow the user to provision the app

Actual results:


Expected results:
The ASB should respect the correct permissions.

Additional info:
Comment 1 Shawn Hurley 2018-01-30 15:51:28 UTC 
Fixed in PRs:

https://github.com/openshift/ansible-service-broker/pull/696 for version 1.0
https://github.com/openshift/ansible-service-broker/pull/694 for version 1.1
https://github.com/openshift/ansible-service-broker/pull/693 for canary and latest version.
Comment 3 Zhang Cheng 2018-02-04 11:46:27 UTC 
Changing status to "MODIFIED" since downstream image not ready for test.
Comment 4 Zhang Cheng 2018-02-06 05:55:34 UTC 
PR #694 was merged in 1.1.9, and downstream image ready for test. Changing status to ON_QA
Comment 8 errata-xmlrpc 2018-03-28 14:22:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489