Bug 1550162

Summary: CLI 3.7 fails on OCP 3.6 using "oc new-app"
Product: OpenShift Container Platform
Reporter: Peter Larsen <plarsen>
Component: oc
Assignee: Juan Vallejo <jvallejo>
Status: CLOSED DUPLICATE
QA Contact: Xingxing Xia <xxia>
Severity: unspecified
Priority: unspecified
Version: 3.7.1
CC: aos-bugs, jokerman, mmccomas, rhowe
Last Closed: 2018-02-28 16:50:32 UTC
Type: Bug

Description Peter Larsen 2018-02-28 16:39:27 UTC
Description of problem:
When running as a "normal" user - a project admin (not cluster admin), access to image streams under -n openshift fails when using "oc new-app". 

$ oc new-app --name=dc-metro-map https://github.com/RedHatGov/openshift-workshops.git --context-dir=dc-metro-map
error: Error from server (Forbidden): User "ocp-peter" cannot list imagestreams.image.openshift.io in project "openshift"
error: only a partial match was found for "nodejs": "docker.io/readytalk/nodejs:latest"

The argument "nodejs" only partially matched the following Docker image, OpenShift image stream, or template:

* Docker image "docker.io/readytalk/nodejs:latest", 6bbe12d, from local, 274.381mb
  Use --docker-image="docker.io/readytalk/nodejs:latest" to specify this image or template


This same command succeeds when using a cluster admin (same project etc).

You can make the 3.7 CLI work if you make the following changes to the shared-resource-viewer in -n openshift:

$ oc get role shared-resource-viewer -o json
{
    "apiVersion": "v1",
    "kind": "Role",
    "metadata": {
        "annotations": {
            "openshift.io/reconcile-protect": "false"
        },
        "creationTimestamp": "2018-02-28T16:33:53Z",
        "name": "shared-resource-viewer",
        "namespace": "openshift",
        "resourceVersion": "276",
        "selfLink": "/oapi/v1/namespaces/openshift/roles/shared-resource-viewer",
        "uid": "2a506cea-1ca5-11e8-b5fa-54ee7586bd69"
    },
    "rules": [
        {
            "apiGroups": [
                "",
                "template.openshift.io"
            ],
            "attributeRestrictions": null,
            "resources": [
                "templates"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        },
        {
            "apiGroups": [
                "",
                "image.openshift.io"
            ],
            "attributeRestrictions": null,
            "resources": [
                "imagestreamimages",
                "imagestreams",
                "imagestreamtags"
            ],
            "verbs": [
                "get",
                "list",
                "watch"
            ]
        },
        {
            "apiGroups": [
                "",
                "image.openshift.io"
            ],
            "attributeRestrictions": null,
            "resources": [
                "imagestreams/layers"
            ],
            "verbs": [
                "get"
            ]
        }
    ]
}

This is the content of the object on 3.7 - on 3.6 the values are the same except for "apiGroup" which is missing on 3.6.

HOWEVER - setting this value makes the web-console fail with the same security error on 3.6 - this is not a viable work-around.  The only fix is to use CLI 3.6.1 or similar.

Version-Release number of selected component (if applicable):
$ oc version
oc v3.7.23
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://master.rhsademo.net:443
openshift v3.6.173.0.5
kubernetes v1.6.1+5115d708d7

How reproducible:
Every time

Steps to Reproduce:
1. Set up a standard 3.6 cluster - single node or single master - nothing advanced
2. Login as a NORMAL user (no special cluster rights)
3. Create an app based on https://github.com/RedHatGov/openshift-workshops.git (nodejs) - any stream will do, at least the ones I've tried.

Actual results:

You'll get an access denied error (see above)

Expected results:

Completed creation of "new-app" objects.

Additional info:
Have not tested against 3.5 - have not tried multiple 3.7 CLI versions.
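
Added example (not part of the original report, and not OpenShift code): a small offline check that lists which of the grants in the 3.7 shared-resource-viewer object a given Role JSON lacks, for both the legacy group "" and the named API group. The function names and the two sample roles are constructed here, and treating a rule without "apiGroups" as covering only the legacy group is an assumption.

```python
import json

# Grants in the 3.7 shared-resource-viewer object shown in the report.
REQUIRED = [
    ("template.openshift.io", "templates", ("get", "list", "watch")),
    ("image.openshift.io", "imagestreams", ("get", "list", "watch")),
    ("image.openshift.io", "imagestreamtags", ("get", "list", "watch")),
    ("image.openshift.io", "imagestreamimages", ("get", "list", "watch")),
    ("image.openshift.io", "imagestreams/layers", ("get",)),
]

def _matches(allowed, wanted):
    """RBAC list match: '*' allows anything, otherwise exact membership."""
    return "*" in allowed or wanted in allowed

def rule_allows(rule, group, resource, verb):
    # Assumption: a rule without "apiGroups" covers only the legacy group "".
    groups = rule.get("apiGroups") or [""]
    return (_matches(groups, group)
            and _matches(rule.get("resources") or [], resource)
            and _matches(rule.get("verbs") or [], verb))

def missing_grants(role):
    """Return sorted (group, resource, verb) tuples the role does not grant."""
    rules = role.get("rules") or []
    missing = []
    for named_group, resource, verbs in REQUIRED:
        for group in ("", named_group):  # legacy path and group-qualified path
            for verb in verbs:
                if not any(rule_allows(r, group, resource, verb) for r in rules):
                    missing.append((group, resource, verb))
    return sorted(missing)

# Constructed sample: rules as the report describes them on 3.6 (no apiGroups).
ROLE_36 = json.loads("""{"kind": "Role", "rules": [
  {"resources": ["templates"], "verbs": ["get", "list", "watch"]},
  {"resources": ["imagestreamimages", "imagestreams", "imagestreamtags"],
   "verbs": ["get", "list", "watch"]},
  {"resources": ["imagestreams/layers"], "verbs": ["get"]}]}""")

# Constructed sample: the same rules with the apiGroups lists of the 3.7 object.
_GROUPS = ["template.openshift.io", "image.openshift.io", "image.openshift.io"]
ROLE_37 = {"kind": "Role", "rules": [dict(r, apiGroups=["", g])
                                     for r, g in zip(ROLE_36["rules"], _GROUPS)]}

if __name__ == "__main__":
    for name, role in (("3.6-style", ROLE_36), ("3.7-style", ROLE_37)):
        print(name, "missing:", missing_grants(role))
```

To check a real cluster, pass the parsed output of the `oc get role shared-resource-viewer -o json` command shown above to `missing_grants`.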

Comment 1 Ryan Howe 2018-02-28 16:47:52 UTC
Looks to be a dup of this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1493213

With a fix outlined here. 

https://github.com/openshift/origin/pull/16465#issuecomment-331203378

Comment 2 Ryan Howe 2018-02-28 16:49:18 UTC
PR that was merged to fix this via the installer. 
   https://github.com/openshift/openshift-ansible/pull/5617

Comment 3 Ryan Howe 2018-02-28 16:50:32 UTC

*** This bug has been marked as a duplicate of bug 1493213 ***