Bug 1569348

Summary: [atomic registry] support to add role to service account as member
Product: OpenShift Container Platform
Component: Registry Console
Reporter: Xingxing Xia <xxia>
Assignee: Martin Pitt <mpitt>
QA Contact: Yanping Zhang <yanpzhan>
CC: aos-bugs, mpitt, smunilla, yapei
Status: CLOSED ERRATA
Severity: low
Priority: medium
Version: 3.10.0
Target Release: 3.10.z
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug
Last Closed: 2018-09-22 04:55:14 UTC

Description Xingxing Xia 2018-04-19 06:26:24 UTC
Description of problem:
On the registry console, adding a role to a service account, e.g. system:serviceaccount:xxia-proj:default, prompts 'member name contains invalid characters'. It should support service accounts.

Version-Release number of selected component (if applicable):
cockpit 154

How reproducible:
Always

Steps to Reproduce:
1. On registry console, create project. Click nav menu 'Projects', select the project, click 'Add Member'.

2. In the dialogue, input system:serviceaccount:xxia-proj-2:default and select role Pull, click 'Add'


Actual results:
2. It prompts:
The member name contains invalid characters. Only letters, numbers, spaces and the following symbols are allowed: , = @ . _

Expected results:
2. It should support adding service account

Additional info:

Comment 1 Martin Pitt 2018-04-24 07:43:10 UTC
Upstream PR to fix this: https://github.com/cockpit-project/cockpit/pull/9033
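
The rejection described in the bug description, as an added example that is not part of the original report and is not Cockpit's code or the upstream fix: it shows which characters of a service account subject fall outside the allowlist quoted in the error message, and one way to admit such subjects with a strict structural check instead of widening the character set. LEGACY_ALLOWED is reconstructed from the error text and is an assumption, as are the function names; the namespace and account rules are the Kubernetes DNS-1123 label and subdomain rules.

```javascript
// Added example, not Cockpit's code. LEGACY_ALLOWED is reconstructed from the
// error message quoted in this report; the real pattern may differ.
const LEGACY_ALLOWED = /^[A-Za-z0-9 ,=@._]+$/;

// Kubernetes naming rules: a namespace is a DNS-1123 label (max 63 chars),
// a service account name is a DNS-1123 subdomain (max 253 chars).
const DNS_LABEL = /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/;
const DNS_SUBDOMAIN = /^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$/;
const SA_PREFIX = "system:serviceaccount:";

// Distinct characters that the legacy allowlist rejects, in order of appearance.
function rejectedChars(name) {
    return [...new Set([...name].filter(c => !LEGACY_ALLOWED.test(c)))];
}

// Classify a member name as a service account, a plain user/group name, or invalid.
function classifyMember(name) {
    if (name.startsWith(SA_PREFIX)) {
        const parts = name.slice(SA_PREFIX.length).split(":");
        if (parts.length !== 2)
            return { kind: "invalid", reason: "expected system:serviceaccount:<namespace>:<name>" };
        const [namespace, account] = parts;
        if (namespace.length > 63 || !DNS_LABEL.test(namespace))
            return { kind: "invalid", reason: "namespace is not a DNS-1123 label" };
        if (account.length > 253 || !DNS_SUBDOMAIN.test(account))
            return { kind: "invalid", reason: "account is not a DNS-1123 subdomain" };
        return { kind: "serviceaccount", namespace, account };
    }
    if (LEGACY_ALLOWED.test(name))
        return { kind: "user", name };
    return { kind: "invalid", reason: "disallowed characters: " + rejectedChars(name).join(" ") };
}

// Sample inputs: the first two appear in this report, the third is constructed.
for (const n of ["yapei", "system:serviceaccount:xxia-proj-2:default",
                 "system:serviceaccount:Bad_NS:default"])
    console.log(n, "->", JSON.stringify(classifyMember(n)));
```

Only the colon and hyphen in the reported name fall outside the quoted allowlist, and the structural check accepts them solely in the positions a service account subject allows.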

Comment 2 Martin Pitt 2018-04-25 08:59:57 UTC
Setting a tentative target release. Xingxing or anyone else, please adjust as you see fit.

Comment 4 Xingxing Xia 2018-05-16 08:21:48 UTC
Checked the latest registry console in OCP 3.10 env, issue still exists.
The env uses below image as registry console:
registry.reg...com:443/openshift3/registry-console              v3.10               eaca67e14beb        11 hours ago        243 MB

# oc rsh registry-console-1-phbmc rpm -qa | grep "cockpit"
cockpit-ws-155-1.el7.x86_64
cockpit-dashboard-165-3.el7.x86_64
cockpit-system-155-1.el7.noarch
cockpit-bridge-155-1.el7.x86_64
cockpit-kubernetes-155-1.el7.x86_64

Martin, it looks like the fix has not yet landed in the latest registry-console image; which version will it land in?

Comment 5 Martin Pitt 2018-05-23 07:13:46 UTC
@Xingxing: The fix is in upstream release 167.

Comment 6 Yanping Zhang 2018-07-04 08:47:27 UTC
Checked on OCP v3.10.12, the bug still exists.

Here is the related info about the registry console:
# docker images|grep registry-console
registry.reg-aws.openshift.com:443/openshift3/registry-console              v3.10               21a0d79b97e6        9 hours ago         255 MB

# oc rsh registry-console-1-v9c5f rpm -qa|grep cockpit
cockpit-bridge-155-1.el7.x86_64
cockpit-kubernetes-155-1.el7.x86_64
cockpit-ws-155-1.el7.x86_64
cockpit-dashboard-169-1.el7.x86_64
cockpit-system-155-1.el7.noarch

# rpm -qa|grep cockpit
cockpit-system-169-1.el7.noarch
cockpit-docker-169-1.el7.x86_64
cockpit-bridge-169-1.el7.x86_64
cockpit-ostree-169-1.el7.x86_64

@Martin, the package versions vary from 155 to 169; which cockpit package exactly is related to the bug? If none of the above packages contains the fix, could you please ask someone to prepare an OCP build containing the cockpit fix?

Comment 7 Martin Pitt 2018-07-04 09:45:15 UTC
@Yanping: The fix is in cockpit-kubernetes. You need version 167 or later, you have 155.

Comment 9 Yanping Zhang 2018-07-19 06:33:41 UTC
Checked on OCP v3.10.18, the bug still exists, and cockpit packages are still old versions.
# oc rsh registry-console-1-45qmh rpm -qa|grep cockpit
cockpit-ws-154-3.el7.x86_64
cockpit-dashboard-169-1.el7.x86_64
cockpit-system-154-3.el7.noarch
cockpit-bridge-154-3.el7.x86_64
cockpit-kubernetes-155-1.el7.x86_64

Samuel,
Could we remove this bug from advisory 33464, since no build contains the fix?

Comment 12 Yadan Pei 2018-07-24 02:54:16 UTC
The 3.10.14 going to ship in 33464 doesn't include cockpit-kubernetes >=167; we can't verify it now and need to drop this bug from the advisory.

Comment 17 Yadan Pei 2018-09-10 03:09:33 UTC
1. Create project "yapei-test"
2. Projects -> Add Member -> Add Pull role to serviceaccount system:serviceaccount:yapei-test:default
3. Check if rolebinding is added
# oc get rolebinding -n yapei-test
NAME                    ROLE                    USERS                                    GROUPS                            SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  yapei                                                                                         
registry-admin          /registry-admin         yapei                                                                                         
registry-viewer         /registry-viewer        system:serviceaccount:yapei-test:default                                                        


The role was added to the serviceaccount successfully.

Verified on openshift v3.11.0-0.32.0 and cockpit 176

# oc rsh -n default registry-console-1-v5pqm
sh-4.2$ rpm -qa | grep cockpit
cockpit-bridge-176-2.el7.x86_64
cockpit-kubernetes-176-2.el7.x86_64
cockpit-ws-176-2.el7.x86_64
cockpit-dashboard-176-2.el7.x86_64
cockpit-system-176-2.el7.noarch

Comment 19 errata-xmlrpc 2018-09-22 04:55:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2660