Bug 1578319

Summary: _apb_last_requesting_user should be in "--extra-vars" while unbinding
Product: OpenShift Container Platform
Reporter: Zhang Cheng <chezhang>
Component: Service Broker
Assignee: Jesus M. Rodriguez <jesusr>
Status: CLOSED ERRATA
QA Contact: Zhang Cheng <chezhang>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.10.0
CC: aos-bugs, jesusr, jiazha, jmatthew, zhsun, zitang
Target Milestone: ---   
Target Release: 3.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Automation Broker will now send the last requesting user to the Ansible Playbook Bundles (APB). Reason: Some APBs perform access checks based on the request user. Result: APBs can now see the user that requested the action. They are free to use it for additional authorization checks or simply ignore it if they do not need it.
Last Closed: 2018-07-30 19:15:30 UTC
Type: Bug

Description Zhang Cheng 2018-05-15 09:19:54 UTC
Description of problem: 
_apb_last_requesting_user is missing from "--extra-vars" while unbinding, but it is present while provision/binding/update/deprovision.


service-catalog & asb image using images from brew registry:
service catalog v3.10.0-0.41.0;Upstream:v0.1.18
asb: 1.2.11


How reproducible:
Always


Steps to Reproduce:
1. Deploy service-catalog & ansible-service-broker in OCP cluster.
2. Set "keep_namespace: true" and "launch_apb_on_bind: true" in broker config.
   openshift:
     keep_namespace: true
   broker:
     launch_apb_on_bind: true
3. Provision MongoDB APB from web console
4. Create a servicebinding from web console (it should fail here since there is a known bug 1533425)
5. Delete the servicebinding from web console
6. Check logs of pod in transient namespace


Actual results:  
6. No _apb_last_requesting_user in "--extra-vars" while unbinding
# oc logs apb-60e8642d-2503-4268-baae-f61e0da65b71
+ [[ unbind --extra-vars {"_apb_provision_creds":{"DB_HOST":"mongodb","DB_NAME":"sampledb","DB_PASSWORD":"password","DB_PORT":27017,"DB_TYPE":"mongodb","DB_USER":"username"},"cluster":"openshift","namespace":"test1","provision_params":{"MONGODB_ADMIN_PASSWORD":"admin","MONGODB_DATABASE":"sampledb","MONGODB_DATA_STORAGE_SIZE":1,"MONGODB_IMAGE_TAG":"latest","MONGODB_MEMORY_LIMIT":"512Mi","MONGODB_PASSWORD":"password","MONGODB_USER":"username","MONGODB_VERSION":"3.4","USE_UPSTREAM_IMAGES":false,"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"e941924b-5817-11e8-91f9-0a580a800003"}} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]
+ ACTION=unbind


Expected results: 
6. Should have _apb_last_requesting_user in "--extra-vars" while unbinding


Additional info:
Provision/binding/deprovision looks good to me:
+ [[ provision --extra-vars {"MONGODB_ADMIN_PASSWORD":"admin","MONGODB_DATABASE":"sampledb","MONGODB_DATA_STORAGE_SIZE":1,"MONGODB_IMAGE_TAG":"latest","MONGODB_MEMORY_LIMIT":"512Mi","MONGODB_PASSWORD":"password","MONGODB_USER":"username","MONGODB_VERSION":"3.4","USE_UPSTREAM_IMAGES":false,"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"2bd1352a-581a-11e8-91f9-0a580a800003","cluster":"openshift","namespace":"test2"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]

+ [[ bind --extra-vars {"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_provision_creds":{"DB_HOST":"mongodb","DB_NAME":"sampledb","DB_PASSWORD":"password","DB_PORT":27017,"DB_TYPE":"mongodb","DB_USER":"username"},"_apb_service_binding_id":"3e373bbb-5818-11e8-91f9-0a580a800003","_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"e941924b-5817-11e8-91f9-0a580a800003","cluster":"openshift","namespace":"test1"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]

+ [[ deprovision --extra-vars {"MONGODB_ADMIN_PASSWORD":"admin","MONGODB_DATABASE":"sampledb","MONGODB_DATA_STORAGE_SIZE":1,"MONGODB_IMAGE_TAG":"latest","MONGODB_MEMORY_LIMIT":"512Mi","MONGODB_PASSWORD":"password","MONGODB_USER":"username","MONGODB_VERSION":"3.4","USE_UPSTREAM_IMAGES":false,"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_provision_creds":{"DB_HOST":"mongodb","DB_NAME":"sampledb","DB_PASSWORD":"password","DB_PORT":27017,"DB_TYPE":"mongodb","DB_USER":"username"},"_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"2bd1352a-581a-11e8-91f9-0a580a800003","cluster":"openshift","namespace":"test2"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]
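
A check for the trace lines in the description above, as an added example that is not part of the original report or the broker's code: it parses each `+ [[ <action> --extra-vars {...} ...` line and reports whether `_apb_last_requesting_user` is passed at the top level or only inside `provision_params`, which matters because an APB that authorizes on the requesting user reads the top-level variable. The function names (`parse_trace`, `locate_user`, `audit`) are hypothetical and the sample lines are constructed, abridged from the log lines in the report.

```python
import json
import re

USER_KEY = "_apb_last_requesting_user"
# Trace line shape seen in the pod logs: + [[ <action> --extra-vars <json> == ... ]]
TRACE = re.compile(r"^\+ \[\[ (?P<action>\w+) --extra-vars (?P<rest>\{.*)$")

# Constructed samples, abridged from the log lines in the report.
SAMPLE_LOG = [
    r'+ [[ bind --extra-vars {"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","cluster":"openshift","namespace":"test1"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]',
    r'+ [[ unbind --extra-vars {"cluster":"openshift","namespace":"test1","provision_params":{"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral"}} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]',
    "+ ACTION=unbind",
]


def parse_trace(line):
    """Return (action, extra_vars) for a trace line, or None if it is not one."""
    m = TRACE.match(line.strip())
    if not m:
        return None
    # raw_decode stops after the first JSON value, so the trailing
    # shell pattern and closing brackets never reach the JSON parser.
    extra_vars, _ = json.JSONDecoder().raw_decode(m.group("rest"))
    return m.group("action"), extra_vars


def locate_user(extra_vars):
    """Say where the requesting user sits in one --extra-vars payload."""
    if USER_KEY in extra_vars:
        return "top-level"
    nested = extra_vars.get("provision_params")
    if isinstance(nested, dict) and USER_KEY in nested:
        return "nested-only"  # the symptom reported for unbind
    return "missing"


def audit(lines):
    """Return [(action, location)] for every trace line in the log."""
    findings = []
    for line in lines:
        parsed = parse_trace(line)
        if parsed is not None:
            action, extra_vars = parsed
            findings.append((action, locate_user(extra_vars)))
    return findings


if __name__ == "__main__":
    for action, location in audit(SAMPLE_LOG):
        print(f"{action}: {USER_KEY} is {location}")
```
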

Comment 1 Michael Hrivnak 2018-05-15 20:12:07 UTC
Changing the formatting, here is a comparison of unbind vs. deprovision:


### Unbind
{
    "_apb_provision_creds": {
        "DB_HOST": "mongodb",
        "DB_NAME": "sampledb",
        "DB_PASSWORD": "password",
        "DB_PORT": 27017,
        "DB_TYPE": "mongodb",
        "DB_USER": "username"
    },
    "cluster": "openshift",
    "namespace": "test1",
    "provision_params": {
        "MONGODB_ADMIN_PASSWORD": "admin",
        "MONGODB_DATABASE": "sampledb",
        "MONGODB_DATA_STORAGE_SIZE": 1,
        "MONGODB_IMAGE_TAG": "latest",
        "MONGODB_MEMORY_LIMIT": "512Mi",
        "MONGODB_PASSWORD": "password",
        "MONGODB_USER": "username",
        "MONGODB_VERSION": "3.4",
        "USE_UPSTREAM_IMAGES": false,
        "_apb_last_requesting_user": "chezhang",
        "_apb_plan_id": "ephemeral",
        "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
        "_apb_service_instance_id": "e941924b-5817-11e8-91f9-0a580a800003"
    }
}

### Deprovision
{
    "MONGODB_ADMIN_PASSWORD": "admin",
    "MONGODB_DATABASE": "sampledb",
    "MONGODB_DATA_STORAGE_SIZE": 1,
    "MONGODB_IMAGE_TAG": "latest",
    "MONGODB_MEMORY_LIMIT": "512Mi",
    "MONGODB_PASSWORD": "password",
    "MONGODB_USER": "username",
    "MONGODB_VERSION": "3.4",
    "USE_UPSTREAM_IMAGES": false,
    "_apb_last_requesting_user": "chezhang",
    "_apb_plan_id": "ephemeral",
    "_apb_provision_creds": {
        "DB_HOST": "mongodb",
        "DB_NAME": "sampledb",
        "DB_PASSWORD": "password",
        "DB_PORT": 27017,
        "DB_TYPE": "mongodb",
        "DB_USER": "username"
    },
    "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
    "_apb_service_instance_id": "2bd1352a-581a-11e8-91f9-0a580a800003",
    "cluster": "openshift",
    "namespace": "test2"
}

Comment 2 Jesus M. Rodriguez 2018-05-17 21:24:25 UTC
### Provision
{
  "MONGODB_ADMIN_PASSWORD": "admin",
  "MONGODB_DATABASE": "sampledb",
  "MONGODB_DATA_STORAGE_SIZE": 1,
  "MONGODB_IMAGE_TAG": "latest",
  "MONGODB_MEMORY_LIMIT": "512Mi",
  "MONGODB_PASSWORD": "password",
  "MONGODB_USER": "username",
  "MONGODB_VERSION": "3.4",
  "USE_UPSTREAM_IMAGES": false,
  "_apb_last_requesting_user": "admin",
  "_apb_plan_id": "ephemeral",
  "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
  "_apb_service_instance_id": "e89d18e3-5a12-11e8-8874-0242ac11000a",
  "cluster": "openshift",
  "namespace": "blog-project"
}


### Bind
{
  "_apb_last_requesting_user": "admin",
  "_apb_plan_id": "ephemeral",
  "_apb_provision_creds": {
    "DB_HOST": "mongodb",
    "DB_NAME": "sampledb",
    "DB_PASSWORD": "password",
    "DB_PORT": 27017,
    "DB_TYPE": "mongodb",
    "DB_USER": "username"
  },
  "_apb_service_binding_id": "0559d887-5a14-11e8-8874-0242ac11000a",
  "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
  "_apb_service_instance_id": "e89d18e3-5a12-11e8-8874-0242ac11000a",
  "cluster": "openshift",
  "namespace": "blog-project"
}

Including the unbind output from my current run to match the above information:

### Unbind
{
  "_apb_provision_creds": {
    "DB_HOST": "mongodb",
    "DB_NAME": "sampledb",
    "DB_PASSWORD": "password",
    "DB_PORT": 27017,
    "DB_TYPE": "mongodb",
    "DB_USER": "username"
  },
  "cluster": "openshift",
  "namespace": "blog-project",
  "provision_params": {
    "MONGODB_ADMIN_PASSWORD": "admin",
    "MONGODB_DATABASE": "sampledb",
    "MONGODB_DATA_STORAGE_SIZE": 1,
    "MONGODB_IMAGE_TAG": "latest",
    "MONGODB_MEMORY_LIMIT": "512Mi",
    "MONGODB_PASSWORD": "password",
    "MONGODB_USER": "username",
    "MONGODB_VERSION": "3.4",
    "USE_UPSTREAM_IMAGES": false,
    "_apb_last_requesting_user": "admin",
    "_apb_plan_id": "ephemeral",
    "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
    "_apb_service_instance_id": "e89d18e3-5a12-11e8-8874-0242ac11000a"
  }
}

Comment 3 Jesus M. Rodriguez 2018-05-18 02:10:10 UTC
Fixed in PR 959
https://github.com/openshift/ansible-service-broker/pull/959

{
  "_apb_last_requesting_user": "admin",
  "_apb_plan_id": "85f2cc9b1c440e49dce41f2939dca1d2",
  "_apb_provision_creds": {
    "DB_HOST": "mongodb",
    "DB_NAME": "sampledb",
    "DB_PASSWORD": "password",
    "DB_PORT": 27017,
    "DB_TYPE": "mongodb",
    "DB_USER": "username"
  },
  "_apb_service_binding_id": "9b4aa09c-5a3f-11e8-9f5c-0242ac11000a",
  "_apb_service_instance_id": "b8107972-5a3e-11e8-9f5c-0242ac11000a",
  "cluster": "openshift",
  "namespace": "blog-project",
  "provision_params": {
    "MONGODB_ADMIN_PASSWORD": "admin",
    "MONGODB_DATABASE": "sampledb",
    "MONGODB_DATA_STORAGE_SIZE": 1,
    "MONGODB_IMAGE_TAG": "latest",
    "MONGODB_MEMORY_LIMIT": "512Mi",
    "MONGODB_PASSWORD": "password",
    "MONGODB_USER": "username",
    "MONGODB_VERSION": "3.4",
    "USE_UPSTREAM_IMAGES": false,
    "_apb_last_requesting_user": "admin",
    "_apb_plan_id": "ephemeral",
    "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
    "_apb_service_instance_id": "b8107972-5a3e-11e8-9f5c-0242ac11000a"
  }
}

Comment 4 Jesus M. Rodriguez 2018-05-18 02:13:46 UTC
Also fixed in master by PR 960
https://github.com/openshift/ansible-service-broker/pull/960

Comment 5 Zhang Cheng 2018-05-22 09:23:47 UTC
Changing status to Modified since the downstream image is not ready. The latest is currently asb 1.2.12.

Comment 7 David Zager 2018-05-24 17:32:35 UTC
https://errata.devel.redhat.com/advisory/33505 moved to QE

openshift-enterprise-asb-container-v3.10.0-0.51.0.1
openshift-enterprise-mediawiki-apb-v3.10.0-0.51.0.1
openshift-enterprise-postgresql-apb-v3.10.0-0.51.0.1
openshift-enterprise-mysql-apb-v3.10.0-0.51.0.1
openshift-enterprise-mariadb-apb-v3.10.0-0.51.0.1
openshift-enterprise-apb-tools-v3.10.0-0.32.0.2

Comment 8 Zhang Cheng 2018-05-29 09:45:51 UTC
Verified and passed with asb:1.2.14

{"_apb_last_requesting_user":"chezhang","_apb_plan_id":"85f2cc9b1c440e49dce41f2939dca1d2","_apb_provision_creds":{"DB_HOST":"mongodb","DB_NAME":"sampledb","DB_PASSWORD":"password","DB_PORT":27017,"DB_TYPE":"mongodb","DB_USER":"username"},"_apb_service_binding_id":"3f168d2f-6321-11e8-a7d4-0a580a80000c","_apb_service_instance_id":"eeb54a0c-6320-11e8-a7d4-0a580a80000c","cluster":"openshift","namespace":"mongo","provision_params":{"MONGODB_ADMIN_PASSWORD":"admin","MONGODB_DATABASE":"sampledb","MONGODB_DATA_STORAGE_SIZE":1,"MONGODB_IMAGE_TAG":"latest","MONGODB_MEMORY_LIMIT":"512Mi","MONGODB_PASSWORD":"password","MONGODB_USER":"username","MONGODB_VERSION":"3.4","USE_UPSTREAM_IMAGES":false,"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"eeb54a0c-6320-11e8-a7d4-0a580a80000c"}}

Comment 10 errata-xmlrpc 2018-07-30 19:15:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816