Bug 1717124
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | cluster reader is unable to read configs.samples.operator.openshift.io | | |
| Product | OpenShift Container Platform | Reporter | Eric Paris <eparis> |
| Component | Templates | Assignee | Gabe Montero <gmontero> |
| Status | CLOSED ERRATA | QA Contact | XiuJuan Wang <xiuwang> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 4.1.0 | CC | aos-bugs, gmontero, jokerman, jupierce, mkhan, mmccomas, wzheng |
| Target Milestone | --- | | |
| Target Release | 4.2.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2019-10-16 06:31:10 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |

Doc Text:

- Cause: The samples operator was not creating a cluster role that aggregated into the cluster-reader role.
- Consequence: Users with the cluster-reader role could not read the config object for the samples operator.
- Fix: The manifest of the samples operator was updated to include a cluster role for read-only access to its config object, which aggregates into the cluster-reader role.
- Result: Users with cluster-reader can now read/list/watch the config object for the samples operator.
Description
Eric Paris
2019-06-04 18:06:49 UTC

(In reply to Eric Paris from comment #0)
> I'm told that David or Clayton can point you to where to fix this, but the
> 'cluster-reader' role is unable to read the samples operator config. Since
> this is not a priv escalation, to read the config, it should be allowed.

Pretty sure this applies to all of the operator resources we have in the operator.openshift.io group.

See

    oc get clusterrole.rbac system:openshift:cluster-config-operator:cluster-reader -o yaml

as an example of how we handle the config resources.

ooh, PR ref automatically added with the new git/bugzilla bot. Steve K did some amazing work starting to get these systems to work together.

Verified with 4.2.0-0.nightly-2019-08-01-035705 version.

Add the system:openshift:cluster-samples-operator:cluster-reader clusterrole to a common user:

    #oc adm policy add-cluster-role-to-user system:openshift:cluster-samples-operator:cluster-reader xiuwang1

Then the user could fetch the samples operator CRD:

    $oc whoami
    xiuwang1
    $oc get config.samples.operator
    NAME      AGE
    cluster   11m
    $oc patch config.samples.operator cluster -p '{"spec":{"managementState": "Unmanaged"}}'
    Error from server (Forbidden): configs.samples.operator.openshift.io "cluster" is forbidden: User "xiuwang1" cannot patch resource "configs" in API group "samples.operator.openshift.io" at the cluster scope

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922
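The shape of the fix from the Doc Text, as an added illustration rather than the samples operator's shipped manifest: a read-only ClusterRole for the samples operator config, labelled so that the aggregated cluster-reader role absorbs its rules. The role name and the configs resource come from this bug; the aggregation label, the simplified cluster-reader stub and the exact verb set are assumptions about how OpenShift's cluster-reader aggregation is wired.

```yaml
# Added example, not the operator's real manifest. Read-only ClusterRole for
# configs.samples.operator.openshift.io that aggregates into cluster-reader.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:openshift:cluster-samples-operator:cluster-reader
  labels:
    # Assumption: the selector label OpenShift's aggregated cluster-reader
    # matches. Any ClusterRole carrying it has its rules merged in.
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups:
  - samples.operator.openshift.io
  resources:
  - configs
  # Read verbs only. No patch/update/delete, so a cluster-reader can inspect
  # the config but cannot change managementState, matching the Forbidden
  # error seen in the verification comment above.
  verbs:
  - get
  - list
  - watch
---
# Assumed, simplified view of the aggregating side (already present in an
# OpenShift cluster; shown only to illustrate the mechanism). The rules list
# is filled in by the aggregation controller and must not be hand-edited.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules: []
```

To confirm the aggregation took effect for a cluster-reader user, `oc auth can-i get configs.samples.operator.openshift.io --as=<cluster-reader-user>` should answer yes while `oc auth can-i patch configs.samples.operator.openshift.io --as=<cluster-reader-user>` answers no.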