Bug 1717124

Summary: cluster reader is unable to read configs.samples.operator.openshift.io
Product: OpenShift Container Platform
Reporter: Eric Paris <eparis>
Component: Templates
Assignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA
QA Contact: XiuJuan Wang <xiuwang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.1.0
CC: aos-bugs, gmontero, jokerman, jupierce, mkhan, mmccomas, wzheng
Target Milestone: ---
Target Release: 4.2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The samples operator was not creating a cluster role that aggregated into the cluster-reader role.
Consequence: Users with the cluster-reader role could not read the config object for the samples operator.
Fix: The manifest of the samples operator was updated to include a cluster role for read-only access to its config object, which aggregates into the cluster-reader role.
Result: Users with cluster-reader can now get/list/watch the config object for the samples operator.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-10-16 06:31:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Eric Paris 2019-06-04 18:06:49 UTC
I'm told that David or Clayton can point you to where to fix this, but the 'cluster-reader' role is unable to read the samples operator config. Since this is not a priv escalation, to read the config, it should be allowed.

Comment 1 Mo 2019-07-23 00:06:52 UTC
(In reply to Eric Paris from comment #0)
> I'm told that David or Clayton can point you to where to fix this, but the
> 'cluster-reader' role is unable to read the samples operator config. Since
> this is not a priv escalation, to read the config, it should be allowed.

Pretty sure this applies to all of the operator resources we have in the operator.openshift.io group.

Comment 2 Mo 2019-07-23 00:07:43 UTC
See

    oc get clusterrole.rbac system:openshift:cluster-config-operator:cluster-reader -o yaml

as an example of how we handle the config resources

Comment 3 Gabe Montero 2019-07-30 15:30:09 UTC
ooh PR ref automatically added with the new git/bugzilla bot

Comment 4 Eric Paris 2019-07-30 16:45:39 UTC
Steve K did some amazing work starting to get these systems to work together.

Comment 6 XiuJuan Wang 2019-08-01 08:41:25 UTC
Verified with 4.2.0-0.nightly-2019-08-01-035705 version. 

Add system:openshift:cluster-samples-operator:cluster-reader clusterrole to a common user.
#oc adm  policy add-cluster-role-to-user system:openshift:cluster-samples-operator:cluster-reader xiuwang1

Then the user could fetch the samples operator crd.
$oc whoami 
xiuwang1
$oc get config.samples.operator 
NAME      AGE
cluster   11m
$oc patch config.samples.operator cluster -p '{"spec":{"managementState": "Unmanaged"}}' 
Error from server (Forbidden): configs.samples.operator.openshift.io "cluster" is forbidden: User "xiuwang1" cannot patch resource "configs" in API group "samples.operator.openshift.io" at the cluster scope
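The fix described in the Doc Text and verified in comment 6 is a read-only ClusterRole that is folded into cluster-reader by RBAC aggregation. The manifest below is an added illustration of that shape, not the samples operator's own manifest (which is not reproduced on this page): the role name is the one used in comment 6, the resource and API group are the ones named in the Forbidden error above, the verbs are the get/list/watch from the Doc Text, and the aggregation label is assumed to be the one OpenShift's aggregated cluster-reader role selects on.

```yaml
# Added example (not the cluster-samples-operator's actual manifest).
# A ClusterRole carrying the cluster-reader aggregation label is merged into
# the aggregated cluster-reader role by the RBAC aggregation controller, so
# existing cluster-reader bindings pick up these rules without any change.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # Role name as used in comment 6
  name: system:openshift:cluster-samples-operator:cluster-reader
  labels:
    # Assumed aggregation label selected by cluster-reader's aggregationRule
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups:
  - samples.operator.openshift.io   # API group from the Forbidden error above
  resources:
  - configs                         # the operator's config object (name: cluster)
  verbs:                            # read-only: no create/patch/update/delete
  - get
  - list
  - watch
```

With this role applied, a user who holds only cluster-reader should see `oc auth can-i get configs.samples.operator.openshift.io --as <user>` answer yes while `oc auth can-i patch configs.samples.operator.openshift.io --as <user>` still answers no, matching the get/patch outcome shown in comment 6. Comment 6 bound the role to the user directly, which exercises the rules but not the aggregation path; checking through a cluster-reader binding confirms the label is correct as well.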

Comment 8 errata-xmlrpc 2019-10-16 06:31:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922