Bug 1787504
Summary: | cannot impersonate the user group on console [openshift-4.4] | ||||||
---|---|---|---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | shahan <hasha> | ||||
Component: | Management Console | Assignee: | Samuel Padgett <spadgett> | ||||
Status: | CLOSED ERRATA | QA Contact: | Yadan Pei <yapei> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 4.3.0 | CC: | aos-bugs, bpeterse, jokerman, sgoodwin, swasthan | ||||
Target Milestone: | --- | Flags: | swasthan:
needinfo+
|
||||
Target Release: | 4.4.0 | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: |
In some cases, the web console would show an error when impersonating a role binding for a group. The web console now allows you to impersonate a group.
|
Story Points: | --- | ||||
Clone Of: | |||||||
: | 1800331 (view as bug list) | Environment: | |||||
Last Closed: | 2020-05-04 11:22:00 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1800331 | ||||||
Attachments: |
|
1. create group $ cat group1.yaml kind: Group apiVersion: user.openshift.io/v1 metadata: name: group1 users: - testuser-26 - testuser-27 2. create rolebinding for group $ cat hashapro1-rb.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hashapro1-rb namespace: hasha-pro1 subjects: - kind: Group apiGroup: rbac.authorization.k8s.io name: group1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: admin 3. goto User management->group->group1->role binding list page, click "Impersonate Group "group1" action of hashapro1-rb rolebinding now console can impersonate the user group without click 4.4.0-0.nightly-2020-02-07-033907 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581 |
Created attachment 1649329 [details] loading Description of problem: cannot impersonate the user group on console Version-Release number of selected component (if applicable): 4.3.0-0.nightly-2020-01-02-214950 How reproducible: Always Steps to Reproduce: 1. create group $ cat group1.yaml kind: Group apiVersion: user.openshift.io/v1 metadata: name: group1 users: - testuser-26 - testuser-27 2. create rolebinding for group $ cat hashapro1-rb.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hashapro1-rb namespace: hasha-pro1 subjects: - kind: Group apiGroup: rbac.authorization.k8s.io name: group1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: admin 3. goto User management->group->group1->role binding list page, click "Impersonate Group "group1" action of hashapro1-rb rolebinding Actual results: 3. The page always loading till you do click on a page, see screeshot. get error like: /api/kubernetes/apis/config.openshift.io/v1/infrastructures/cluster:1 Failed to load resource: the server responded with a status of 403 (Forbidden) Expected results: kubeadmin impersonated as group1 have hasha-pro1 project admin permission only. Additional info: kubeadmin login via cli: $ oc get po --as=testuser-26 --as-group=group1 Error from server (Forbidden): pods is forbidden: User "testuser-26" cannot list resource "pods" in API group "" in the namespace "default" $ oc get po -n hasha-pro1 --as=testuser-26 --as-group=group1 NAME READY STATUS RESTARTS AGE example-75778c488-k269c 1/1 Running 0 15s example-75778c488-lrdnx 1/1 Running 0 15s example-75778c488-zzxcj 1/1 Running 0 15s