Bug 1841035

Summary: The regular user should have access rights for volumesnapshots.snapshot.storage.k8s.io and volumesnapshotclasses.snapshot.storage.k8s.io APIs
Product: OpenShift Container Platform
Component: Storage
Storage sub component: Operators
Reporter: Qin Ping <piqin>
Assignee: Jan Safranek <jsafrane>
QA Contact: Wei Duan <wduan>
CC: aos-bugs, jsafrane
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4.5
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug
Last Closed: 2020-10-27 16:01:56 UTC

Description Qin Ping 2020-05-28 08:09:29 UTC
Description of problem:
The regular user should have access rights for volumesnapshots.snapshot.storage.k8s.io and volumesnapshotclasses.snapshot.storage.k8s.io APIs


Version-Release number of selected component (if applicable):
$ oc get clusterversion --context=admin
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.5.0-0.nightly-2020-05-27-040756   True        False         6h9m    Cluster version is 4.5.0-0.nightly-2020-05-27-040756


How reproducible:
Always

Steps to Reproduce:
1. list volumesnapshotclass and volumesnapshot objects with a regular user.

Actual results:
$ oc get volumesnapshots
Error from server (Forbidden): volumesnapshots.snapshot.storage.k8s.io is forbidden: User "testuser-0" cannot list resource "volumesnapshots" in API group "snapshot.storage.k8s.io" in the namespace "default"

$ oc get volumesnapshotclasses
Error from server (Forbidden): volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "testuser-0" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope


Expected results:
The regular user can list these two types of objects successfully. 

Comment 3 Jan Safranek 2020-06-25 13:55:12 UTC
All PRs have been merged.

Comment 6 Wei Duan 2020-07-17 10:07:29 UTC
Verified pass

[wduan@MINT azuredisk]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-07-16-211200   True        False         7h6m    Cluster version is 4.6.0-0.nightly-2020-07-16-211200


Execute as testuser-0
testuser-0 could list the volumesnapshotclasses created by cluster admin
[wduan@MINT azuredisk]$ oc get volumesnapshotclasses
NAME            DRIVER               DELETIONPOLICY   AGE
csi-snapclass   disk.csi.azure.com   Delete           40s

testuser-0 could create/list the volumesnapshot
[wduan@MINT azuredisk]$ oc create -f VolumeSnapshot_withclass.yaml
volumesnapshot.snapshot.storage.k8s.io/mysnapshot01 created
[wduan@MINT azuredisk]$ oc get volumesnapshot mysnapshot01
NAME           READYTOUSE   SOURCEPVC   SOURCESNAPSHOTCONTENT   RESTORESIZE   SNAPSHOTCLASS   SNAPSHOTCONTENT                                    CREATIONTIME   AGE
mysnapshot01   true         pvc-ori                             2Gi           csi-snapclass   snapcontent-a9c6fb76-17f8-44e2-85e5-684d952a1962   4m53s          7m5s

Comment 8 errata-xmlrpc 2020-10-27 16:01:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196