Bug 1888464
Summary: installer missing permission definitions for TagResources and UntagResources when installing in existing VPC
Product: OpenShift Container Platform
Component: Installer
Installer sub component: openshift-installer
Version: 4.5
Target Release: 4.7.0
Status: CLOSED ERRATA
Severity: high
Priority: high
Type: Bug
Reporter: Greg Sheremeta <gshereme>
Assignee: Patrick Dillon <padillon>
QA Contact: Yunfei Jiang <yunjiang>
CC: adahiya, bleanhar, mstaeble, padillon, scuppett, yunjiang
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
  Cause: the installer did not check that the AWS account had the UnTagResources permission when creating a cluster with shared (pre-existing) network resources.
  Consequence: when destroying the cluster, the installer may not have permission to delete the tags it added to the pre-existing network.
  Fix: add a permission check for UnTagResources when creating a cluster with shared network resources.
  Result: when users create a cluster using shared resources, the installer checks up front that the account has the required permissions.
Last Closed: 2021-02-24 15:26:11 UTC
Bug Blocks: 1898172
Description
Greg Sheremeta
2020-10-14 22:06:58 UTC
4.7 PR is up, but may not merge in this sprint. Adding UpcomingSprint.

Need to clone this bug and create a new PR for 4.6 (implementation will be slightly different) and cherry pick to previous branches.

verified. PASS.
version: 4.7.0-0.nightly-2020-11-22-204912

>> Test 1:
1. create IAM user with following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": [
            "tag:UntagResources"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }

2. Using above new IAM user by default, create cluster:

    time="2020-11-23T08:49:44Z" level=warning msg="Action not allowed with tested creds" action="tag:UnTagResources"
    time="2020-11-23T08:49:44Z" level=warning msg="Tested creds not able to perform all requested actions"
    time="2020-11-23T08:49:44Z" level=fatal msg="failed to fetch Cluster: failed to fetch dependency of \"Cluster\": failed to generate asset \"Platform Permissions Check\": validate AWS credentials: current credentials insufficient for performing cluster installation"

>> Test 2:
1. create IAM user with following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": [
            "tag:TagResources"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }

2. Using above new IAM user by default,
a) create cluster successfully,
b) tag 'shared' are added to/removed from subnets successfully.
c) destroy cluster successfully.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
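The Doc Text and the QA verification above describe the same pre-flight idea: before touching a shared VPC, evaluate the caller's IAM policy against the actions the installer will need, so that a missing tag:UntagResources does not surface only at destroy time as orphaned tags on someone else's subnets. The script below is an added example, not openshift-installer code: it reimplements the identity-based IAM evaluation order offline (implicit deny; an Allow grants; an explicit Deny wins over any Allow, including "Action": "*") and runs the two policies from the QA test through it. The list of required actions is an illustrative subset and ec2:DescribeSubnets is assumed, not taken from the installer. Action names are matched case-insensitively, which is what the Test 1 log shows: the installer tested "tag:UnTagResources" and the Deny on "tag:UntagResources" still matched. Anything the evaluator does not model (Condition, NotAction, NotResource, Principal) raises instead of being ignored, so an unmodelled policy fails closed.

```python
"""Offline pre-flight check of an IAM policy against required actions.

Added example, not openshift-installer code.  Mirrors the IAM evaluation
order for identity-based policies in the simplest case: implicit deny,
explicit Allow grants, explicit Deny always wins.  Elements it does not
model are rejected rather than silently skipped.
"""
import fnmatch
import json

# Illustrative subset of what a shared-VPC install needs (assumption, not the
# installer's real list); the two tag actions are the ones this bug is about.
REQUIRED_SHARED_VPC_ACTIONS = [
    "ec2:DescribeSubnets",
    "tag:TagResources",
    "tag:UntagResources",
]

# Constructed copies of the two policies the QA test attached to a test user.
DENY_UNTAG_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Deny",
         "Action": ["tag:UntagResources"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})
DENY_TAG_POLICY = DENY_UNTAG_POLICY.replace("tag:UntagResources", "tag:TagResources")

UNSUPPORTED = ("Condition", "NotAction", "NotResource", "Principal", "NotPrincipal")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and accept "*" globs ("tag:*", "tag:Untag*").
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive; "*" covers every resource.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource="*"):
    """True only if some Allow matches and no Deny matches (IAM order)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        unsupported = [k for k in UNSUPPORTED if k in stmt]
        if unsupported:
            raise ValueError(f"statement uses unsupported element(s): {unsupported}")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_action_matches(a, action) for a in actions):
            continue
        if not any(_resource_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False      # an explicit Deny beats any Allow, even "Action": "*"
        if stmt["Effect"] == "Allow":
            allowed = True    # keep scanning: a later Deny can still revoke it
    return allowed


def missing_permissions(policy, required_actions=REQUIRED_SHARED_VPC_ACTIONS):
    """Actions a pre-flight check would report as not allowed for these creds."""
    return [a for a in required_actions if not is_allowed(policy, a)]


if __name__ == "__main__":
    for name, policy in (("deny-untag", DENY_UNTAG_POLICY), ("deny-tag", DENY_TAG_POLICY)):
        for action in missing_permissions(policy):
            print(f"{name}: action not allowed with tested creds: {action}")
```

Against the Test 1 policy the check reports tag:UntagResources as missing, which is the condition the fixed installer now refuses to proceed on; against the Test 2 policy it reports tag:TagResources, which the installer tolerated in the QA run because it does not tag the shared subnets via that action. The real installer asks IAM to simulate the principal's policy rather than evaluating the document itself, so treat this as a way to reason about a policy offline, not as a substitute for that call.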