Bug 1913717
Summary: | Users should have read permissions for golden images data volumes | | |
---|---|---|---|
Product: | Container Native Virtualization (CNV) | Reporter: | Yaacov Zamir <yzamir> |
Component: | SSP | Assignee: | Omer Yahud <oyahud> |
Status: | CLOSED ERRATA | QA Contact: | Sarah Bennert <sbennert> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 2.6.0 | CC: | cnv-qe-bugs, sbennert |
Target Milestone: | --- | | |
Target Release: | 2.6.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | kubevirt-ssp-operator-container-v2.6.0-33 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-03-10 11:22:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Yaacov Zamir
2021-01-07 13:17:14 UTC
Upstream PR: https://github.com/kubevirt/ssp-operator/pull/83

QE Manual Test

===============================================================

Environment:

```
$ oc get clusterversion
NAME      VERSION      AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-fc.4   True        False         17h     Cluster version is 4.7.0-fc.4

$ oc get csv -n openshift-cnv
NAME                                      DISPLAY                    VERSION   REPLACES                                  PHASE
kubevirt-hyperconverged-operator.v2.6.0   OpenShift Virtualization   2.6.0     kubevirt-hyperconverged-operator.v2.5.3   Succeeded

$ oc get deploy -n openshift-cnv ssp-operator -owide
NAME           READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES                                                                                                                                                      SELECTOR
ssp-operator   1/1     1            1           16h   manager      registry.redhat.io/container-native-virtualization/kubevirt-ssp-operator@sha256:87b0e51e4a584b61a149f8825b917ebf61a7c201048cbff891887aef0feeab7d   control-plane=ssp-operator
```

SSP Version: kubevirt-ssp-operator-container-v2.6.0-37

===============================================================

Setup test-user

https://docs.openshift.com/container-platform/4.6/authentication/identity_providers/configuring-htpasswd-identity-provider.html

```
$ htpasswd -c -B -b users.htpasswd test-user test-password
$ oc -n openshift-config delete secret htpass-secret
$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc create -f -
$ cat << "EOF" > test-oauth.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
EOF
$ oc apply -f test-oauth.yaml

# Add either 'view' or 'edit' role to test-user
$ oc adm policy add-cluster-role-to-user view test-user
```

===============================================================

1. As an admin user start uploading a PVC into the "golden image" namespace using a DV

https://github.com/kubevirt/containerized-data-importer/blob/master/doc/datavolumes.md

```
$ oc project openshift-virtualization-os-images
$ cat << "EOF" > dv-test.yaml
apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
  name: test-dv
spec:
  source:
    http:
      url: "https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/33/Cloud/x86_64/images/Fedora-Cloud-Base-33-1.2.x86_64.qcow2"
  pvc:
    volumeMode: Block
    storageClassName: "ocs-storagecluster-ceph-rbd"
    accessModes:
      - ReadWriteMany
    resources:
      requests:
        storage: "5Gi"
EOF
$ oc apply -f dv-test.yaml
$ oc get dv -w
test-dv   ImportScheduled    N/A     9s
test-dv   ImportInProgress   N/A     14s
test-dv   ImportInProgress   0.00%   15s
```

===============================================================

2. As a regular user try to get the upload status of the PVC using the owner DV

Expected results: User can read PVC upload progress using owner DV

Switch back to default project

```
$ oc project default
$ oc login -u test-user
Logged into "..." as "test-user" using existing credentials.

Using project "default".
$ oc get dv -n openshift-virtualization-os-images -w
NAME      PHASE              PROGRESS   RESTARTS   AGE
test-dv   ImportInProgress   14.12%                45s
...
```

Results: User can read PVC upload progress using owner DV

Update, had used ClusterRole in this test: https://bugzilla.redhat.com/show_bug.cgi?id=1913717#c2

Additional tests:

===============================================================

Role

```
$ oc adm policy remove-cluster-role-from-user view test-user
clusterrole.rbac.authorization.k8s.io/view removed: "test-user"
$ oc adm policy remove-cluster-role-from-user edit test-user
error: unable to locate any ClusterRoleBinding for ClusterRole "edit"
$ oc adm policy add-role-to-user view test-user
$ oc login -u test-user
Logged into "..." as "test-user" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * default
    openshift-virtualization-os-images

Using project "default".
$ oc get dv -n openshift-virtualization-os-images -w
NAME      PHASE              PROGRESS   RESTARTS   AGE
test-dv   ImportInProgress   89.22%                3m1s
```

===============================================================

No Roles

```
$ oc adm policy remove-role-from-user view test-user
clusterrole.rbac.authorization.k8s.io/view removed: "test-user"
$ oc login -u test-user
Logged into "..." as "test-user" using existing credentials.

You have one project on this server: "openshift-virtualization-os-images"

Using project "openshift-virtualization-os-images".
$ oc get dv -n openshift-virtualization-os-images -w
NAME      PHASE       PROGRESS   RESTARTS   AGE
test-dv   Succeeded   100.0%                11m
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0799
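
The manual test above confirms read access by watching `oc get dv` as `test-user`. The script below is an added example, not part of the bug report or the SSP operator, that turns the same check into an RBAC audit with `oc auth can-i`: it confirms the read verbs and also flags any write verb the user holds on DataVolumes in the golden image namespace. It assumes the caller is a cluster admin allowed to impersonate users with `--as`; the function names and the list of write verbs are choices made for this example.

```bash
# Added example: audit DataVolume permissions in the golden image namespace.
# Assumption: the caller may impersonate other users (--as), e.g. a cluster admin.
NS="${NS:-openshift-virtualization-os-images}"
RESOURCE="datavolumes.cdi.kubevirt.io"
READ_VERBS="get list watch"
WRITE_VERBS="create update patch delete"   # verbs a read-only user should not hold

# can_i USER VERB -> prints "yes" or "no"
can_i() {
  local answer
  # 'oc auth can-i' prints yes/no and exits non-zero on "no"; only stdout matters here
  answer="$(oc auth can-i "$2" "$RESOURCE" -n "$NS" --as "$1" 2>/dev/null)" || true
  case "$answer" in
    yes) echo yes ;;
    *)   echo no ;;
  esac
}

# audit_dv_access USER -> prints one line per finding; exit status = number of findings
audit_dv_access() {
  local user="$1" verb findings=0
  for verb in $READ_VERBS; do
    if [ "$(can_i "$user" "$verb")" != yes ]; then
      echo "MISSING read: $user cannot $verb $RESOURCE in $NS"
      findings=$((findings + 1))
    fi
  done
  for verb in $WRITE_VERBS; do
    if [ "$(can_i "$user" "$verb")" = yes ]; then
      echo "EXCESS write: $user can $verb $RESOURCE in $NS"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Usage (as admin): audit_dv_access test-user && echo "read-only access as expected"
```

Running it once with the user's roles removed, as in the "No Roles" case, shows whether the namespace-level grant alone gives read access and nothing more.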