Bug 1924480
| Field | Value |
|---|---|
| Summary | non cluster admin can not take VM snapshot: An error occurred, cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on |
| Product | OpenShift Container Platform |
| Component | Console Kubevirt Plugin |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | urgent |
| Version | 4.7 |
| Target Release | 4.7.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Ying Cui <ycui> |
| Assignee | Tomas Jelinek <tjelinek> |
| QA Contact | Guohua Ouyang <gouyang> |
| CC | alitke, aos-bugs, gouyang, yzamir |
| Doc Type | No Doc Update |
| Last Closed | 2021-02-24 15:58:08 UTC |
| Type | Bug |
| Bug Blocks | 1923987 |

Looks like a virt bug.

*** Bug 1924922 has been marked as a duplicate of this bug. ***

verified on ocp-4.7.0-rc.0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Created attachment 1754608 error_vm_snapshot_non_cluster_admin

Description of problem:
Non cluster admin user can not take VM snapshot, an error occurred.

virtualmachinesnapshots.snapshot.kubevirt.io "testsnapshot" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

Version-Release number of selected component (if applicable):
ocp 4.7

How reproducible:
100%
Note: cluster admin user does not have this issue.

Steps to Reproduce:
1. Non cluster admin user login, e.g. tester.
2. Create the VM in a project (e.g. testing-day) where the non-cluster-admin user has the Admin role.
3. VM is running in this project.
4. Stop the VM.
5. Click the "Take Snapshot" button.

Actual results:
An error occurred.
virtualmachinesnapshots.snapshot.kubevirt.io "testsnapshot" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

Expected results:
User can take a snapshot in the project in which the user has the Admin role.

Additional info:
1. Note: cluster admin user does not have this issue.
2. Role bindings in the project:

```
$ oc describe rolebinding.rbac -n testing-day
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name    Namespace
  ----  ----    ---------
  User  tester

Name:         system:deployers
Labels:       <none>
Annotations:  openshift.io/description:
                Allows deploymentconfigs in this namespace to rollout pods in this namespace.  It is auto-managed by a controller; remove subjects to disa...
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  testing-day

Name:         system:image-builders
Labels:       <none>
Annotations:  openshift.io/description:
                Allows builds in this namespace to push images to this namespace.  It is auto-managed by a controller; remove subjects to disable.
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  testing-day

Name:         system:image-pullers
Labels:       <none>
Annotations:  openshift.io/description:
                Allows all pods in this namespace to pull images from this namespace.  It is auto-managed by a controller; remove subjects to disable.
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                                Namespace
  ----   ----                                ---------
  Group  system:serviceaccounts:testing-day
```
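
The error text in this report is produced by the Kubernetes OwnerReferencesPermissionEnforcement admission check, which lets a user set `blockOwnerDeletion` on an ownerReference only if that user may `update` the `finalizers` subresource of the referenced owner. The following is an added example, not part of the original report or of the console plugin's code, that evaluates that check against a list of RBAC rules. It assumes the owner is the VirtualMachine (`kubevirt.io` group), which the report does not state, and all sample rules are constructed rather than taken from the reporter's cluster.

```python
# Added example. RBAC rule matching as Kubernetes applies it to the check named
# in the error: "update" on the owner's "finalizers" subresource.

def _listed(values, wanted):
    """A rule field matches on the wildcard or on an exact entry."""
    return "*" in values or wanted in values

def _resource_matches(rule_resources, resource, subresource):
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule_resources:
        if entry in ("*", combined):
            return True
        # "*/<subresource>" grants that subresource on every resource.
        if subresource and entry == f"*/{subresource}":
            return True
    return False  # note: "virtualmachines" alone does NOT cover its subresources

def rule_allows(rule, verb, group, resource, subresource="", name=""):
    names = rule.get("resourceNames", [])
    return (_listed(rule.get("verbs", []), verb)
            and _listed(rule.get("apiGroups", []), group)
            and _resource_matches(rule.get("resources", []), resource, subresource)
            and (not names or name in names))

def can_set_block_owner_deletion(rules, owner_group, owner_resource, owner_name=""):
    """True if any rule lets the user update <owner_resource>/finalizers."""
    return any(rule_allows(r, "update", owner_group, owner_resource,
                           "finalizers", owner_name) for r in rules)

# Constructed sample rules (assumptions, not dumped from the reporter's cluster).
WITHOUT_FINALIZERS_RULE = [
    {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines"], "verbs": ["*"]},
    {"apiGroups": ["snapshot.kubevirt.io"],
     "resources": ["virtualmachinesnapshots"], "verbs": ["*"]},
]
WITH_FINALIZERS_RULE = WITHOUT_FINALIZERS_RULE + [
    {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines/finalizers"],
     "verbs": ["update"]},
]
CLUSTER_ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

if __name__ == "__main__":
    for label, rules in (("full access to VMs, no finalizers rule", WITHOUT_FINALIZERS_RULE),
                         ("same, plus virtualmachines/finalizers", WITH_FINALIZERS_RULE),
                         ("cluster admin wildcard", CLUSTER_ADMIN)):
        allowed = can_set_block_owner_deletion(rules, "kubevirt.io", "virtualmachines")
        print(f"{label}: {'allowed' if allowed else 'forbidden'}")
```

On a live cluster the equivalent question can be asked with `oc auth can-i update virtualmachines/finalizers --as tester -n testing-day`, using the user and project named in the report.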