Bug 1927983

Summary: User cannot create the project when configuring a specific Resource Name in ClusterRole
Product: OpenShift Container Platform Reporter: yhe
Component: apiserver-authAssignee: David Eads <deads>
Status: CLOSED NOTABUG QA Contact: pmali
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.6CC: aos-bugs, deads, mfojtik, sttts
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-12 14:59:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description yhe 2021-02-12 01:44:38 UTC 
Description of problem:
When disabling project self-provisioning and create a ClusterRole to allow the user to create a project with a specific name, 
the user cannot create the project, and an "Error from server (Forbidden): You may not request a new project via this API." error occurs.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Disable project self-provisioning
https://docs.openshift.com/container-platform/4.6/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation

2. Create a ClusterRole and configuring a specific Resource Name

$ oc describe clusterrole test-cluster-role
Name:         test-cluster-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                             Non-Resource URLs  Resource Names   Verbs
  ---------                             -----------------  --------------   -----
  projectrequests                       []                 [reserved-name]  [create]
  projectrequests.project.openshift.io  []                 [reserved-name]  [create]

3. Bind the ClusterRole to the user

$ oc adm policy add-cluster-role-to-user test-cluster-role user1
clusterrole.rbac.authorization.k8s.io/test-cluster-role added: "user1"

4. log in as the user and try to create a project with the configured name.

$ oc login -u user1
Logged into "https://api.yhe-blue.jp.apacshift.support:6443" as "user1" using existing credentials.

$ oc new-project reserved-name
Error from server (Forbidden): You may not request a new project via this API.

$ oc new-project reserved-name --loglevel=10
I0210 01:58:48.845218    4118 loader.go:375] Config loaded from file:  /home/ec2-user/.kube/config
I0210 01:58:48.846115    4118 round_trippers.go:423] curl -k -v -XGET  -H "Authorization: Bearer sha256~Fu8HOUs7Fp5psTprPRf1ZF-4LAd_rUqouTStSPidiuE" -H "Accept: application/json, */*" -H "User-Agent: oc/openshift (linux/amd64) kubernetes/02c1100" 'https://api.yhe-blue.jp.apacshift.support:6443/apis/project.openshift.io/v1/projectrequests'
I0210 01:58:48.883943    4118 round_trippers.go:443] GET https://api.yhe-blue.jp.apacshift.support:6443/apis/project.openshift.io/v1/projectrequests 403 Forbidden in 37 milliseconds
I0210 01:58:48.884029    4118 round_trippers.go:449] Response Headers:
I0210 01:58:48.884078    4118 round_trippers.go:452]     Cache-Control: no-cache, private
I0210 01:58:48.884136    4118 round_trippers.go:452]     Cache-Control: no-store
I0210 01:58:48.884168    4118 round_trippers.go:452]     Content-Type: application/json
I0210 01:58:48.884229    4118 round_trippers.go:452]     Date: Wed, 10 Feb 2021 01:58:48 GMT
I0210 01:58:48.884268    4118 round_trippers.go:452]     X-Kubernetes-Pf-Flowschema-Uid: 7350d5ad-8891-47e9-931c-13c975c03f05
I0210 01:58:48.884332    4118 round_trippers.go:452]     X-Kubernetes-Pf-Prioritylevel-Uid: 1af91f60-82e4-445d-afd9-74511fecc350
I0210 01:58:48.884369    4118 round_trippers.go:452]     Content-Length: 228
I0210 01:58:48.884407    4118 round_trippers.go:452]     Audit-Id: 3bf2d088-e72f-4267-b5b9-dc3e96f65253
I0210 01:58:48.884488    4118 request.go:1097] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"You may not request a new project via this API.","reason":"Forbidden","details":{"group":"project.openshift.io","kind":"projectrequest"},"code":403}
I0210 01:58:48.885063    4118 helpers.go:216] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "You may not request a new project via this API.",
  "reason": "Forbidden",
  "details": {
    "group": "project.openshift.io",
    "kind": "projectrequest"
  },
  "code": 403
}]
F0210 01:58:48.885144    4118 helpers.go:115] Error from server (Forbidden): You may not request a new project via this API.

Actual results:
The user cannot create the project with configured name and "Error from server (Forbidden): You may not request a new project via this API." error occurs

Expected results:
The user can create the project with configured name and no error occurs

Additional info:
Comment 1 Stefan Schimanski 2021-02-12 13:48:43 UTC 
You need also list permissions for projectrequests.
Comment 2 David Eads 2021-02-12 14:59:52 UTC 
One thing you may have overlooked, there is no name on CREATE requests, so an RBAC role trying to give permission to create a particularly name will not be honored.

A second thing, permission to create a project is not the same as the permission to request a project.  Granting project create will allow doing `oc create -f`, but will not allow `oc new-project` since you explicitly disabled self provisioning.
Comment 3 yhe 2021-02-13 03:03:59 UTC 
Hi

Thank you for looking into this issue.

According to your explanation, I understand that I cannot request a project with `oc new-project` command since there is no name on CREATE requests.

However, I tried to create a project with `oc create -f` command, yet still, an error occurs. Would you mind giving me some more details about what permission is necessary to create a project with a particular name?

```
$ oc describe clusterrole test-cluster-role
Name:         test-cluster-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                      Non-Resource URLs  Resource Names   Verbs
  ---------                      -----------------  --------------   -----
  projects                       []                 [reserved-name]  [create]
  projects.project.openshift.io  []                 [reserved-name]  [create]

$ oc adm policy add-cluster-role-to-user test-cluster-role user1
clusterrole.rbac.authorization.k8s.io/test-cluster-role added: "user1"

$ oc login -u user1
Logged into "https://api.test.example.com:6443" as "user1" using existing credentials.

$ cat project.yaml
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  name: reserved-name

$ oc create -f project.yaml
Error from server (Forbidden): error when creating "project.yaml": projects.project.openshift.io is forbidden: User "user1" cannot create resource "projects" in API group "project.openshift.io" at the cluster scope

$ oc login -u kubeadmin
Authentication required for https://api.test.example.com:6443 (openshift)
Username: kubeadmin
Password:
Login successful.

$ oc create -f project.yaml
project.project.openshift.io/reserved-name created

$ oc project reserved-name
Now using project "reserved-name" on server "https://api.test46yhe2.lab.upshift.rdu2.redhat.com:6443".
```

Thank you

Yiyong
Comment 4 David Eads 2021-02-16 21:48:01 UTC 
There is no way to grant creation powers on a particularly named object for any resource in kubernetes.  It is a restriction of the authorizer interface.
Comment 5 HelenBriggs 2022-11-27 20:36:53 UTC Comment hidden (spam)
Comment 6 HelenBriggs 2022-11-27 20:38:38 UTC Comment hidden (spam)