Bug 2264825
| Summary: | [UI][MDR] User-1 can delete application created by user-2 | | |
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat OpenShift Data Foundation | Reporter: | avdhoot <asagare> |
| Component: | odf-dr | Assignee: | Annette Clewett <aclewett> |
| odf-dr sub component: | ramen | QA Contact: | krishnaram Karthick <kramdoss> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | | |
| Priority: | high | CC: | aclewett, egershko, hnallurv, kseeger, muagarwa, rjung, xiangli |
| Version: | 4.15 | Flags: | asagare: needinfo+ |
| Target Milestone: | --- | | |
| Target Release: | ODF 4.15.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-03-19 15:32:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
avdhoot
2024-02-19 06:57:11 UTC
This is most likely due to giving the user a clusterrolebinding to subscription-admin privileges as in KCS https://access.redhat.com/articles/7048456.

Subscriptions:

```shell
$ oc create clusterrolebinding {role-binding-name} --clusterrole=open-cluster-management:subscription-admin --user={username}
```

Need to see if it is possible for the user to create a subscription with a rolebinding for only user-created namespaces. Like this, after the user creates <user_created_new_namespace>:

```shell
oc create rolebinding {role-binding-name} -n <user_created_new_namespace> --clusterrole=open-cluster-management:subscription-admin --user={username}
```

If not, is there any way to limit privileges so that a user cannot delete another user's applications?

---

For now the hub subscription controller only searches all clusterRoleBinding kind resources to see if the appsub user/group is bound to the open-cluster-management:subscription-admin clusterRole. It doesn't check rolebinding kind resources in all namespaces, which could be an expensive behaviour.

The non-cluster-admin user can still create an appsub application even though it is not a subscription-admin. So for a non-subscription-admin user, all the app resources are enforced to deploy to the appsub NS, while for a subscription-admin user, all app resources can be deployed to other NS defined in the git repo.

FYI @rjung @ming Feel free to chime in to see if we should support this case - decide if the user is subscription admin by checking clusterrolebinding kind and rolebinding kind resources in all namespaces.

---

Hi Annette, I went through the new content in the KCS as well as tried the procedure. During execution I feel the new process is a little complex and time consuming. How are we doing it at large scale? Because I feel that when a customer has a number of applications as appuser, they might feel it is a very long and tedious process. Especially for:

1. "RoleBinding for every project"
2. Creating channel and channel-namespace for every application repo and rolebinding for channel NS.

Please let me know your thoughts.

---

Yes, the new process is successful in KCS https://access.redhat.com/articles/7048456.

Version:
OCP: 4.15.0
ODF: 4.15.0-RC
ACM: 2.10.0-77

Observations:
1. User 1 is not able to see applications of user 2.
2. User can failover and relocate application.
3. Need correct output shown in step 13 with the below output, i.e. ClusterRole/roleuseracm is added.

```
➜ hub oc get rolebindings.rbac.authorization.k8s.io -n bb-redhat
NAME                       ROLE                               AGE
admin                      ClusterRole/admin                  10m
rolebindinguseracmredhat   ClusterRole/roleuseracm            3m18s
system:deployers           ClusterRole/system:deployer        10m
system:image-builders      ClusterRole/system:image-builder   10m
system:image-pullers       ClusterRole/system:image-puller    10m
```

---

@asagare thank you for verifying the new KCS instructions. The correction in Observation #3 has been fixed and published in KCS https://access.redhat.com/articles/7048456.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.15.0 security, enhancement, & bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:1383

---

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.
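Added illustration of the check discussed in the second comment of this thread (the controller looking only at ClusterRoleBindings, and the proposal to also look at RoleBindings in all namespaces). This is example code written for this page, not code from the ACM hub subscription controller, from ODF or from ramen. The `Subject`, `RoleRef` and `Binding` types are simplified stand-ins for the `rbac.authorization.k8s.io/v1` objects, `sampleBindings` is constructed input, and `MayDeployTo` is a hypothetical helper that encodes the placement rule stated in that comment: a non-admin is confined to the appsub namespace, a subscription-admin may deploy into other namespaces named in the Git repo, and with namespace-scoped RoleBindings that right would be limited to the bound namespaces.

```go
package main

import (
	"fmt"
	"sort"
)

// ClusterRole the ACM hub subscription controller looks for.
const subscriptionAdminRole = "open-cluster-management:subscription-admin"

// Subject and RoleRef are simplified rbac.authorization.k8s.io/v1 objects
// (assumption: only User and Group subjects are modelled).
type Subject struct{ Kind, Name string } // Kind is "User" or "Group"
type RoleRef struct{ Kind, Name string } // Kind is "ClusterRole" or "Role"

// Binding stands in for a ClusterRoleBinding (Namespace == "") or a RoleBinding
// (Namespace set). A RoleBinding may reference a ClusterRole; the grant then
// applies only inside the binding's namespace.
type Binding struct {
	Namespace string
	RoleRef   RoleRef
	Subjects  []Subject
}

// AdminScope records where a user holds subscription-admin.
type AdminScope struct {
	ClusterWide bool
	Namespaces  []string // sorted, de-duplicated; consulted only when !ClusterWide
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// bindsSubscriptionAdmin reports whether b grants the subscription-admin
// ClusterRole to user or to one of the user's groups.
func bindsSubscriptionAdmin(b Binding, user string, groups []string) bool {
	if b.RoleRef.Kind != "ClusterRole" || b.RoleRef.Name != subscriptionAdminRole {
		return false
	}
	for _, s := range b.Subjects {
		if s.Kind == "User" && s.Name == user {
			return true
		}
		if s.Kind == "Group" && contains(groups, s.Name) {
			return true
		}
	}
	return false
}

// SubscriptionAdminScope walks ClusterRoleBindings and RoleBindings: a
// ClusterRoleBinding makes the user admin everywhere, a RoleBinding only
// adds its own namespace. (The thread says the real controller today only
// performs the ClusterRoleBinding half of this.)
func SubscriptionAdminScope(bindings []Binding, user string, groups []string) AdminScope {
	scope := AdminScope{}
	seen := map[string]bool{}
	for _, b := range bindings {
		if !bindsSubscriptionAdmin(b, user, groups) {
			continue
		}
		if b.Namespace == "" {
			scope.ClusterWide = true
		} else if !seen[b.Namespace] {
			seen[b.Namespace] = true
			scope.Namespaces = append(scope.Namespaces, b.Namespace)
		}
	}
	sort.Strings(scope.Namespaces)
	return scope
}

// MayDeployTo (hypothetical helper) is the placement rule from the comment:
// anyone may deploy into their own appsub namespace; any other namespace named
// in the Git repo needs subscription-admin covering that namespace.
func MayDeployTo(scope AdminScope, appsubNamespace, target string) bool {
	return target == appsubNamespace || scope.ClusterWide || contains(scope.Namespaces, target)
}

// sampleBindings is constructed input, not taken from any real cluster.
func sampleBindings() []Binding {
	admin := RoleRef{"ClusterRole", subscriptionAdminRole}
	return []Binding{
		// cluster-wide grant, as in the original KCS step
		{RoleRef: admin, Subjects: []Subject{{"User", "user-1"}}},
		// namespace-scoped grants, as proposed in the bug
		{Namespace: "app-user-2", RoleRef: admin, Subjects: []Subject{{"User", "user-2"}}},
		{Namespace: "shared", RoleRef: admin, Subjects: []Subject{{"Group", "dr-team"}}},
		// a binding to a different ClusterRole, which must be ignored
		{Namespace: "app-user-2", RoleRef: RoleRef{"ClusterRole", "admin"}, Subjects: []Subject{{"User", "user-3"}}},
	}
}

func main() {
	b := sampleBindings()
	for _, u := range []string{"user-1", "user-2", "user-3"} {
		s := SubscriptionAdminScope(b, u, []string{"dr-team"})
		fmt.Printf("%-6s clusterWide=%-5v namespaces=%v deploy-to-app-user-1=%v\n",
			u, s.ClusterWide, s.Namespaces, MayDeployTo(s, u+"-appsub", "app-user-1"))
	}
}
```

With the constructed bindings, user-1 (ClusterRoleBinding) may deploy anywhere, user-2 (RoleBindings plus the dr-team group) only into app-user-2, shared and its own appsub namespace, and user-3 only into its own appsub namespace. Scanning RoleBindings in every namespace is the cost the comment flags as potentially expensive; a real implementation would use an informer cache rather than listing on each reconcile.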