Description of problem:
A member with the 'view' role has access to deploy an application

Version-Release number of selected component (if applicable):
On devenv_3897

How reproducible:
Always

Steps to Reproduce:
1. Create an application
    rhc create-app php1 php-5.3
2. Disable auto deployment via rest api
    curl -s -k -H 'Content-Type: Application/json' --user jhou:x https://ec2-54-237-111-30.compute-1.amazonaws.com/broker/rest/domain/jhou/application/php1 -X PUT -d '{"auto_deploy": false}'
3. Add a member as 'view' role to the domain
    rhc member add jhou1 -r view
4. Deploy the application with the added member
    rhc deploy-app php1 --ref $commit_id

Actual results:
After step 4, the app is deployed

    0 master % rhc member-list -n jhou
    Login           Role
    --------------- -------------
    jhou            admin (owner)
    jhou1           view

    0 master % rhc app-deploy --ref 430e0d1 -a php1 -l jhou1
    Deployment of '430e0d1' in progress for application php1 ...
    Stopping PHP cartridge
    [Tue Oct 15 08:24:45 2013] [warn] PassEnv variable SHELL was undefined
    [Tue Oct 15 08:24:45 2013] [warn] PassEnv variable USER was undefined
    [Tue Oct 15 08:24:45 2013] [warn] PassEnv variable LOGNAME was undefined
    Waiting for stop to finish
    Building git ref '430e0d1', commit 430e0d1
    Building PHP cartridge
    Preparing build for deployment
    Prepared deployment artifacts in /var/lib/openshift/525d32ef921de51d1f00016f/app-deployments/2013-10-15_08-24-46.472
    Deployment id is f2daaf0c
    Activating deployment
    Starting PHP cartridge
    Success

Expected results:
Since the member has the view role, he cannot have access to deploy the application.

Additional info:
The authorization code seems to be in place on the broker controllers. Can someone from the UI team please tell me if the "rhc app-deploy ..." command goes through the rest api or directly to the gear?
SSH access already respects membership rules so it is already not allowed unless the user has the 'edit' role. I'm guessing you are able to deploy because both users may be using the same ssh key. Please make sure the users are each using their own ssh key and reopen the bug if it can still be reproduced.
(In reply to Fabiano Franz from comment #2)
> SSH access already respects membership rules so it is already not allowed
> unless the user has the 'edit' role. I'm guessing you are able to deploy
> because both users may be using the same ssh key. Please make sure the users
> are each using their own ssh key and reopen the bug if it can still be
> reproduced.

Retested, and actually, I do not have any ssh keys associated with the 'view' only member. But eventually I was able to deploy the app with this member. The test env was devenv_3925

    % rhc member list -n jhou
    Login           Role
    --------------- -------------
    jhou            admin (owner)
    jhou1           view

    % rhc sshkey list -l jhou1
    You have 0 SSH keys associated with your account.

    % rhc deploy-app -a php1 --ref 400c3b9fd127f59cf94757cec1987326f81f706a -l jhou1
    Please sign in to start a new session to ec2-184-73-108-226.compute-1.amazonaws.com.
    Password:
    Deployment of '400c3b9fd127f59cf94757cec1987326f81f706a' in progress for application php1 ...
    Stopping PHP cartridge
    [Mon Oct 21 21:52:56 2013] [warn] PassEnv variable SHELL was undefined
    [Mon Oct 21 21:52:56 2013] [warn] PassEnv variable USER was undefined
    [Mon Oct 21 21:52:56 2013] [warn] PassEnv variable LOGNAME was undefined
    Waiting for stop to finish
    Building git ref '400c3b9fd127f59cf94757cec1987326f81f706a', commit 400c3b9
    Building PHP cartridge
    Preparing build for deployment
    Prepared deployment artifacts in /var/lib/openshift/5265d9abf010931397000006/app-deployments/2013-10-21_21-52-57.934
    Deployment id is f2ad21ee
    Activating deployment
    Starting PHP cartridge
    Success
If you have the admin ssh keys available, the ssh session that "rhc deploy" triggers will make use of them. Can you run "rhc sshkey list -l jhou" and see if it says any of the admin's ssh keys are available?
Thanks for the info, you are right, the admin's ssh key is available, and I was testing on the same machine with 2 different accounts -- admin and member. After switching to another machine, I was unable to deploy the application with the 'view' member, the result is:

    % rhc app-deploy -a p1 --ref c46ec42ae0e0bd924404989c368506daf64588ed -l jhou1 -px --server ec2-54-221-130-189.compute-1.amazonaws.com 1 ↵
    Deployment of git ref 'c46ec42ae0e0bd924404989c368506daf64588ed' in progress for application p1 ...
    Error trying to deploy git ref. You can ssh to your application and try to deploy manually with:
    gear deploy c46ec42ae0e0bd924404989c368506daf64588ed
    /usr/local/rvm/gems/ruby-1.9.3-p392/gems/net-ssh-2.6.7/lib/net/ssh.rb:207:in `start': 52675627d026b771d4000004 (Net::SSH::AuthenticationFailed)
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/ssh_helpers.rb:171:in `ssh_ruby'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/deployment_helpers.rb:28:in `deploy_git_ref'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/deployment_helpers.rb:18:in `deploy_artifact'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/commands/app.rb:385:in `deploy'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/commands.rb:285:in `send'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/commands.rb:285:in `execute'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/commands.rb:276:in `to_commander'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/command.rb:155:in `run'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/runner.rb:402:in `run_active_command'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/command_runner.rb:73:in `run!'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/cli.rb:37:in `start'
        from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/bin/rhc:20
        from /usr/bin/rhc:19:in `load'
        from /usr/bin/rhc:19
Fixed in https://github.com/openshift/rhc/pull/490
Commit pushed to master at https://github.com/openshift/rhc

https://github.com/openshift/rhc/commit/c566294a3027a93519f0666ab28a2f745e61d546
Bug 1019294 - ssh_helpers now handle authentication failures
This is fixed on devenv_3939

When trying to deploy with a 'view' role and without the admin ssh key, a reasonable message is displayed instead of the previous stack trace

    [root@ip-10-238-133-152 ~]# rhc deploy-app -a php1 --ref 134bae4b99f3e202f32858b5ab7395e485b04d59 -l jhou1 -px
    Deployment of git ref '134bae4b99f3e202f32858b5ab7395e485b04d59' in progress for application php1 ...
    Error deploying git ref. You can try to deploy manually with:
    ssh -t 5268d544c60bcee36a000014.rhcloud.com 'gear deploy 134bae4b99f3e202f32858b5ab7395e485b04d59'
    Authentication to server php1-jhou.dev.rhcloud.com with user 5268d544c60bcee36a000014 failed
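
The root cause worked out in this thread is that the deploy step authenticates over SSH with whichever key the client machine offers, so the login given with -l does not decide the outcome. The Ruby model below is an added illustration, not rhc or broker code; the function names, key labels and the AuthenticationFailed class (a stand-in for Net::SSH::AuthenticationFailed) are assumptions.

```ruby
# Constructed model of the behaviour discussed in this bug; not rhc code.
ROLE_RANK = { 'view' => 0, 'edit' => 1, 'admin' => 2 }.freeze

# Stand-in for Net::SSH::AuthenticationFailed so the model runs offline.
class AuthenticationFailed < StandardError; end

# Constructed sample data mirroring the thread: jhou1 has 0 SSH keys.
MEMBERS = { 'jhou' => 'admin', 'jhou1' => 'view' }.freeze
REGISTERED_KEYS = { 'jhou' => ['key-admin'] }.freeze

# Keys the gear accepts: only those registered by members with 'edit' or higher.
def authorized_keys(members, registered_keys)
  members.select { |_login, role| ROLE_RANK.fetch(role) >= ROLE_RANK['edit'] }
         .flat_map { |login, _role| registered_keys.fetch(login, []) }
end

# The SSH step sees only the keys offered by the client machine;
# the login passed with -l plays no part in this decision.
def ssh_deploy(gear_keys, local_keys, ref)
  if (gear_keys & local_keys).empty?
    raise AuthenticationFailed, 'no offered key is authorized'
  end
  "deployed #{ref}"
end

# Mirrors the shape of the fix: the authentication failure is rescued
# and turned into a message instead of surfacing as a stack trace.
def deploy(login, local_keys, ref)
  ssh_deploy(authorized_keys(MEMBERS, REGISTERED_KEYS), local_keys, ref)
rescue AuthenticationFailed => e
  "Error deploying git ref #{ref} as #{login}: #{e.message}"
end

# Shared test machine: the admin's key is present, so the 'view' login deploys.
puts deploy('jhou1', ['key-admin'], '430e0d1')
# Separate machine without the admin's key: the deploy is refused.
puts deploy('jhou1', [], 'c46ec42')
```

When verifying a role restriction like this one, run the restricted account from a machine or user profile that holds none of the privileged member's keys, as the reporter did in the retest.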