Bug 1196022 - [origin_platformexp_279] Project admin user can not list resources from the new project
Alias: None
Product: OKD
Classification: Red Hat
Component: Containers
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: David Eads
QA Contact: libra bugs
Depends On:
Reported: 2015-02-25 06:13 UTC by weiwei jiang
Modified: 2016-10-30 22:54 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-04-21 17:59:59 UTC
Target Upstream Version:

Description weiwei jiang 2015-02-25 06:13:40 UTC
Description of problem:
Project admin user cannot list services|pods|... from the project

Since https://trello.com/c/lIazl3fA/314-3-propose-namespace-as-kind-upstream-deprecate-project-in-origin-manage-beta2 was merged, the following resourcegroup should already be out of date.

# osc describe --namespace=master policy default                                                                                            
Name:                   default
Created:                2015-02-25 10:08:54 +0800 CST
Labels:                 <none>
Last Modified:          2015-02-25 10:08:54 +0800 CST
admin                   Verbs                                   Resources                                                                               Extension
                        [create delete get list update watch]   [resourcegroup:exposedkube resourcegroup:exposedopenshift resourcegroup:granter]
                        [get list watch]                        [resourcegroup:allkube resourcegroup:policy]
basic-user              Verbs                                   Resources                                                                               Extension
                        [get]                                   [users]
                        [list]                                  [projects]
cluster-admin           Verbs                                   Resources                                                                               Extension
                        [*]                                     [*]
                        [*]                                     []
cluster-status          Verbs                                   Resources                                                                               Extension
                        [get]                                   []
edit                    Verbs                                   Resources                                                                               Extension
                        [create delete get list update watch]   [resourcegroup:exposedkube resourcegroup:exposedopenshift]
                        [get list watch]                        [resourcegroup:allkube]
system:component        Verbs                                   Resources                                                                               Extension
                        [*]                                     [*]
system:delete-tokens    Verbs                                   Resources                                                                               Extension
                        [delete]                                [oauthaccesstoken oauthauthorizetoken]
system:deployer         Verbs                                   Resources                                                                               Extension
                        [*]                                     [*]
view                    Verbs                                   Resources                                                                               Extension
                        [get list watch]                        [resourcegroup:allkube resourcegroup:exposedopenshift]

Version-Release number of selected component (if applicable):
openshift v0.3.2-39-g3b05d7d
kubernetes v0.10.0-503-gc977a45

How reproducible:

Steps to Reproduce:
1. Clear the insecure roleBindings
openshift ex policy remove-group --namespace=master cluster-admin system:authenticated system:unauthenticated
2. Create a project whose admin is "anypassword:admin"
# openshift ex new-project project4 --admin=anypassword:admin
3. Log in with anypassword:admin
openshift ex login -u admin -p redhat
4. Try to get pods|services for the project as the logged-in user.

Actual results:
# osc get pods --namespace=project0
F0225 13:26:25.481135   16164 get.go:164] request [&{Method:GET URL: Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[] Body:<nil> ContentLength:0 TransferEncoding:[] Close:false Host: Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr: RequestURI: TLS:<nil>}] failed (403) 403 Forbidden: Forbidden: "/api/v1beta1/pods?namespace=project0" denied by default

Expected results:
should have no error message.

Additional info:
# osc describe --namespace=project0 policyBindings master  
Name:                   master
Created:                2015-02-25 10:24:56 +0800 CST
Labels:                 <none>
Last Modified:          2015-02-25 10:24:56 +0800 CST
Policy:                 master
                        Role:   admin
                        Users:  [anypassword:admin]
                        Groups: []

Comment 1 David Eads 2015-02-25 13:18:02 UTC
Confirmed bug.  I'm holding the fix until I get an integration test in that makes sure this doesn't happen again.

Comment 2 David Eads 2015-02-25 13:59:05 UTC
Pull request https://github.com/openshift/origin/pull/1140, but at this point the integration test debt is bad enough to avoid committing until at least some of it has been addressed.

Comment 3 David Eads 2015-02-26 20:27:50 UTC
merged with integration tests.

Comment 4 weiwei jiang 2015-02-27 02:48:36 UTC
Checked with 
# openshift version 
openshift v0.3.2-107-gc516f4c
kubernetes v0.10.0-503-gc977a45
and this issue has been fixed.
