Bug 1258390 - Project admin can't run 'oc attach POD' successfully
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Security
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assignee: Jordan Liggitt
QA Contact: Xiaoli Tian
Reported: 2015-08-31 09:30 UTC by Yadan Pei
Modified: 2015-11-23 21:18 UTC (History)
Doc Type: Bug Fix
Last Closed: 2015-11-23 21:18:47 UTC

Description Yadan Pei 2015-08-31 09:30:11 UTC
Description of problem:
When attaching to a running pod as project admin, there is error information, but cluster-admin can attach to the pod under this project successfully.

Version-Release number of selected component (if applicable):
oc v1.0.5-89-gc9008aa
kubernetes v1.1.0-alpha.0-1605-g44c91b1


How reproducible:
Always

Steps to Reproduce:
1. Create a new project with user 'yapei'
$ oc new-project test3
Now using project "test3" on server "https://localhost:8443".
2. Create some resources using templates
$ oc process -f https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json | oc create -f -
service "frontend" created
route "route-edge" created
imagestream "origin-ruby-sample" created
imagestream "ruby-20-centos7" created
buildconfig "ruby-sample-build" created
deploymentconfig "frontend" created
service "database" created
deploymentconfig "database" created
3. Check pod status
$ oc get pods
NAME                        READY     STATUS       RESTARTS   AGE
database-1-qvxyn            1/1       Running      0          16m
frontend-1-36swm            1/1       Running      0          14m
frontend-1-ws7hv            1/1       Running      0          14m
ruby-sample-build-1-build   0/1       ExitCode:0   0          17m
4. Check the user
$ oc whoami
yapei
5. Run 'oc attach' command with user 'yapei'
$ oc attach database-1-qvxyn
6. Log out as 'yapei' and run 'oc attach' as cluster-admin
$ oc logout
Logged "yapei" out on "https://localhost:8443"
$ oc attach database-1-qvxyn -n test3 --config=openshift.local.config/master/admin.kubeconfig
Running mysql_install_db ...
Installing MySQL system tables...
OK
Filling help tables...
OK

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

scl enable mysql55 -- /opt/rh/mysql55/root/usr/bin/mysqladmin -u root password 'new-password'
scl enable mysql55 -- /opt/rh/mysql55/root/usr/bin/mysqladmin -u root -h database-1-qvxyn password 'new-password'

Alternatively you can run:
scl enable mysql55 -- /opt/rh/mysql55/root/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
systemctl start mysql55-mysqld

You can test the MySQL daemon with mysql-test-run.pl
after installing mysql55-mysql-test package.
See /opt/rh/mysql55/root/usr/share/mysql-test/README for instructions.

Please report any problems at http://bugs.mysql.com/

Starting local mysqld server ...
Waiting for MySQL to start ...
150831  7:29:02 [Warning] One can only use the --user switch if running as root

150831  7:29:02 [Note] Plugin 'FEDERATED' is disabled.
150831  7:29:02 InnoDB: The InnoDB memory heap is disabled
150831  7:29:02 InnoDB: Mutexes and rw_locks use GCC atomic builtins
150831  7:29:02 InnoDB: Compressed tables use zlib 1.2.7
150831  7:29:02 InnoDB: Using Linux native AIO
........
7. For other 'oc attach' commands that carry more parameters, the same error information is displayed for cluster-admin and a normal project admin. This issue has been reported in Bug 1257889; it's about taking the wrong parameter.
$ oc attach database-1-qvxyn date -n test3 --config=openshift.local.config/master/admin.kubeconfig
error: expected a single argument: POD, saw 2: [database-1-qvxyn date]
see 'oc attach -h' for help.
$ oc attach database-1-qvxyn date
error: expected a single argument: POD, saw 2: [database-1-qvxyn date]
see 'oc attach -h' for help.

Actual results:
step5:
Error from server: User "yapei" cannot create pods/attach in project "test3"

Expected results:
step5:
Should run 'oc attach' successfully since yapei is already the admin of project test3. At the same time, it should give a proper message about the failure.

Additional info:
When the --attach option is carried in 'oc run', there is error info indicating "not implemented":
$ oc run nginx --image=nginx --attach=true
error: cannot attach to DeploymentConfig: not implemented

Comment 1 Jordan Liggitt 2015-09-08 14:53:03 UTC
Need to add "pods/attach" to policy.
Might need to protect pods/attach the same way we protect pods/exec
Need to update long running regular expression to include attach
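
The step 5 denial and the policy change named in Comment 1, modelled as an added example (not part of the original bug report and not OpenShift's own code): the `Rule` type, the matcher and both sample roles are constructed for illustration and assume a subresource such as pods/attach is authorized under its own name, separately from pods.

```go
package main

import "fmt"

// Rule is a simplified policy rule (constructed model, not OpenShift's types).
type Rule struct {
	Verbs     []string
	Resources []string // a subresource is listed by its full name, e.g. "pods/exec"
}
func has(set []string, want string) bool {
	for _, s := range set {
		if s == want || s == "*" {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule permits verb on resource. A grant on
// "pods" does not match "pods/attach": the subresource is its own name.
func Allowed(rules []Rule, verb, resource string) bool {
	for _, r := range rules {
		if has(r.Verbs, verb) && has(r.Resources, resource) {
			return true
		}
	}
	return false
}

// InteractiveGrants lists which of pods/exec and pods/attach the rules allow.
func InteractiveGrants(rules []Rule) []string {
	var out []string
	for _, res := range []string{"pods/exec", "pods/attach"} {
		if Allowed(rules, "create", res) {
			out = append(out, res)
		}
	}
	return out
}

// Constructed project-admin role before and after adding pods/attach.
var adminBefore = []Rule{
	{Verbs: []string{"get", "list", "create", "delete"}, Resources: []string{"pods"}},
	{Verbs: []string{"create"}, Resources: []string{"pods/exec"}},
}
var adminAfter = append(append([]Rule{}, adminBefore...), Rule{Verbs: []string{"create"}, Resources: []string{"pods/attach"}})
func main() {
	fmt.Println(Allowed(adminBefore, "create", "pods/attach"), InteractiveGrants(adminAfter))
}
```

Listing exec and attach together in a role review keeps the two session-granting subresources from drifting apart the way they did in this bug.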

Comment 2 Jordan Liggitt 2015-09-09 04:05:06 UTC
Also need changes from https://github.com/kubernetes/kubernetes/pull/13705

Comment 3 Jordan Liggitt 2015-09-09 13:41:23 UTC
Project admin permission fixed in https://github.com/openshift/origin/pull/4587

Comment 4 Jordan Liggitt 2015-09-09 15:28:16 UTC
Moving to ON_QA, spawned https://bugzilla.redhat.com/show_bug.cgi?id=1261548 for the `oc run --attach` bug

Comment 5 Yadan Pei 2015-09-10 08:02:50 UTC
Verified on devenv-fedora_2314, project admin & edit role could run oc attach successfully now.

