Bug 1277819 - The build strategy allows only certain user in a specific project to create build does not work
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Security
Version: 3.x
Priority: medium
Severity: medium
Assigned To: David Eads
QA Contact: Xiaoli Tian
Reported: 2015-11-04 01:55 EST by zhou ying
Modified: 2015-11-23 16:13 EST
Last Closed: 2015-11-23 16:13:10 EST
Type: Bug
Doc Type: Bug Fix
Attachments: None
Description zhou ying 2015-11-04 01:55:29 EST
Description of problem:
Create a particular docker build strategy that only allows a certain user in a specific project to create builds, but the user can create builds on all projects with the admin role.

Version-Release number of selected component (if applicable):
openshift v1.0.7-109-g3cf7f3c
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
always

Steps to Reproduce:
1. Remove the docker build strategy resource from the default admin and edit roles:
     `oc edit clusterrole admin`
     `oc edit clusterrole edit`

2. Create a separate role for that build strategy:
   $ cat dockerstrategy.yaml
   kind: ClusterRole
   apiVersion: v1
   metadata:
     name: dockerbuilder
   rules:
   - resources:
     - builds/docker
     verbs:
     - create
   $ oc create -f dockerstrategy.yaml
3. Assign the cluster role to an individual user in a project:
   oadm policy add-role-to-user dockerbuilder devuser -n devproject
4. Check the user role.

Actual results:
The user can do docker builds on all projects with the admin role.

Expected results:
The user should be able to do docker builds only in the specific project.

Additional info:
Before adding the dockerbuilder role to devuser, devuser can't do docker builds in any project.
Comment 1 Cesar Wong 2015-11-04 09:56:59 EST
I cannot reproduce this in my initial attempt. Will try on the latest ami.
Comment 2 Cesar Wong 2015-11-04 10:26:11 EST
I cannot reproduce this on the latest AWS ami either.

Can you please include the output of:

oc policy who-can create builds/docker -n [project]

before you assign the role to the user and afterwards. Also show it for a project where you did assign the role and one where you didn't.
Comment 3 Cesar Wong 2015-11-04 11:09:42 EST
Please include the output of the commands for every namespace in your cluster (before and after adding the role to the user):

oc get clusterroles -o yaml
oc get clusterrolebindings -o yaml
oc get roles -o yaml
oc get rolebindings -o yaml
Comment 4 zhou ying 2015-11-05 01:28:34 EST
In the latest AMI, I also cannot reproduce this; will close this bug.
Before adding the role to the user:
[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouy
Namespace: zhouy
Verb:      create
Resource:  builds/docker

Users:  none

Groups: system:cluster-admins
        system:masters

[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouyt
Namespace: zhouyt
Verb:      create
Resource:  builds/docker

Users:  none

Groups: system:cluster-admins
        system:masters



After adding the role:
[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouyt
Namespace: zhouyt
Verb:      create
Resource:  builds/docker

Users:  devuser
        zhouy

Groups: system:cluster-admins
        system:masters

[root@ip-172-18-3-247 amd64]# oc policy who-can create builds/docker -n zhouy
Namespace: zhouy
Verb:      create
Resource:  builds/docker

Users:  none

Groups: system:cluster-admins
        system:masters
Comment 11 David Eads 2015-11-09 10:04:03 EST
The command `oadm policy add-cluster-role-to-user dockerbuilder devuser -n devproject` grants devuser the power of the dockerbuilder role in the entire cluster, not just the devproject namespace.

If you want to grant him the power only in devproject, try `oadm policy add-role-to-user dockerbuilder devuser -n devproject`
Comment 12 David Eads 2015-11-09 10:05:42 EST
Looks like your initial steps used the proper command:  

`oadm policy add-role-to-user dockerbuilder devuser -n devproject`

I'm returning this so you can confirm the correctness of the behavior before closing.
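The difference that Comments 11 and 12 turn on, namespace-scoped `add-role-to-user -n devproject` versus cluster-scoped `add-cluster-role-to-user`, is easy to see in a small model of the authorizer. The following is an added example, not OpenShift code and not anything posted in this bug: it models only ClusterRoles, role bindings and cluster role bindings (groups such as system:cluster-admins are left out), runs the report's steps 1 to 3 against a constructed second namespace `otherproject`, and then compares the two binding commands. Role, user and project names are the ones from the report; the default admin/edit rule contents are simplified placeholders.

```python
"""Constructed model of OpenShift role-binding scope (added example, not OpenShift code).
It reduces the authorizer to "which roles does a user hold in a namespace" so the
difference between `add-role-to-user -n NS` and `add-cluster-role-to-user` is visible.
Groups such as system:cluster-admins are deliberately not modelled."""
from dataclasses import dataclass, field
from typing import NamedTuple

@dataclass
class Rule:
    resources: set
    verbs: set

@dataclass
class ClusterRole:
    name: str
    rules: list = field(default_factory=list)

class RoleBinding(NamedTuple):
    """Namespace-scoped: what `oadm policy add-role-to-user ROLE USER -n NS` creates."""
    role: str
    user: str
    namespace: str

class ClusterRoleBinding(NamedTuple):
    """Cluster-scoped: what `oadm policy add-cluster-role-to-user ROLE USER` creates;
    it applies in every namespace, whatever -n was given on the command line."""
    role: str
    user: str

class Policy:
    def __init__(self):
        self.cluster_roles, self.bindings = {}, set()

    def add_cluster_role(self, role):
        self.cluster_roles[role.name] = role

    def remove_resource_from_role(self, role_name, resource):
        """Step 1 of the report: `oc edit clusterrole` to drop a resource from a role."""
        for rule in self.cluster_roles[role_name].rules:
            rule.resources.discard(resource)

    def add_role_to_user(self, role, user, namespace):
        self.bindings.add(RoleBinding(role, user, namespace))

    def add_cluster_role_to_user(self, role, user):
        self.bindings.add(ClusterRoleBinding(role, user))

    def roles_for(self, user, namespace):
        """Cluster role bindings apply everywhere; role bindings only in their own namespace."""
        names = {b.role for b in self.bindings if b.user == user
                 and (isinstance(b, ClusterRoleBinding) or b.namespace == namespace)}
        return [self.cluster_roles[n] for n in names if n in self.cluster_roles]

    def can(self, user, verb, resource, namespace):
        return any(verb in rule.verbs and resource in rule.resources
                   for role in self.roles_for(user, namespace) for rule in role.rules)

    def who_can(self, verb, resource, namespace):
        """Users-only view of `oc policy who-can VERB RESOURCE -n NS`."""
        users = {b.user for b in self.bindings}
        return sorted(u for u in users if self.can(u, verb, resource, namespace))

PROJECTS = ("devproject", "otherproject")   # otherproject is a constructed second namespace

def build_policy():
    """Cluster state after steps 1 and 2 of the report (default roles simplified)."""
    p = Policy()
    for name in ("admin", "edit"):
        p.add_cluster_role(ClusterRole(name, [Rule({"builds", "builds/docker", "pods"},
                                                   {"get", "list", "create", "delete"})]))
    # dockerstrategy.yaml from the report: only `create` on builds/docker
    p.add_cluster_role(ClusterRole("dockerbuilder", [Rule({"builds/docker"}, {"create"})]))
    p.remove_resource_from_role("admin", "builds/docker")   # step 1
    p.remove_resource_from_role("edit", "builds/docker")
    # devuser is project admin in both projects; with the strategy stripped from
    # admin, no docker build is possible anywhere (the "Additional info" baseline)
    for ns in PROJECTS:
        p.add_role_to_user("admin", "devuser", ns)
    return p

def docker_build_access(cluster_wide):
    """devuser's ability to create builds/docker per project, before and after the
    dockerbuilder binding, plus the `who-can` view after it."""
    p = build_policy()
    before = {ns: p.can("devuser", "create", "builds/docker", ns) for ns in PROJECTS}
    if cluster_wide:
        p.add_cluster_role_to_user("dockerbuilder", "devuser")        # command in comment 11
    else:
        p.add_role_to_user("dockerbuilder", "devuser", "devproject")  # step 3 of the report
    after = {ns: p.can("devuser", "create", "builds/docker", ns) for ns in PROJECTS}
    who = {ns: p.who_can("create", "builds/docker", ns) for ns in PROJECTS}
    return before, after, who

if __name__ == "__main__":
    for cluster_wide in (False, True):
        label = "add-cluster-role-to-user" if cluster_wide else "add-role-to-user -n devproject"
        print(label, *docker_build_access(cluster_wide), sep="\n  ")
```

With the namespace-scoped binding, devuser shows up under `who-can` only in devproject; with the cluster-scoped binding the same user appears in every project, which is the "can build everywhere" symptom the report describes. The practical check is the one Cesar asked for in Comment 2: run `oc policy who-can create builds/docker -n <project>` in a project where the role was bound and in one where it was not, and expect the user in the first list only.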
