Bug 1321766 - Docker/custom build is not forbidden in Online env
Summary: Docker/custom build is not forbidden in Online env
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Website
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assignee: Dan Mace
QA Contact: Yanping Zhang
 
Reported: 2016-03-29 06:14 UTC by Wenjing Zheng
Modified: 2016-05-23 15:09 UTC

Doc Type: Bug Fix
Last Closed: 2016-05-23 15:09:58 UTC

Description Wenjing Zheng 2016-03-29 06:14:33 UTC
Description of problem:
Docker build or custom build is still possible in the Online env.

Version-Release number of selected component (if applicable):
3.2 Online
openshift v3.2.0.6
kubernetes v1.2.0-36-g4a3f9c5
etcd 2.2.

How reproducible:
always

Steps to Reproduce:
1. Do a docker/custom build after logging into the Online env

Actual results:
Docker/custom build is successful.

Expected results:
Cannot docker/custom build in Online env

Additional info:

Comment 1 Abhishek Gupta 2016-03-30 02:34:21 UTC
This should not have been a problem assuming the two issues below have been configured correctly. I'll verify the configuration on INT tomorrow.

https://github.com/openshift/online/issues/65
https://github.com/openshift/online/issues/63

Comment 2 Abhishek Gupta 2016-04-01 23:34:58 UTC
Dan: Can you please take a look?

Comment 3 Dan Mace 2016-04-04 14:43:25 UTC
I believe the issue is project owners are getting bound to the /admin role rather than /openshift-online:admin: https://github.com/openshift/online/blob/master/config/project-request.json#L116-L136

Will verify a fix and open a PR.

Comment 4 Dan Mace 2016-04-04 15:59:53 UTC
Fixed by https://github.com/openshift/online/pull/88.

Comment 5 Wenjing Zheng 2016-04-05 09:25:36 UTC
QE will verify when the PR is merged into the Online env.

Comment 6 Dan Mace 2016-04-05 12:20:24 UTC
The fix is merged and deployed to INT, feel free to test.

Comment 7 Wenjing Zheng 2016-04-06 10:01:34 UTC
Have checked on dev-preview-int, still haven't seen the fix.

Comment 8 Dan Mace 2016-04-06 13:53:01 UTC
(In reply to Wenjing Zheng from comment #7)
> Have checked on dev-preview-int, still haven't seen the fix.

Can you please give more detail about which user is affected? I forgot to mention when I fixed the bug that existing accounts will still have the incorrect roles and only NEW users will have the corrected roles.

Please make sure to test with a new user, and if the problem persists, let me know which username has the escalated privileges.

Thanks!

Comment 9 Wenjing Zheng 2016-04-07 06:11:46 UTC
Yes, if using a newly created account, docker/custom build is forbidden. But how do we make the existing accounts have the correct roles?

Comment 10 Dan Mace 2016-04-07 14:06:40 UTC
(In reply to Wenjing Zheng from comment #9)
> Yes, if using a newly created account, docker/custom build is forbidden. But
> how do we make the existing accounts have the correct roles?

We're not going to update the existing accounts; they'll need to be deleted and recreated.
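
An added example (not part of the original thread or the openshift/online repository): a Python audit that lists subjects still bound to the `admin` role instead of `openshift-online:admin`, the state comments 8 to 10 describe for existing accounts. It assumes input shaped like `oc get rolebindings --all-namespaces -o json` and that the leading `/` in comment 3 denotes a cluster-scoped role; the sample data is constructed.

```python
import json

# Role names come from comment 3; the JSON layout below is an assumption.
LEGACY_ROLE = "admin"
EXPECTED_ROLE = "openshift-online:admin"

# Constructed sample shaped like `oc get rolebindings --all-namespaces -o json`.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        # Account created before the fix: owner bound to the broad role.
        {"metadata": {"name": "admin", "namespace": "old-user-proj"},
         "roleRef": {"name": "admin"},
         "subjects": [{"kind": "User", "name": "old-user"}]},
        # Account created after the fix: owner bound to the restricted role.
        {"metadata": {"name": "admin", "namespace": "new-user-proj"},
         "roleRef": {"name": "openshift-online:admin"},
         "subjects": [{"kind": "User", "name": "new-user"}]},
        # Unrelated system binding that must not be flagged.
        {"metadata": {"name": "system:image-pullers", "namespace": "old-user-proj"},
         "roleRef": {"name": "system:image-puller"},
         "subjects": [{"kind": "SystemGroup",
                       "name": "system:serviceaccounts:old-user-proj"}]},
        # Project-local role that happens to be named "admin" (roleRef.namespace set).
        {"metadata": {"name": "local-admin", "namespace": "team-proj"},
         "roleRef": {"name": "admin", "namespace": "team-proj"},
         "subjects": [{"kind": "User", "name": "carol"}]},
    ],
})

def find_legacy_admin_bindings(rolebindings_json):
    """Return sorted (namespace, binding, subject) tuples bound to cluster role LEGACY_ROLE."""
    findings = []
    for rb in json.loads(rolebindings_json).get("items", []):
        ref = rb.get("roleRef") or {}
        # A roleRef carrying a namespace points at a project-local role, not the cluster one.
        if ref.get("name") != LEGACY_ROLE or ref.get("namespace"):
            continue
        meta = rb.get("metadata", {})
        for subj in rb.get("subjects") or []:
            findings.append((meta.get("namespace"), meta.get("name"),
                             f'{subj.get("kind")}/{subj.get("name")}'))
    return sorted(findings)

if __name__ == "__main__":
    for ns, binding, subject in find_legacy_admin_bindings(SAMPLE):
        print(f"{ns}: binding {binding!r} grants {LEGACY_ROLE!r} to {subject}; "
              f"expected {EXPECTED_ROLE!r}")
```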

Comment 11 Wenjing Zheng 2016-04-08 02:43:40 UTC
Thanks, Dan!
Per comment #9, verify this bug now.

Comment 12 Aleksandar Kostadinov 2016-04-27 11:00:26 UTC
Why didn't we change the default role permissions instead of creating a new role?

