Bug 1328822 - build strategy Source is not allowed after upgrade
build strategy Source is not allowed after upgrade
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Upgrade
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Assigned To: Scott Dodson
QA Contact: Anping Li
Keywords: TestBlocker
Reported: 2016-04-20 07:14 EDT by Anping Li
Modified: 2017-04-14 04:42 EDT (History)

Doc Type: Bug Fix
Last Closed: 2016-05-12 12:36:16 EDT
Type: Bug
Attachments
upgrade logs for this issue (89.79 KB, application/x-gzip)
2016-04-20 07:14 EDT, Anping Li


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1064 normal SHIPPED_LIVE Important: Red Hat OpenShift Enterprise 3.2 security, bug fix, and enhancement update 2016-05-12 16:19:17 EDT
Description Anping Li 2016-04-20 07:14:18 EDT
Created attachment 1149038
upgrade logs for this issue

Description of problem:

Install OSE 3.1 using the v3.2 playbooks, and then upgrade it to OSE 3.2. After the upgrade, the build failed because the cluster-role-binding and SCC reconciliation didn't take effect.

Version-Release number of selected component (if applicable):
openshift-ansible-filter-plugins-3.0.80

How reproducible:
always

Steps to Reproduce:
1. install OSE 3.1 using openshift-ansible-filter-plugins-3.0.80
2. As a normal user, create a new project and create the cakephp-mysql-example application
3. upgrade to OSE 3.2
4. build applications
   oc start-build cakephp-mysql-example
5. check role reconcile
   oadm policy reconcile-cluster-roles
   oadm policy reconcile-cluster-role-bindings
   oadm policy reconcile-sccs --confirm

Actual results:
4. build failed
# oc start-build cakephp-mysql-example
Error from server: buildconfigs "cakephp-mysql-example" is forbidden: build strategy Source is not allowed

5. policy reconcile for cluster-role-bindings and sccs didn't take effect.
# oadm policy reconcile-cluster-roles
[root@osecontain-master1 ~]# 

# oadm policy reconcile-cluster-role-bindings
apiVersion: v1
items:
- apiVersion: v1
  groupNames:
  - system:authenticated:oauth
  - system:authenticated
 <--skip--->
 <--skip--->
  subjects:
  - kind: SystemGroup
    name: system:authenticated
  userNames: null
kind: List
metadata: {}

# oadm policy reconcile-sccs
apiVersion: v1
items:
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegedContainer: false
  allowedCapabilities: null
  apiVersion: v1
  defaultAddCapabilities: null
  fsGroup:
    type: RunAsAny
  kind: SecurityContextConstraints

<--skip--->
<--skip--->
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - secret
kind: List
metadata: {}

Expected results:


Additional info:
Comment 1 Brenton Leanhardt 2016-04-21 09:53:53 EDT
We had two of the developers familiar with policy review the commands that were being run and we made one update:

https://github.com/openshift/openshift-ansible/pull/1784

Aside from that it seems one potential problem is that the commands run as part of the test don't match exactly what we're running.  We're setting a lot of --exclude flags on the reconcile-cluster-role-bindings call for example.  It makes me wonder if we should update the test case.

Now, as to why you could run the build after upgrade, we should continue to debug that if it's reproducible.  I wasn't able to reproduce it but I'll try again when I get a chance.
Comment 3 Brenton Leanhardt 2016-04-22 07:53:23 EDT
Jordan, could this be related to https://github.com/openshift/origin/pull/8528 in any way?  The timing of 3.2.0.18 and that PR is pretty close.
Comment 4 Jordan Liggitt 2016-04-22 09:38:56 EDT
https://github.com/openshift/origin/pull/8528 did the following:
1. removed source build permission from the admin role
2. added a new role containing only source build permission
3. changed the default policy to give the new role to all authenticated users

When ansible automatically reconciles policy on upgrade, it should do the following:
1. update roles with any new permissions
2. update any default role grants (EXCLUDING new grants to all authenticated users)

When ansible does step 1, it runs reconcile-cluster-roles, and doesn't specify --additive-only=true mode:
https://github.com/openshift/openshift-ansible/blob/master/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml#L151

That means the source build permission was removed from the existing admin role, and the new role wasn't given to all users (since we don't automatically grant new roles to all users on upgrade).

We should update ansible to run the role reconcile in --additive-only=true mode as well.

I also think we should change the command's default to `true`, to avoid removing permissions from existing working policies. If cluster admins want to tighten roles to their default permissions, they can always run the command in --additive-only=false themselves.
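To make the mechanism in this comment concrete, the following is an added toy model (not OpenShift's or the openshift-ansible project's code) of how role reconciliation behaves with and without --additive-only, together with the upgrade rule that excludes new grants to all authenticated users. The role names, rule strings and the user "alice" are constructed stand-ins for the real defaults.

```python
# Toy model of reconcile-cluster-roles / reconcile-cluster-role-bindings in full
# versus --additive-only mode. Constructed example, not OpenShift code.
from copy import deepcopy

# Constructed pre-upgrade state: the 3.1 admin role still carries builds/source.
EXISTING_ROLES = {"admin": {"builds", "builds/source", "builds/docker"}}
EXISTING_BINDINGS = {"admin": {"user:alice"}}

# Constructed 3.2 defaults, modelled on the change described in this bug: source
# build permission moved out of admin into a new role granted to all users.
DEFAULT_ROLES = {
    "admin": {"builds", "builds/docker"},
    "system:build-strategy-source": {"builds/source"},
}
DEFAULT_BINDINGS = {"system:build-strategy-source": {"system:authenticated"}}

EVERYONE = "system:authenticated"  # implicit group of every logged-in user


def reconcile_roles(existing, defaults, additive_only):
    """Create missing roles; merge (additive) or overwrite (full) existing ones."""
    roles = deepcopy(existing)
    for name, rules in defaults.items():
        if additive_only and name in roles:
            roles[name] |= rules           # never drop an existing permission
        else:
            roles[name] = set(rules)       # full reconcile resets to the default
    return roles


def reconcile_bindings(existing, defaults):
    """Add default grants, but skip NEW grants to all authenticated users."""
    bindings = deepcopy(existing)
    for role, subjects in defaults.items():
        for subject in subjects:
            if subject == EVERYONE and subject not in existing.get(role, set()):
                continue                   # upgrade rule: exclude new all-users grants
            bindings.setdefault(role, set()).add(subject)
    return bindings


def can_start_source_build(user, roles, bindings):
    """True if any role bound to the user (or to everyone) allows builds/source."""
    return any("builds/source" in roles.get(role, set())
               for role, subjects in bindings.items()
               if user in subjects or EVERYONE in subjects)


def after_upgrade(additive_only):
    """Whether alice can still start a Source build once reconciliation has run."""
    roles = reconcile_roles(EXISTING_ROLES, DEFAULT_ROLES, additive_only)
    bindings = reconcile_bindings(EXISTING_BINDINGS, DEFAULT_BINDINGS)
    return can_start_source_build("user:alice", roles, bindings)
```

Running `after_upgrade(False)` reproduces the forbidden build from the report, while `after_upgrade(True)` keeps the permission alice already had.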
Comment 5 Jordan Liggitt 2016-04-22 11:46:43 EDT
Ansible fix in https://github.com/openshift/openshift-ansible/pull/1791

Origin fix in https://github.com/openshift/origin/pull/8603

Either is sufficient to resolve this bz
Comment 6 Scott Dodson 2016-04-22 13:10:29 EDT
https://github.com/openshift/openshift-ansible/pull/1791 has merged
Comment 7 Troy Dawson 2016-04-22 16:34:42 EDT
Should be fixed in openshift-ansible-3.0.84-1.git.0.04b5245.el7
Comment 8 Anping Li 2016-04-24 21:59:41 EDT
We can do a build after upgrade with the fix, so move bug to verified.
Comment 10 errata-xmlrpc 2016-05-12 12:36:16 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064
