Description of problem:
When generating a build using the Docker build strategy, it should fail because build strategy Docker is not allowed.

Version-Release number of selected component (if applicable):
dev-preview-stg
openshift v3.2.0.44
kubernetes v1.2.0-36-g4a3f9c5
etcd 2.2.5

How reproducible:

Steps to Reproduce:
1. Create a project named: test
2. Run the command to generate the build:
   oc new-build centos/ruby-22-centos7~https://github.com/openshift/ruby-hello-world.git --name=docker-bc --strategy=docker
3.

Actual results:
Build completed.

Expected results:
error: buildconfigs "docker-bc" is forbidden: build strategy Docker is not allowed

Additional info:
Custom build can be created successfully in dev-preview-stg, but it should not be allowed. The behavior is the same for new users and existing users.
I assume this is an auth/role configuration issue in dev-preview-stg.
The custom roles that we have in Online seem to be configured correctly. Also, the project template seems to correctly link to the customer project admin role (openshift-online:admin).

However, I believe the issue is that the "system:authenticated" group seems to have access to do a docker build. I am not sure if this is a recent change. If this is indeed the issue (need to run it past David/Jordan), then we just need to remove build access for docker and custom strategies from the system:authenticated group.

----------------
This is from Dev Preview STG.

$ oc policy who-can create builds/docker
Users:  system:serviceaccount:openshift-infra:build-controller

Groups: system:authenticated
        system:cluster-admins
        system:masters

$ oc policy who-can create builds/custom
Users:  system:serviceaccount:openshift-infra:build-controller

Groups: system:authenticated
        system:cluster-admins
        system:masters
David: Can you please take a quick look at the bug and see if my comment above does actually highlight the problem. If not, any pointers on what to consider would be helpful.
Roles were recently added to change the way that permission was assigned. Try removing system:authenticated from system:build-strategy-docker and system:build-strategy-custom.
Will be resolved with https://github.com/openshift/online/issues/144
Verified against dev-preview-stg
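
An added example, not part of the bug thread or of OpenShift itself: a regression check that parses `oc policy who-can` output like that quoted above and reports any restricted build strategy that an all-user group can create. The function names, the BROAD_GROUPS set and the AFTER sample are assumptions of this example; the sample text is constructed from the output in the thread.

```python
# Groups that match every user; the choice of set is an assumption of this example.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed samples. BEFORE mirrors the who-can output quoted in the thread;
# AFTER is a hypothetical result once system:authenticated has been removed.
BEFORE = """\
Users:  system:serviceaccount:openshift-infra:build-controller

Groups: system:authenticated
        system:cluster-admins
        system:masters
"""
AFTER = """\
Users:  system:serviceaccount:openshift-infra:build-controller

Groups: system:cluster-admins
        system:masters
"""


def parse_who_can(text):
    """Split `oc policy who-can` output into its Users and Groups lists.

    Token-based, so it accepts one subject per line as well as output that
    has been flattened onto a single line.
    """
    subjects = {"Users": [], "Groups": []}
    current = None
    for token in text.split():
        if token in ("Users:", "Groups:"):
            current = token[:-1]
        elif current is not None:
            subjects[current].append(token)
    return subjects


def broad_grants(outputs):
    """Return sorted (resource, group) pairs where an all-user group may create the resource."""
    findings = []
    for resource, text in outputs.items():
        for group in parse_who_can(text)["Groups"]:
            if group in BROAD_GROUPS:
                findings.append((resource, group))
    return sorted(findings)


if __name__ == "__main__":
    report = broad_grants({"builds/docker": BEFORE, "builds/custom": BEFORE})
    for resource, group in report:
        print(f"FAIL: {group} can create {resource}")
    print("clean after fix:", broad_grants({"builds/docker": AFTER}) == [])
```

In practice the dictionary values would be the captured output of the two `oc policy who-can create builds/...` commands shown in the thread, run after each policy or role change.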