Bug 1336345 - Build strategy Docker and custom should not be allowed in dev-preview-stg
Summary: Build strategy Docker and custom should not be allowed in dev-preview-stg
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Build
Version: 3.x
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Dan Mace
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On:
Blocks: OSOPS_V3
TreeView+ depends on / blocked
 
Reported: 2016-05-16 08:44 UTC by mdong
Modified: 2016-06-23 17:32 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-23 17:32:44 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description mdong 2016-05-16 08:44:39 UTC
Description of problem:
When generate a build using build strategy with Docker, it should be failed due to build strategy Docker is not allowed.


Version-Release number of selected component (if applicable):
dev-preview-stg
openshift v3.2.0.44
kubernetes v1.2.0-36-g4a3f9c5
etcd 2.2.5

How reproducible:


Steps to Reproduce:
1. Create a project named: test
2. Run the command to generated build:
oc new-build centos/ruby-22-centos7~https://github.com/openshift/ruby-hello-world.git --name=docker-bc --strategy=docker
3.

Actual results:
Build completed.

Expected results:
error: buildconfigs "docker-bc" is forbidden: build strategy Docker is not allowed


Additional info:
Custom build can be created successfully in dev-preview-stg, but it should not be allowed.  
The same behavior is for new user and existed user.

Comment 1 Ben Parees 2016-05-16 14:16:56 UTC
I assume this is an auth/role configuration issue in dev-preview-stg.

Comment 2 Abhishek Gupta 2016-05-16 23:53:06 UTC
The custom roles that we have in Online seem to be configured correctly. Also, the project template seems to correctly link to the customer project admin role (openshift-online:admin). However, I believe the issue is that the "system:authenticated" group seems to have access to do a docker build. I am not sure if this is a recent change. If this is indeed the issue (need to run it past David/Jordan), then we just need to remove build access for docker and custom strategies from the system:authenticated group.

----------------
This is from Dev Preview STG.

$ oc policy who-can create builds/docker
Users:  system:serviceaccount:openshift-infra:build-controller

Groups: system:authenticated
        system:cluster-admins
        system:masters


$ oc policy who-can create builds/custom
Users:  system:serviceaccount:openshift-infra:build-controller

Groups: system:authenticated
        system:cluster-admins
        system:masters

Comment 3 Abhishek Gupta 2016-05-17 00:01:22 UTC
David: Can you please take a quick look at the bug and see if my comment above does actually highlight the problem. If not, any pointers on what to consider would be helpful.

Comment 4 David Eads 2016-05-17 15:13:17 UTC
Roles were recently added to change the way that permission was assigned.  Try removing system:authenticated from system:build-strategy-docker and system:build-strategy-custom.

Comment 5 Dan Mace 2016-05-17 18:37:16 UTC
Will be resolved with https://github.com/openshift/online/issues/144

Comment 6 mdong 2016-05-18 02:24:52 UTC
Verified against dev-preview-stg


Note You need to log in before you can comment on or make changes to this bug.