Description of problem:
Project admin adds a second user with only the 'pull' role. When the second user logs in, the imagestream page should not show the 'docker tag' and 'docker push' messages.

Version-Release number of selected component (if applicable):
openshift3/registry-console:3.3

How reproducible:
Always

Steps to Reproduce:
1. Log in to the registry console with user1;
3. Create a new project "test" which allows only specific users or groups to pull images, and create some imagestreams;
4. Go to the Projects page and select "test" from the list;
5. Click "Add Member";
6. Assign the Pull role to user "userpull";
7. Log in to the registry console with "userpull";
8. Go to the Images page and select one Image Stream

Actual results:
8. Shows the 'docker tag' and 'docker push' messages on the Image Stream page;

Expected results:
8. Should not show the 'docker tag' and 'docker push' messages when the user has only the 'pull' role.

Additional info:
Confirming. Just to make sure that I understand this right: this does not only affect the image stream page (e.g. http://localhost:9090/kubernetes/registry#/images/default/busybox) but also the "Image Registry → Overview" page (http://localhost:9090/kubernetes/registry), which has very similar info at the bottom.

Note to self: The former page is generated by <https://github.com/openshift/registry-image-widgets>, not by cockpit.git.
Created attachment 1246626 [details]
cockpit test case for this bug

I'm afraid this is tricky to fix. When being logged in as a user which is not admin, but only has registry-view or -editor (i.e. "Pull" vs. "Push" role), then you can't get any kind of information about your own role even. In this example (cockpit openshift test image), "amanda" is a push user:

[root@f1 ~]# oc whoami
amanda
[root@f1 ~]# oc get images
User "amanda" cannot list all images in the cluster
[root@f1 ~]# oc describe roleBindings -n marmalade
User "amanda" cannot list rolebindings in project "marmalade"
[root@f1 ~]# oc describe policyBindings :default -n marmalade
Error from server: User "amanda" cannot get policybindings in project "marmalade"

This also reflects in the fact that https://SERVER:9090/kubernetes/registry#/projects does not show any users/projects, not even the ones from the user.

I attach the cockpit test case which reproduces this, to avoid losing it.
I filed bug 1418979 about the underlying permissions issue in OpenShift. Could someone with the right privileges make this bug block on 1418979, please?
Not sure if added correctly.
Hi Martin, it seems we should add 1373448 to the 'Blocks' field in bug 1418979. What I did was wrong, I think.
yapei: Exactly the other way around: This block depends on 1418979, or that bug blocks this one (it doesn't matter on which you set it, I think, the other bug will then get the opposite relation).
Dan gave me the right hint: "oc policy can-i update imagestreamimages" does the trick.
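The check from the comment above, as an added shell example that is not cockpit's own code: it asks the access question directly instead of reading role bindings, and fails closed when the check errors. The function names, the registry argument and the docker command lines are illustrative, and it assumes `oc policy can-i` prints "yes" when the action is allowed.

```shell
#!/bin/sh
# Added example: decide which registry hints to show from a self access
# check, because a pull/push user cannot list role bindings (see above).

# can_push PROJECT
# Succeeds only when the current user may update imagestreamimages in
# PROJECT. An error (not logged in, API unreachable) or any answer other
# than "yes" counts as "not allowed", so push hints are never shown by
# accident.
can_push() {
    answer=$(oc policy can-i update imagestreamimages -n "$1" 2>/dev/null) || return 1
    [ "$answer" = "yes" ]
}

# image_hints PROJECT REGISTRY STREAM
# Prints the commands a console page would offer to the current user.
# REGISTRY and the command lines are illustrative, not the console's text.
image_hints() {
    project=$1
    registry=$2
    stream=$3
    echo "docker pull $registry/$project/$stream"
    if can_push "$project"; then
        echo "docker tag myimage $registry/$project/$stream:tag"
        echo "docker push $registry/$project/$stream:tag"
    fi
}
```

Run as the pull-only user, `image_hints test registry.example:5000 busybox` should print only the pull line.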
Fix in progress at https://github.com/cockpit-project/cockpit/pull/5985
First part of the fix now landed: https://github.com/cockpit-project/cockpit/commit/d3d9802aeb4 . This covers the necessary API and the Registry Overview page. I'll work on the corresponding fix on the image stream page soon.
Second half of the fix: https://github.com/cockpit-project/cockpit/pull/6351
This was fixed in cockpit-kubernetes 139. I really hope that current OCP releases have a newer version than that?
# oc rsh registry-console-1-htbfm rpm -qa|grep cockpit
cockpit-bridge-155-1.el7.x86_64
cockpit-kubernetes-155-1.el7.x86_64
cockpit-ws-155-1.el7.x86_64
cockpit-dashboard-172-2.el7.x86_64
cockpit-system-155-1.el7.noarch

Checked on an OCP env with the above cockpit packages. There is a "Log Out" button on the page now. The bug has been fixed.
Sorry, the verification is for another bug, pasted in the wrong place. Please ignore Comment 15.
# oc rsh registry-console-1-htbfm rpm -qa|grep cockpit
cockpit-bridge-155-1.el7.x86_64
cockpit-kubernetes-155-1.el7.x86_64
cockpit-ws-155-1.el7.x86_64
cockpit-dashboard-172-2.el7.x86_64
cockpit-system-155-1.el7.noarch

Checked on an OCP env with the above cockpit packages. There are still 'docker tag' and 'docker push' messages on the imagestream page when the user only has the pull role. The bug is not fixed in this cockpit version.
OCP 3.6-3.10 is no longer on full support [1]. Marking un-triaged bugs CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Version to the appropriate version where reproduced. [1]: https://access.redhat.com/support/policy/updates/openshift