1383240 – [atomic registry]Can't add username with email address format to project

Bug 1383240 - [atomic registry]Can't add username with email address format to project

Summary: [atomic registry]Can't add username with email address format to project

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Management Console
Sub Component:
Version:	3.3.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.4.z
Assignee:	Dominik Perpeet
QA Contact:	DeShuai Ma
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-10-10 09:31 UTC by DeShuai Ma
Modified:	2017-03-02 20:58 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-02 20:58:34 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:0434	0	normal	SHIPPED_LIVE	OpenShift Container Platform registry-console image bug fix update	2017-03-03 02:08:26 UTC

Description DeShuai Ma 2016-10-10 09:31:06 UTC

Description of problem:
When add member to projects, if the user name is email address format, it can't be added, always tip 'The member name contains invalid characters.'

Version-Release number of selected component (if applicable):
openshift v3.3.1.1
registry-console image id: 57a566a04a79  brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/registry-console

How reproducible:
Always

Steps to Reproduce:
1. Login registry-console
2. Click projects and select your project
3. Click 'Add member'
4. Input user with email address format

Actual results:
4. Tip 'The member name contains invalid characters.'

Expected results:
4. Add user successfully

Additional info:
[root@host-8-175-118 dma]# oc get users
NAME                  UID                                    FULL NAME             IDENTITIES
dma        6cdfd35b-8ebf-11e6-af1d-fa163ef84c30   dma        LDAP_auth:uid=dma,ou=People,dc=my-domain,dc=com

Comment 2 Martin Pitt 2017-01-19 16:37:23 UTC

Please forgive my ignorance, I'm new to all this. Are user names in the form of an email address even valid in OpenShift? I am looking at

  https://docs.openshift.com/container-platform/3.4/architecture/core_concepts/projects_and_users.html

and there is no indication about email-style user names? Is there some documentation/specification that suggests that it is? Thanks!

Comment 3 Yadan Pei 2017-01-20 08:48:39 UTC

Hi Martin,

For OpenShift, we have multiple authentication methods(https://docs.openshift.com/container-platform/3.4/install_config/configuring_authentication.html#install-config-configuring-authentication), if we could add email-style user name successfully for one authentication method then we should take user name in the form of email address as valid for OpenShift.

Does this answer your question?

Comment 4 DeShuai Ma 2017-01-20 08:57:02 UTC

User names in the form of email address is valid in openshift.
On master get users, we can see:
[root@openshift-105 ~]# oc get users|grep test
test1     5aa46fbc-deed-11e6-87db-fa163ea061ca               allow_all:test1
test      292c7804-deed-11e6-87db-fa163ea061ca               allow_all:test

But in registry-console can't add email format user to project.

Comment 5 Martin Pitt 2017-01-23 10:22:57 UTC

Apparently OpenShift itself does not make any restrictions wrt. member names. Email format works fine:

[root@f1 ~]# oc patch --namespace=marmalade policybinding ':default' -p '{"roleBindings":[{"name":"edit","roleBinding":{"metadata":{"name":"edit","namespace":"marmalade"},"userNames":["foo"],"groupNames":null,"subjects":[{"kind":"User","name":"foo"},{"kind":"User","name":"foo"}],"roleRef":{"name":"edit"}}}]}'

[root@f1 ~]# oc get rolebindings
NAME      ROLE      USERS             GROUPS    SERVICE ACCOUNTS   SUBJECTS
edit      /edit     foo                                


But even a completely ridiculous one works:

# oc patch --namespace=marmalade policybinding ':default' -p '{"roleBindings":[{"name":"edit","roleBinding":{"metadata":{"name":"edit","namespace":"marmalade"},"userNames":["foo ^ bar"],"groupNames":null,"subjects":[{"kind":"User","name":"foo ^ bar"},{"kind":"User","name":"foo ^ bar"}],"roleRef":{"name":"edit"}}}]}'

[root@f1 ~]# oc get rolebindings
NAME      ROLE      USERS       GROUPS    SERVICE ACCOUNTS   SUBJECTS
edit      /edit     foo ^ bar

So it seems fine to me to make this more liberal in the registry.

Comment 6 Martin Pitt 2017-01-23 14:16:49 UTC

kubernetes also supports/suggests email-style user names: https://kubernetes.io/docs/admin/authentication/

Comment 7 Martin Pitt 2017-01-23 14:58:47 UTC

Fix proposed in https://github.com/cockpit-project/cockpit/pull/5785

Comment 8 Dominik Perpeet 2017-01-25 12:00:00 UTC

Merged upstream, will be part of Cockpit 130

Comment 9 Dominik Perpeet 2017-01-25 12:01:26 UTC

upstream commit with fix: https://github.com/cockpit-project/cockpit/commit/ba6896c3c1c9eeba32d9b146f3e9475fd7071f3d

Comment 10 Troy Dawson 2017-02-27 21:35:07 UTC

This is fixed in 3.4 with image
  openshift3/registry-console:3.4-4

Those images should be in the usual testing areas for testing.

Comment 12 DeShuai Ma 2017-02-28 09:43:01 UTC

Verify on openshift3/registry-console:3.4-4, now can add member with email address format.

Comment 14 errata-xmlrpc 2017-03-02 20:58:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0434

Note You need to log in before you can comment on or make changes to this bug.