Created attachment 1212647 [details]
Failed to list appliedclusterresourcequotas/v1 (403)

Description of problem:

Since the upgrade of online developer preview to 3.3, the limit range values have not been showing in the quota page. In trying to show them the browser gives a pop up giving error:

Failed to list appliedclusterresourcequotas/v1 (403)

Version-Release number of selected component (if applicable):

$ oc whoami -c
python-demos/api-preview-openshift-com:443/GrahamDumpleton

$ oc version
oc v1.3.0
kubernetes v1.3.0+52492b4
features: Basic-Auth

Server https://api.preview.openshift.com:443
openshift v3.3.1.3
kubernetes v1.3.0+52492b4

How reproducible:

Always occurs.

Steps to Reproduce:

Go to quotas page.

May though be restricted to specific accounts. This account was created very early and so may not have applied certain objects if later on was changed to create clusterresourcequotas for users.

Actual results:

Fails to show limit ranges.

Expected results:

Should show limit ranges and not show error.

Additional info:

See screenshot attached.
There are actually two things going on here:

1) applied cluster resource quota should not be returning a 403, we need more details on the error message you are getting back on the request

2) the limit ranges are being intentionally hidden by custom CSS in online, this was a decision by the Online folks, I believe Jake did this. However in 3.3 the Limit Range header is no longer getting hidden by that custom CSS.
It doesn't look like we're going to be able to hide the heading using CSS in OpenShift 3.3.
Agreed with Jake that the console needs to provide a wrapper around this section with a unique enough class name that it can be easily hidden.
Content of error response returned to browser is:

{kind: "Status", apiVersion: "v1", metadata: {}, status: "Failure",…}
  apiVersion : "v1"
  code : 403
  details : {kind: "appliedclusterresourcequotas"}
    kind : "appliedclusterresourcequotas"
  kind : "Status"
  message : "User "GrahamDumpleton" cannot list appliedclusterresourcequotas in project "python-demos""
  metadata : {}
  reason : "Forbidden"
  status : "Failure"

Same if use oc command line. Remember this is a very old account and so if roles have been getting modified as went along, they may not have been applied back onto old accounts.

$ oc get appliedclusterresourcequotas
User "GrahamDumpleton" cannot list appliedclusterresourcequotas in project "python-demos"

grumpy-old-man:s2i-minimal-notebook graham$ oc get appliedclusterresourcequotas --loglevel 9
I1026 09:30:14.118078 40192 loader.go:330] Config loaded from file /Users/graham/.kube/config
I1026 09:30:14.120125 40192 round_trippers.go:299] curl -k -v -XGET -H "User-Agent: oc/v1.3.1 (darwin/amd64) openshift/dad658d" -H "Authorization: Bearer ..." -H "Accept: application/json, */*" https://api.preview.openshift.com:443/oapi
I1026 09:30:15.270052 40192 round_trippers.go:318] GET https://api.preview.openshift.com:443/oapi 200 OK in 1149 milliseconds
I1026 09:30:15.270106 40192 round_trippers.go:324] Response Headers:
I1026 09:30:15.270118 40192 round_trippers.go:327] Content-Length: 93
I1026 09:30:15.270129 40192 round_trippers.go:327] Cache-Control: no-store
I1026 09:30:15.270138 40192 round_trippers.go:327] Content-Type: application/json
I1026 09:30:15.270147 40192 round_trippers.go:327] Date: Tue, 25 Oct 2016 22:30:15 GMT
I1026 09:30:15.270238 40192 request.go:901] Response Body: {"kind":"APIVersions","apiVersion":"v1","versions":["v1"],"serverAddressByClientCIDRs":null}
I1026 09:30:15.270762 40192 round_trippers.go:299] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: oc/v1.3.1 (darwin/amd64) openshift/dad658d" -H "Authorization: Bearer ..." https://api.preview.openshift.com:443/version
I1026 09:30:15.575077 40192 round_trippers.go:318] GET https://api.preview.openshift.com:443/version 200 OK in 304 milliseconds
I1026 09:30:15.575168 40192 round_trippers.go:324] Response Headers:
I1026 09:30:15.575202 40192 round_trippers.go:327] Cache-Control: no-store
I1026 09:30:15.575233 40192 round_trippers.go:327] Content-Type: application/json
I1026 09:30:15.575263 40192 round_trippers.go:327] Date: Tue, 25 Oct 2016 22:30:15 GMT
I1026 09:30:15.575294 40192 round_trippers.go:327] Content-Length: 235
I1026 09:30:15.575488 40192 request.go:901] Response Body: {
  "major": "1",
  "minor": "3",
  "gitVersion": "v1.3.0+52492b4",
  "gitCommit": "52492b4",
  "gitTreeState": "clean",
  "buildDate": "2016-10-18T12:31:49Z",
  "goVersion": "go1.6.3",
  "compiler": "gc",
  "platform": "linux/amd64"
}
I1026 09:30:15.582845 40192 cached_discovery.go:80] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/servergroups.json
I1026 09:30:15.583145 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/apps/v1alpha1/serverresources.json
I1026 09:30:15.583395 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/authentication.k8s.io/v1beta1/serverresources.json
I1026 09:30:15.583532 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/autoscaling/v1/serverresources.json
I1026 09:30:15.583612 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/batch/v1/serverresources.json
I1026 09:30:15.583695 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/batch/v2alpha1/serverresources.json
I1026 09:30:15.583842 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/extensions/v1beta1/serverresources.json
I1026 09:30:15.584187 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/v1/serverresources.json
I1026 09:30:15.584544 40192 cached_discovery.go:80] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/servergroups.json
I1026 09:30:15.584755 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/apps/v1alpha1/serverresources.json
I1026 09:30:15.584990 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/authentication.k8s.io/v1beta1/serverresources.json
I1026 09:30:15.585115 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/autoscaling/v1/serverresources.json
I1026 09:30:15.585200 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/batch/v1/serverresources.json
I1026 09:30:15.585327 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/batch/v2alpha1/serverresources.json
I1026 09:30:15.585619 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/extensions/v1beta1/serverresources.json
I1026 09:30:15.586162 40192 cached_discovery.go:38] returning cached discovery info from /Users/graham/.kube/api.preview.openshift.com_443/v1/serverresources.json
I1026 09:30:15.587399 40192 round_trippers.go:299] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: oc/v1.3.1 (darwin/amd64) openshift/dad658d" -H "Authorization: Bearer ..." https://api.preview.openshift.com:443/oapi/v1/namespaces/python-demos/appliedclusterresourcequotas
I1026 09:30:15.832826 40192 round_trippers.go:318] GET https://api.preview.openshift.com:443/oapi/v1/namespaces/python-demos/appliedclusterresourcequotas 403 Forbidden in 245 milliseconds
I1026 09:30:15.832858 40192 round_trippers.go:324] Response Headers:
I1026 09:30:15.832865 40192 round_trippers.go:327] Date: Tue, 25 Oct 2016 22:30:15 GMT
I1026 09:30:15.832871 40192 round_trippers.go:327] Content-Length: 299
I1026 09:30:15.832876 40192 round_trippers.go:327] Cache-Control: no-store
I1026 09:30:15.832882 40192 round_trippers.go:327] Content-Type: application/json
I1026 09:30:15.832965 40192 request.go:901] Response Body: {
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"GrahamDumpleton\" cannot list appliedclusterresourcequotas in project \"python-demos\"",
  "reason": "Forbidden",
  "details": {
    "kind": "appliedclusterresourcequotas"
  },
  "code": 403
}
F1026 09:30:15.833772 40192 helpers.go:110] User "GrahamDumpleton" cannot list appliedclusterresourcequotas in project "python-demos"
@deads take a look at the previous comment
@twiest I'm trying to get access to the https://api.preview.openshift.com again (I checked the hack day system before :( ). That forbidden error suggests that either the server isn't at 3.3 or that reconcile roles hasn't been run yet. Are you expecting that to be the case?

Jessica or Graham, can you provide output for `oc version` and `oc get clusterroles`? You ought to have rights for both.
I have a new account and I'm not seeing the 403 issue. So I think Graham is correct that it's something to do with his account that existed before the upgrade. Looking at the about page in the console there is no question this is on 3.3 API at this point.

Version
OpenShift Master: v3.3.1.3
Kubernetes Master: v1.3.0+52492b4

Graham, can you try the two commands David asked for since this seems specific to your account?
@deads: I believe it's been on 3.3 for some time now.

# openshift version
openshift v3.3.1.3
kubernetes v1.3.0+52492b4
etcd 2.3.0+git
The CSS fix to help with hiding the Limit Ranges header in Online is in for 1.4/3.4, assigning this bug to the Auth component to figure out what is actually going on with Graham's account.
Output from oc version as given in original report is:

oc v1.3.1
kubernetes v1.3.0+52492b4
features: Basic-Auth

Server https://api.preview.openshift.com:443
openshift v3.3.1.3

Output of oc get clusterroles is:

NAME
self-access-reviewer
system:replicaset-controller
system:pv-recycler-controller
system:daemonset-controller
sudoer
system:webhook
system:job-controller
system:image-pruner
system:image-pusher
system:pv-provisioner-controller
system:pv-attach-detach-controller
system:pet-set-controller
system:image-signer
system:node
system:endpoint-controller
system:gc-controller
system:image-puller
system:build-strategy-source
management-infra-admin
registry-admin
cluster-reader
system:image-builder
intercom-account-reconciler
system:sdn-manager
system:replication-controller
volume-provisioner
system:oauth-token-deleter
system:master
system:service-serving-cert-controller
system:image-auditor
system:build-strategy-custom
system:pv-binder-controller
system:build-strategy-docker
openshift-online:admin
openshift-online:edit
system:router
system:node-reader
system:deploymentconfig-controller
admin
basic-user
I'm apparently still unapproved. `oc get clusterroles -o yaml`
Can you provide the information that David has requested - with the yaml data.
Created attachment 1216791 [details]
YAML for cluster roles.

Attached clusterroles as YAML.

BTW, perhaps related is that I get lots of errors if I try and assign role to project that would allow me to use the REST API from within a pod of the project.

$ oc adm policy add-role-to-group view system:serviceaccounts:python-demos
Error from server: rolebinding "view" is forbidden: user "GrahamDumpleton" cannot grant extra privileges:
{Verbs:["get" "list" "watch"], APIGroups:[""], Resources:["appliedclusterresourcequotas"]}
{Verbs:["get" "list" "watch"], APIGroups:[""], Resources:["deploymentconfigs/status"]}
{Verbs:["get" "list" "watch"], APIGroups:[""], Resources:["deployments"]}
{Verbs:["get" "list" "watch"], APIGroups:["apps"], Resources:["petsets"]}
{Verbs:["get" "list" "watch"], APIGroups:["batch"], Resources:["scheduledjobs"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["daemonsets"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["deployments"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["deployments/scale"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["replicasets"]}
{Verbs:["get" "list" "watch"], APIGroups:["extensions"], Resources:["replicasets/scale"]}
{Verbs:["view"], APIGroups:["build.openshift.io"], Resources:["jenkins"]}
Looks like the `openshift-online:admin` role has slipped. @abhishek You probably need to check your test that catches drift. You're short several resources.
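A sketch of the kind of drift check referred to above, as an added example that is not part of this thread or of OpenShift: it flattens the rules of a customised role and of a stock role into (apiGroup, resource, verb) tuples and lists what the stock role grants that the customised one does not, treating `*` as a wildcard. The rule contents are constructed sample data; the cluster's real rules are in the attached YAML, and the function names are hypothetical.

```python
# Added example: drift check between a customised role and a stock role.
# Both rule sets are constructed sample data, not the cluster's real roles.

STOCK_VIEW = [
    {"apiGroups": [""], "resources": ["pods", "appliedclusterresourcequotas"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["petsets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["daemonsets"],
     "verbs": ["get", "list", "watch"]},
]

CUSTOM_ADMIN = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},
    {"apiGroups": ["extensions"], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
]


def expand(rules):
    """Flatten policy rules into a set of (apiGroup, resource, verb) tuples."""
    out = set()
    for rule in rules:
        # A missing or empty apiGroups list means the legacy "" group.
        for group in rule.get("apiGroups") or [""]:
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    out.add((group, resource, verb))
    return out


def covers(held, needed):
    """True if some held tuple grants the needed tuple; '*' matches anything."""
    return any(all(h in ("*", n) for h, n in zip(grant, needed))
               for grant in held)


def missing_rules(held_rules, wanted_rules):
    """Tuples granted by wanted_rules that held_rules does not cover."""
    held = expand(held_rules)
    return sorted(t for t in expand(wanted_rules) if not covers(held, t))


if __name__ == "__main__":
    for group, resource, verb in missing_rules(CUSTOM_ADMIN, STOCK_VIEW):
        print(f'missing: {verb} {resource} (apiGroup "{group}")')
```

Run against the real role definitions after each upgrade, a non-empty result flags the role for reconciliation before users hit a 403.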
Graham: Can you please provide the rolebindings for the project?
apiVersion: v1
items:
- apiVersion: v1
  groupNames: null
  kind: RoleBinding
  metadata:
    creationTimestamp: 2016-06-14T09:18:19Z
    name: openshift-online:admin
    namespace: python-demos
    resourceVersion: "9578522"
    selfLink: /oapi/v1/namespaces/python-demos/rolebindings/openshift-online:admin
    uid: ef4d27ac-3210-11e6-a729-0e63b9c1c48f
  roleRef:
    name: openshift-online:admin
  subjects:
  - kind: User
    name: GrahamDumpleton
  userNames:
  - GrahamDumpleton
- apiVersion: v1
  groupNames: null
  kind: RoleBinding
  metadata:
    creationTimestamp: 2016-06-14T09:18:20Z
    name: system:deployers
    namespace: python-demos
    resourceVersion: "9578536"
    selfLink: /oapi/v1/namespaces/python-demos/rolebindings/system:deployers
    uid: ef834fff-3210-11e6-a729-0e63b9c1c48f
  roleRef:
    name: system:deployer
  subjects:
  - kind: ServiceAccount
    name: deployer
    namespace: python-demos
  userNames:
  - system:serviceaccount:python-demos:deployer
- apiVersion: v1
  groupNames: null
  kind: RoleBinding
  metadata:
    creationTimestamp: 2016-06-14T09:18:19Z
    name: system:image-builders
    namespace: python-demos
    resourceVersion: "9578529"
    selfLink: /oapi/v1/namespaces/python-demos/rolebindings/system:image-builders
    uid: ef77c060-3210-11e6-a729-0e63b9c1c48f
  roleRef:
    name: system:image-builder
  subjects:
  - kind: ServiceAccount
    name: builder
    namespace: python-demos
  userNames:
  - system:serviceaccount:python-demos:builder
- apiVersion: v1
  groupNames:
  - system:serviceaccounts:python-demos
  kind: RoleBinding
  metadata:
    creationTimestamp: 2016-06-14T09:18:19Z
    name: system:image-pullers
    namespace: python-demos
    resourceVersion: "9578523"
    selfLink: /oapi/v1/namespaces/python-demos/rolebindings/system:image-pullers
    uid: ef66b6e1-3210-11e6-a729-0e63b9c1c48f
  roleRef:
    name: system:image-puller
  subjects:
  - kind: SystemGroup
    name: system:serviceaccounts:python-demos
  userNames: null
kind: List
metadata: {}
After fix applied, no longer seeing error notice in web console.

The limits section content in the web console is now empty, which I believe is what is intended, but I would still regard it as a bug that the 'Limit Range' section title still appears when there is nothing to display in that section.

The command:

oc adm policy add-role-to-group view system:serviceaccounts:python-demos

also now works without errors.
This should be addressed in the next release when Online moves to 3.4.
Created attachment 1218301 [details] Empty Limit Range section. Add image of problem with web console quotas page where Limit Range section heading is shown, but nothing below.
Jessica: Can you please look into the screenshot that Graham posted above? I am just trying to ensure that this is properly addressed in 3.4.
@abhgupta yes we added the wrapper class around the whole limit ranges section in 3.4 but it's up to you guys to update your CSS extensions to hide the whole section using that class.
This has been fixed in DevPreview INT