Description of problem:
Using cluster-admin or system:admin, grant a cluster role to a user, log in as that user and check membership in multiple projects; the cluster role is missing from the Membership page. Granting a cluster role from the web console doesn't work for the user.

Version-Release number of selected component (if applicable):
openshift v3.4.0.15+9c963ec

How reproducible:
Always

Steps to Reproduce:
1. Using cluster-admin or system:admin:
   oadm policy add-cluster-role-to-user cluster-admin user1
2. Log in as user1, create projects, and check Resources -> Membership.
3. As user1, grant a cluster role to user2 in the web console: go to Resources -> Membership -> hit "Edit Membership" -> check "Show hidden roles"; in the last line, input "user2" and select "cluster-admin" for the user -> hit "Done editing".
4. Log in as user2 on both the web console and the CLI:
   check: user2 creates projects and checks the role on the Membership page.
   check: user2 tries to do something as cluster-admin.

Actual results:
2. User1 lost the "cluster-admin" role on the page.
4. User2 lost the "cluster-admin" role on the self-created project page. User2 doesn't have the cluster-admin role from the CLI, e.g. user2 `oc get projects` doesn't get all projects.

Expected results:
2. User1 has the "cluster-admin" role on the page.
4. User2 has the "cluster-admin" role on the page, and user2 has the cluster-admin role from the CLI.

Additional info:
This works as expected, though it is a bit confusing. Here is the doc: https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#roles

And I'll attempt to explain:
- user1 is a 'cluster-admin' at the cluster level.
- We don't list cluster-level policy anywhere in the UI, we only list policy local to a project. Therefore, user1 shows as a project 'admin' in the project.
- When user2 is given 'cluster-admin', this is local, at the project level. It is essentially super admin for the project. This grants access to edit things like resource limits which a project 'admin' does not have.
- user2 can't list all projects because this user isn't 'cluster-admin' at the cluster level.
- user2 does have a greater role than user1 within the project, but user1 is still an actual 'cluster-admin' at the cluster level so ultimately has more privilege.
- The web console isn't built for cluster admins, it's built for more typical users, so there is no place currently for user1 to go see their cluster policy.
- Any 'cluster-*' roles granted by the UI are going to be project scoped.

In the end, I agree it is confusing, but this is the way the API works.
Thanks for explaining, bpeterse. That makes sense; I understand the scope of "cluster-*" roles better now. Let me simply confirm with you: the "cluster-*" role assigned by a project admin is limited to the project, and this is not the same as the "cluster-*" role granted by cluster-admin or system:admin. Does it also explain the reason a project admin can "oc get clusterrole" but cannot "oc get clusterrolebinding"?

I tested with a project admin: "oc get clusterrole | grep admin" will get "cluster-admin", but how does a project user assign this "cluster-admin" to others in project scope? I tried "oc policy add-role-to-user cluster-admin user2" and got the error below:

Error from server: rolebinding "cluster-admin" is forbidden: user "user1" cannot grant extra privileges: {Verbs:["*"], APIGroups:["*"], Resources:["*"]} {Verbs:["*"], NonResourceURLs:["*"]}"

Thanks, this original bug could be closed.
Correct. Cluster roles are roles defined at the cluster level, but can be bound either at the cluster level or at the project level. Most roles are cluster roles; it is rare to have a local role at all.

To create a local role for a project, I'd suggest copying an existing cluster role:
- oc get clusterrole view -o yaml > clusterrole_view.yml
- cp clusterrole_view.yml role_awesomeview.yml
- vim role_awesomeview.yml
  - change name to awesomeview
  - change kind to Role
  - remove resourceVersion, selfLink, uid, creationTimestamp
  - optionally add namespace: project-name (this might be filled in when you create the role in a project, I forget atm)
  - save file
- oc create -f path/to/role_awesomeview.yml
- optionally annotate with a description

To use the new role:
- oadm policy add-role-to-user awesomeview user2

For your cluster-role example, you would have:
- oadm policy add-cluster-role-to-user cluster-admin user2
  - which will make a local binding with the cluster role
  - this is more or less a project super admin, can edit quota & a few extras

Within a project, a user who is a project admin should be able to see rolebindings, not clusterrolebindings.

Hope that helps!
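The copy-a-cluster-role procedure in the comment above, done as an added example script that is not part of this bug or of OpenShift itself. It takes the JSON that `oc get clusterrole view -o json` would emit (a constructed sample is embedded below), strips the server-assigned metadata named above, renames it, sets `kind: Role` and the target namespace, and optionally attaches a description annotation; the `openshift.io/description` annotation key and the sample document's contents are assumptions.

```python
#!/usr/bin/env python3
"""Turn a ClusterRole document into a namespaced Role for one project.

Usage (added example, not an OpenShift tool):
    oc get clusterrole view -o json | python3 make_local_role.py awesomeview myproject | oc create -f -
"""
import copy
import json
import sys

# Server-populated fields that must not be carried into a new object.
# 'generation' is stripped for the same reason, as an assumption beyond the list in the thread.
SERVER_FIELDS = ("resourceVersion", "selfLink", "uid", "creationTimestamp", "generation")

# Assumed annotation key for the optional description.
DESCRIPTION_ANNOTATION = "openshift.io/description"


def clusterrole_to_role(clusterrole, name, namespace, description=None):
    """Return a new Role object; the input document is left untouched."""
    if clusterrole.get("kind") != "ClusterRole":
        raise ValueError("expected a ClusterRole, got %r" % clusterrole.get("kind"))
    if "rules" not in clusterrole:
        raise ValueError("ClusterRole has no rules; refusing to create an empty Role")

    role = copy.deepcopy(clusterrole)
    role["kind"] = "Role"                      # bound to one namespace only
    meta = role.setdefault("metadata", {})
    for field in SERVER_FIELDS:
        meta.pop(field, None)                  # let the API server assign these
    meta["name"] = name
    meta["namespace"] = namespace
    if description:
        meta.setdefault("annotations", {})[DESCRIPTION_ANNOTATION] = description
    return role


# Constructed sample shaped like `oc get clusterrole view -o json` on OpenShift 3.x
# (trimmed; the real 'view' role carries many more rules).
SAMPLE_CLUSTERROLE = {
    "kind": "ClusterRole",
    "apiVersion": "v1",
    "metadata": {
        "name": "view",
        "selfLink": "/oapi/v1/clusterroles/view",
        "uid": "00000000-0000-0000-0000-000000000000",
        "resourceVersion": "42",
        "creationTimestamp": "2016-10-01T00:00:00Z",
    },
    "rules": [
        {"verbs": ["get", "list", "watch"], "apiGroups": [""],
         "resources": ["pods", "services", "configmaps"]},
        {"verbs": ["get", "list", "watch"], "apiGroups": [""],
         "resources": ["projects"]},
    ],
}


def main(argv):
    if len(argv) < 3:
        sys.stderr.write("usage: make_local_role.py ROLE_NAME NAMESPACE [DESCRIPTION] < clusterrole.json\n")
        return 2
    source = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_CLUSTERROLE
    desc = argv[3] if len(argv) > 3 else None
    json.dump(clusterrole_to_role(source, argv[1], argv[2], desc), sys.stdout, indent=2)
    sys.stdout.write("\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The resulting Role still has to be bound with `oadm policy add-role-to-user awesomeview user2` inside the project; the script only produces the role definition, and it deliberately refuses a document that is not a ClusterRole so that a mistaken `oc get role` or `oc get rolebinding` on stdin cannot be turned into a Role by accident.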
Opening this back up and setting it to Documentation. We should assess the docs & make sure they are extremely clear since this use case is understandably confusing.
(In reply to bpeterse from comment #4) > Opening this back up and setting it to Documentation. We should assess the > docs & make sure they are extremely clear since this use case is > understandably confusing. Hey there, Are the docs for 3.3 confusing about this or is this something we should clarify for 3.4?
I'm looking at this: https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#roles I would say the above discussion around this bug is that the topic is generally covered, but still unclear. I expect many users may follow the same logic around a 'cluster-admin' kind of role and wonder why a user granted this role can't do what is expected (because a role with "cluster-" in the name at a local scope is not intuitive). Perhaps after rereading the docs carefully it makes sense, but ideally we could clarify up front and avoid the confusion. An example may be all that is needed.
This could be a docs update for 3.4 only if it includes a screenshot of the UI in this particular state, a 'cluster-admin' who created a project that only shows 'admin' but granted 'cluster-admin' to another user within the local scope of the project.
Work in progress: https://github.com/openshift/openshift-docs/pull/3178
@Ben, PTAL: https://github.com/openshift/openshift-docs/pull/3178
reviewing, thx!
Looks good on openshift/oc v3.4.0.38, will mark it as VERIFIED when PR#3178 is merged.

Now the web console is consistent with the CLI as below; a project admin has been restricted from granting "cluster-admin" to a user at project level.

On the web console, the error message below pops up when the user tries to add "cluster-admin" to another user. This is different from step 3 of the original description, but looks good:

The role "cluster-admin" could not be granted to "xiaocwan1". Reason: "rolebinding "cluster-admin" is forbidden: user "xiaocwan" cannot grant extra privileges: {Verbs:["*"], APIGroups:["*"], Resources:["*"]} {Verbs:["*"], NonResourceURLs:["*"]}"

# oc policy add-role-to-user cluster-admin user2
Error from server: rolebinding "cluster-admin" is forbidden: user "xiaocwan" cannot grant extra privileges: {Verbs:["*"], APIGroups:["*"], Resources:["*"]} {Verbs:["*"], NonResourceURLs:["*"]}
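The two behaviours this thread turns on, a cluster role bound locally being scoped to one project (bpeterse's explanation above) and a project admin being refused "cannot grant extra privileges" when binding cluster-admin (the error verified in the comment above), modelled as an added example that is neither OpenShift's authorizer nor code from this bug. Role names and rules are a constructed, trimmed subset; the coverage check is a simplified per-rule version of the escalation check and is labelled as such in the code.

```python
"""Model of binding scope and the grant-escalation check in OpenShift 3.x RBAC.

Added example; the role set and the cluster state below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    verbs: FrozenSet[str]
    api_groups: FrozenSet[str]
    resources: FrozenSet[str]


def _allows(item: str, allowed: FrozenSet[str]) -> bool:
    # A wildcard on the granter's side matches anything; a wildcard on the
    # requested side is only satisfied by a wildcard.
    return "*" in allowed or item in allowed


def rule_covers(rule: Rule, other: Rule) -> bool:
    """True if every (verb, group, resource) in `other` is permitted by `rule`."""
    return (all(_allows(v, rule.verbs) for v in other.verbs)
            and all(_allows(g, rule.api_groups) for g in other.api_groups)
            and all(_allows(r, rule.resources) for r in other.resources))


@dataclass(frozen=True)
class Binding:
    role: str                     # always a cluster role name here (local roles are rare)
    user: str
    namespace: Optional[str]      # None = ClusterRoleBinding, else a RoleBinding in that project


# Cluster roles are defined once, at the cluster level (trimmed, constructed rules).
CLUSTER_ROLES: Dict[str, List[Rule]] = {
    "cluster-admin": [Rule(frozenset({"*"}), frozenset({"*"}), frozenset({"*"}))],
    "admin": [Rule(frozenset({"get", "list", "create", "update", "delete"}),
                   frozenset({""}),
                   frozenset({"pods", "services", "rolebindings"}))],
}

# Constructed cluster state matching the bug's scenario:
#   user1: cluster-admin bound at cluster level (oadm policy add-cluster-role-to-user)
#   user2: cluster-admin bound *locally* in project "demo" (what the web console did)
#   user3: plain project admin in "demo"
BINDINGS = [
    Binding("cluster-admin", "user1", None),
    Binding("cluster-admin", "user2", "demo"),
    Binding("admin", "user3", "demo"),
]


def effective_rules(user: str, namespace: Optional[str],
                    bindings=BINDINGS) -> List[Rule]:
    """Rules in force for `user` when acting in `namespace` (None = cluster scope).

    Cluster bindings apply everywhere; a RoleBinding applies only inside its own
    project, which is why a locally bound 'cluster-admin' does nothing at cluster scope.
    """
    rules: List[Rule] = []
    for b in bindings:
        if b.user == user and (b.namespace is None or b.namespace == namespace):
            rules.extend(CLUSTER_ROLES[b.role])
    return rules


def can(user: str, verb: str, resource: str, namespace: Optional[str],
        api_group: str = "") -> bool:
    want = Rule(frozenset({verb}), frozenset({api_group}), frozenset({resource}))
    return any(rule_covers(r, want) for r in effective_rules(user, namespace))


def can_grant(granter: str, role: str, namespace: Optional[str]) -> bool:
    """The escalation check behind 'cannot grant extra privileges'.

    Simplification: each rule of the requested role must be covered by a single
    rule the granter already holds in that scope (the real check covers against
    the granter's whole rule set, which is more permissive for split rules).
    """
    held = effective_rules(granter, namespace)
    return all(any(rule_covers(h, r) for h in held) for r in CLUSTER_ROLES[role])


if __name__ == "__main__":
    print("user1 lists projects cluster-wide:", can("user1", "list", "projects", None))
    print("user2 lists projects cluster-wide:", can("user2", "list", "projects", None))
    print("user2 edits quota in demo:", can("user2", "update", "resourcequotas", "demo"))
    print("user3 may bind cluster-admin in demo:", can_grant("user3", "cluster-admin", "demo"))
```

Reading the results against the thread: user1's binding is cluster-scoped, so `oc get projects` works for user1 from anywhere; user2's identical role is bound only in "demo", so the same request at cluster scope is denied while inside "demo" user2 can touch things a project admin cannot; and user3, holding only `admin` in "demo", is refused when trying to bind `cluster-admin` there because the requested `*`/`*`/`*` rule is not covered by anything user3 holds.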
Added comments on PR https://github.com/openshift/openshift-docs/pull/3178/files. Will move it to VERIFIED when the PR is merged.
Pull request LGTM now, thanks. Will move it to VERIFIED when the PR is merged.
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/18f5948b956551134b25f0e5bc18c544161c94c6
Bug 1388415, added clarification around cluster roles

https://github.com/openshift/openshift-docs/commit/4b4c644d2a71a1c394661e7d9bfe247c0f8b16b6
Merge pull request #3178 from ahardin-rh/cluster-role
Bug 1388415, added clarification around cluster roles
Content is now published: https://access.redhat.com/documentation/en/openshift-container-platform/3.3/single/cluster-administration/#manage-authorization-policy-creating-local-role