Bug 1393767 - [atomic registry] Web wrongly displays private access policy as shared access
Summary: [atomic registry] Web wrongly displays private access policy as shared access
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Peter
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-10 10:08 UTC by Xingxing Xia
Modified: 2017-10-30 15:34 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-30 15:34:49 UTC
Target Upstream Version:

Attachments (Terms of Use)
Lock_icon_unlocked_for_private_project (29.50 KB, image/png)
2016-11-10 10:11 UTC, Xingxing Xia 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Xingxing Xia 2016-11-10 10:08:07 UTC 
Description of problem:
Web wrongly displays private access policy as shared access

Version-Release number of selected component (if applicable):
openshift v3.4.0.24+52fd77b
cockpit 118

Image id on test env:
$ docker images | grep registry-console
registry.ops..../openshift3/registry-console 3.3  f8a757a055c5 2 days 223.8 MB


How reproducible:
Always

Steps to Reproduce:
1. On Overview page, click 'New project' 
2. Input name xxia-private, in Access Policy, select 'Private: Allow only specific users or groups to pull images', click Create
3. On Overview page, check the lock icon for project xxia-private
4. Click nav menu 'Projects', select one shared project, click 'Project access policy', change Access Policy to 'Private ...', click Change. Then click 'Project access policy' again, check Access Policy

Actual results:
3. The lock icon is unlocked, see attachment.
4. Check again after Change, Access Policy is still 'Shared: Allow any ...'

Expected results:
3. The lock icon should be locked
4. Access Policy should be 'Private ...'

Additional info:

The CLI policy is correct, though. i.e. it does not has this line:
registry-viewer  /registry-viewer  system:authenticated

$ oc get rolebinding -n xxia-private
NAME                    ROLE                    USERS     GROUPS                                SERVICE ACCOUNTS   SUBJECTS
registry-admin          /registry-admin         xxia                                         
system:deployers        /system:deployer                                                        deployer
system:image-builders   /system:image-builder                                                   builder
system:image-pullers    /system:image-puller              system:serviceaccounts:xxia-private
admin                   /admin                  xxia
Comment 1 Xingxing Xia 2016-11-10 10:11:14 UTC 
Created attachment 1219295 [details]
Lock_icon_unlocked_for_private_project
Comment 2 Xingxing Xia 2016-11-10 10:13:45 UTC 
Oh, set up another env with image verified in https://bugzilla.redhat.com/show_bug.cgi?id=1373446#c8

brew-pulp-...redhat.com:8888/openshift3/registry-console 3.3  445ef31dcaaf 2 days ago     223.8 MB

Above problem disappears
Comment 3 Stef Walter 2016-11-10 14:09:17 UTC 
Where can I get a container with openshift v3.4.0.24+52fd77b
Comment 5 Peter 2016-11-17 19:32:01 UTC 
I wasn't able to reproduce, does this happen for you from a clean install? Or is there possibly changes effecting it? Is it intermittent, does refreshing the browser change anything? 

Is there a way I can get a full (json or yaml) dump of all your images and auth related oc objects so I can see what might be causing it?
Comment 6 Xingxing Xia 2016-11-18 08:53:40 UTC 
The time when reporting the bug, it is ALWAYS reproduced.
Strangely, today tested on an env, which sets up the standalone registry using the same repo registry.ops and image f8a757a055c5 as comment 0, the problem is NOT reproduced at all.

Not familiar with the env installation. The envs are installed by installation team for scheduled test.
Comment 8 Xingxing Xia 2016-11-21 09:10:11 UTC 
Because it works for me now, the issue is not happening, closing it. Thanks!
Comment 9 Xingxing Xia 2017-10-30 10:31:51 UTC 
Reopening. In registry console of cockpit version 151, it occurs again with completely same result. More env version info is same as https://bugzilla.redhat.com/show_bug.cgi?id=1507460#c0

Checked in registry console of cockpit version 148, that still worked, though.
Comment 10 Peter 2017-10-30 15:34:49 UTC 
All user management is broken in 3.7. So I don't think this regression is related to the original issue.
Note You need to log in before you can comment on or make changes to this bug.