Bug 1418979 - Not possible to show user's own roles for non-admins
Summary: Not possible to show user's own roles for non-admins
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Michal Fojtik
QA Contact: Wei Sun
Depends On:
Blocks: 1373448
Reported: 2017-02-03 10:40 UTC by Martin Pitt
Modified: 2017-02-08 09:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-02-08 09:09:32 UTC
Target Upstream Version:


Description Martin Pitt 2017-02-03 10:40:49 UTC
Description of problem:

When trying to fix bug 1373448 in cockpit (Should not show 'docker tag' and 'docker push' message on ImageStream page when user without push role), I noticed that it seems impossible to find out the roles of the currently logged in user if they are not an admin. It would be nice to not offer commands related to pushing images if the user only has a "registry-view" role and thus cannot actually push images (that's "registry-edit").

I read various documentation [1][2] and checked Google/Stackoverflow, to no avail. So this is at least a documentation issue, or possibly it's not currently allowed at all.

See reproduction steps below for details.

[1] https://docs.openshift.com/container-platform/3.4/architecture/core_concepts/projects_and_users.html
[2] https://docs.openshift.com/container-platform/3.4/admin_solutions/user_role_mgmt.html

Version-Release number of selected component (if applicable):

# oc version
oc v1.4.1+3f9807a
kubernetes v1.4.0+776c994
features: Basic-Auth GSSAPI Kerberos SPNEGO

openshift v1.4.1+3f9807a
kubernetes v1.4.0+776c994

How reproducible:

Steps to Reproduce:
1. Log in as admin ("oc whoami" shows something like "system:admin").

2. Create some project and switch to it:
   # oc project myproj

3. Create a user who is a registry-viewer and another one who is a registry-editor:
   # oadm policy add-role-to-user registry-viewer pulluser 
   # oadm policy add-role-to-user registry-editor pushuser

4. Create/log in as pushuser:
   # printf "pushuser\nabc\n" | oc login

5. Try to find anything about your capabilities/roles:

   # oc get images
   No resources found.
   Error from server: User "pushuser" cannot list all images in the cluster
   # oc describe roleBindings
   Error from server: User "pushuser" cannot list rolebindings in project "myproj"
   # oc describe policyBindings :default
   Error from server: User "pushuser" cannot get policybindings in project "myproj"

6. The same happens for pulluser. Although that part would be okay, it'd be sufficient to have registry-editors be able to find out about their capabilities.

Comment 1 Michal Fojtik 2017-02-06 10:14:18 UTC
Have you looked at 'oc can-i' command? You should be able to figure out if users can push.

AFAIK, the registry-viewer/editor roles do not allow listing all images in the cluster (only cluster-admin can).

Comment 2 Martin Pitt 2017-02-08 09:09:15 UTC
Indeed, "oc policy can-i update imagestreamimages" seems to do what I want. Many thanks for your help!

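As an added example (not code from the bug report, Cockpit or OpenShift): a POSIX shell helper that follows the resolution in comment 2 and asks the API server about the current user's own permissions with `oc policy can-i`, instead of trying to list rolebindings or policybindings, which registry-editor and registry-viewer users are denied. It assumes `oc policy can-i VERB RESOURCE` prints `yes` or `no` on stdout and accepts the usual `-n` namespace flag; the `registry_hint` function, the `OC` override used for testing, and the read-only fallback check on `get imagestreams` are the example's own choices and are not from the page.

```shell
#!/bin/sh
# Added example: decide which registry instructions to show a user by asking the
# API server what *this* user may do, rather than inspecting role bindings
# (which non-admins cannot read, as the bug report shows).

# Command used to reach the cluster. Overridable so a stub can stand in for the
# real `oc` in offline tests; defaults to the real binary.
OC="${OC:-oc}"

# can_i VERB RESOURCE [NAMESPACE]
# Exit status: 0 = allowed, 1 = denied, 2 = could not determine (oc error,
# unexpected output). Parses stdout rather than relying on oc's exit code,
# since the yes/no text is the documented interface.
can_i() {
    verb="$1"; resource="$2"; ns="$3"
    set -- policy can-i "$verb" "$resource"
    [ -n "$ns" ] && set -- "$@" -n "$ns"
    out=$("$OC" "$@" 2>/dev/null) || true
    case "$out" in
        yes*) return 0 ;;
        no*)  return 1 ;;
        *)    return 2 ;;
    esac
}

# registry_hint NAMESPACE
# Prints one of: push (show docker tag/push), pull (show docker pull only), none.
# The push check uses the verb/resource pair settled on in comment 2; the pull
# check (get on imagestreams) is an assumption of this example.
registry_hint() {
    ns="$1"
    if can_i update imagestreamimages "$ns"; then
        echo push
    elif can_i get imagestreams "$ns"; then
        echo pull
    else
        echo none
    fi
}

# Usage against a real cluster (after `oc login`):
#   sh registry_hint.sh myproj
[ "${1:-}" ] && registry_hint "$1"
```

Checking a concrete verb/resource pair is also more robust than matching role names: a cluster-admin may grant push rights through a custom role, and `can-i` reflects the effective permission regardless of which binding produced it.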