Bug 1420247 - Inconsistent message of web and CLI about adding role system:image-builder/system:deployer to serviceaccount of another project
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.5.0
Hardware: Unspecified Unspecified
Priority: medium
Severity: medium
Assigned To: bpeterse
QA Contact: Yadan Pei
Reported: 2017-02-08 04:46 EST by Yadan Pei
Modified: 2017-07-24 10 EDT
Last Closed: 2017-03-08 09:41:55 EST
Type: Bug
External Trackers:
Red Hat Product Errata RHBA-2017:0884 (priority: normal, status: SHIPPED_LIVE): Red Hat OpenShift Container Platform 3.5 RPM Release Advisory, last updated 2017-04-12 18:50:07 EDT

Description Yadan Pei 2017-02-08 04:46:51 EST
Description of problem:
Inconsistency between web and CLI about adding role system:image-builder/system:deployer to serviceaccount of another project

Version-Release number of selected component (if applicable):
v3.5.0.17+c55cf2b

How reproducible:
Always

Steps to Reproduce:
1. Create project 'test1' and 'test2'
2. Grant serviceaccount:builder in 'test1' with system:image-builder role to project 'test2'
   Go to project 'test2' -> Membership -> Edit Membership -> Serviceaccounts tab -> Select test1/builder from Name -> Select system:image-builder from Role -> Click Add
3. Try to grant serviceaccount:builder in 'test1' with system:image-builder role to project 'test2' through CLI
$ oc policy add-role-to-user system:image-builder serviceaccount:test1:builder -n test2


Actual results:
2. Gives message after clicking Add:
The role "system:image-builder" has already been granted to "builder"
3. Gives error message:
$ oc policy add-role-to-user system:image-builder serviceaccount:test1:builder -n test2
Error from server (Forbidden): rolebinding "system:image-builders" is forbidden: user "yapei" cannot grant extra privileges:
{Verbs:["update"], APIGroups:[""], Resources:["builds/details"]}

Expected results:
2. Web console should give error output since we didn't add role "system:image-builder" to "test1:builder" successfully; the error message should also be consistent with the CLI

Additional info:
system:image-puller and system:image-pusher do not have this problem.
Giving system:image-builder to a non-serviceaccount user does not have this problem.


The same problem happens when adding role system:deployer to a service account
CLI gives error message:
$ oc policy add-role-to-user system:deployer serviceaccount:test1:deployer -n test2
Error from server (Forbidden): rolebinding "system:deployers" is forbidden: user "yapei" cannot grant extra privileges:
{Verbs:["create"], APIGroups:[""], Resources:["events"]}

While the web console returns a success message:
The role "system:deployer" has already been granted to "deployer".
Comment 1 bpeterse 2017-02-08 10:36:39 EST
Agree, the following should be true:
- if current user does not have cluster-admin for the project, the system:image-builder should not be allowed to be granted (currently, cli is correct)
- if current user does have cluster-admin for this project, the role system:image-builder should be allowed to be granted.

PR coming to fix the web console shortly.
Comment 2 bpeterse 2017-02-08 10:50:57 EST
PR open to fix: https://github.com/openshift/origin-web-console/pull/1229
Comment 3 Troy Dawson 2017-02-10 17:53:13 EST
This has been merged into ocp and is in OCP v3.5.0.19 or newer.
Comment 5 XiaochuanWang 2017-02-12 20:52:06 EST
Verified on v3.5.0.19+199197c with original steps when user does not have cluster-admin role

When user does have cluster-admin role, web console shows 'The role "system:image-builder" was granted to "builder".' while CLI shows 'role "system:image-builder" added: "serviceaccount:test1:builder"'. Both could be accepted.

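The "cannot grant extra privileges" error quoted in the report comes from the server's privilege-escalation check: a user can only grant a role whose rules are all covered by permissions that user already holds. A simplified model of that check, added here as an illustration and not part of the bug report or OpenShift's code (the function names and rule sets are constructed; they are not the real role definitions):

```python
from itertools import product

def expand(rule):
    """Break one rule into (apiGroup, resource, verb) tuples."""
    return set(product(rule["apiGroups"], rule["resources"], rule["verbs"]))

def allows(rule, group, resource, verb):
    """True if a held rule permits the tuple; '*' is a wildcard."""
    def match(held, wanted):
        return "*" in held or wanted in held
    # A subresource such as builds/details must be named explicitly:
    # holding "builds" alone does not cover it.
    return (match(rule["apiGroups"], group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))

def uncovered(granter_rules, role_rules):
    """Permissions in role_rules that the granting user does not hold."""
    missing = set()
    for rule in role_rules:
        for g, r, v in expand(rule):
            if not any(allows(h, g, r, v) for h in granter_rules):
                missing.add((g, r, v))
    return sorted(missing)

def grant(granter, granter_rules, role_name, role_rules):
    """Return (ok, message); refuse when the grant would escalate privileges."""
    missing = uncovered(granter_rules, role_rules)
    if missing:
        return False, f'user "{granter}" cannot grant extra privileges: {missing}'
    return True, f'role "{role_name}" added'

# Constructed rule sets for illustration only.
PROJECT_ADMIN = [
    {"apiGroups": [""], "resources": ["builds", "imagestreams/layers"],
     "verbs": ["get", "update"]},
]
CLUSTER_ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
IMAGE_BUILDER = [
    {"apiGroups": [""], "resources": ["imagestreams/layers"], "verbs": ["get", "update"]},
    {"apiGroups": [""], "resources": ["builds/details"], "verbs": ["update"]},
]

if __name__ == "__main__":
    print(grant("yapei", PROJECT_ADMIN, "system:image-builder", IMAGE_BUILDER))
    print(grant("yapei", CLUSTER_ADMIN, "system:image-builder", IMAGE_BUILDER))
```

A client such as the web console has to surface the refusal as an error; reporting the role as already granted hides the fact that no binding was created.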