Bug 1420247 - Inconsistent message of web and CLI about adding role system:image-builder/system:deployer to serviceaccount of another project
Summary: Inconsistent message of web and CLI about adding role system:image-builder/sy...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: bpeterse
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-08 09:46 UTC by Yadan Pei
Modified: 2017-07-24 14:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-08 14:41:55 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2017:0884 (normal, SHIPPED_LIVE): Red Hat OpenShift Container Platform 3.5 RPM Release Advisory, last updated 2017-04-12 22:50:07 UTC

Description Yadan Pei 2017-02-08 09:46:51 UTC
Description of problem:
Inconsistency of web and CLI about adding role system:image-builder/system:deployer to serviceaccount of another project

Version-Release number of selected component (if applicable):
v3.5.0.17+c55cf2b

How reproducible:
Always

Steps to Reproduce:
1. Create projects 'test1' and 'test2'
2. Grant serviceaccount:builder in 'test1' the system:image-builder role in project 'test2' through the web console:
Go to project 'test2' -> Membership -> Edit Membership -> Serviceaccounts tab -> Select test1/builder from Name -> Select system:image-builder from Role -> Click Add
3. Try to grant serviceaccount:builder in 'test1' the system:image-builder role in project 'test2' through the CLI:
$ oc policy add-role-to-user system:image-builder serviceaccount:test1:builder -n test2


Actual results:
2. Gives this message after clicking Add:
The role "system:image-builder" has already been granted to "builder"
3. Gives this error message:
$ oc policy add-role-to-user system:image-builder serviceaccount:test1:builder -n test2
Error from server (Forbidden): rolebinding "system:image-builders" is forbidden: user "yapei" cannot grant extra privileges:
{Verbs:["update"], APIGroups:[""], Resources:["builds/details"]}

Expected results:
2. The web console should give an error, since the role "system:image-builder" was not added to "test1:builder" successfully, and the error message should be consistent with the CLI

Additional info:
system:image-puller and system:image-pusher do not have this problem.
Giving system:image-builder to a non-serviceaccount user does not have this problem.


The same problem happens when adding role system:deployer to a service account.
CLI gives this error message:
$ oc policy add-role-to-user system:deployer serviceaccount:test1:deployer -n test2
Error from server (Forbidden): rolebinding "system:deployers" is forbidden: user "yapei" cannot grant extra privileges:
{Verbs:["create"], APIGroups:[""], Resources:["events"]}

while the web console returns a success message:
The role "system:deployer" has already been granted to "deployer".
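
The CLI error above comes from the RBAC escalation-prevention check: a user may bind a role to someone else only if the user already holds every permission the role contains, and the server names the first uncovered rule. The following is an added illustration of that check in Python, not code from this report or from OpenShift; the role definitions, the granter permission sets and the message format are constructed approximations (the report only confirms that system:image-builder carries `update` on `builds/details` and that system:image-puller is grantable by the reporter).

```python
"""Model of the "cannot grant extra privileges" check behind the CLI error.

Added example; not OpenShift code. Roles and granter permissions below are
constructed for illustration and only approximate the real definitions.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    verbs: frozenset
    api_groups: frozenset
    resources: frozenset


def rule(verbs, resources, api_groups=("",)):
    """Build a Rule; api_groups defaults to the core ("") API group."""
    return Rule(frozenset(verbs), frozenset(api_groups), frozenset(resources))


# Constructed approximations of the roles named in the report.
ROLES = {
    "system:image-builder": [
        rule({"get", "update"}, {"imagestreams/layers"}),
        rule({"update"}, {"builds/details"}),   # the privilege the CLI complains about
    ],
    "system:image-puller": [rule({"get"}, {"imagestreams/layers"})],
}

# Constructed permission sets for two kinds of granter.
PROJECT_ADMIN = [
    rule({"get", "list", "create", "update", "delete"},
         {"imagestreams", "imagestreams/layers", "builds"}),
]
CLUSTER_ADMIN = [rule({"*"}, {"*"}, api_groups=("*",))]


def _covers(user_rule, verb, group, resource):
    """True if one granter rule permits this (verb, group, resource) triple."""
    return (
        (verb in user_rule.verbs or "*" in user_rule.verbs)
        and (group in user_rule.api_groups or "*" in user_rule.api_groups)
        and (resource in user_rule.resources or "*" in user_rule.resources)
    )


def missing_privileges(role_rules, granter_rules):
    """Return the (verb, api_group, resource) triples of the role that the
    granter does not hold. An empty list means the binding is allowed."""
    missing = []
    for r in role_rules:
        for verb, group, res in product(sorted(r.verbs), sorted(r.api_groups),
                                        sorted(r.resources)):
            if not any(_covers(u, verb, group, res) for u in granter_rules):
                missing.append((verb, group, res))
    return missing


def add_role_to_user(role_name, granter_rules):
    """Mimic the server side of `oc policy add-role-to-user`: None on success,
    otherwise a Forbidden-style message naming the first uncovered privilege."""
    missing = missing_privileges(ROLES[role_name], granter_rules)
    if not missing:
        return None
    verb, group, res = missing[0]
    return ('rolebinding is forbidden: cannot grant extra privileges: '
            f'{{Verbs:["{verb}"], APIGroups:["{group}"], Resources:["{res}"]}}')


if __name__ == "__main__":
    for role in ROLES:
        print(role, "by project admin ->", add_role_to_user(role, PROJECT_ADMIN))
        print(role, "by cluster-admin ->", add_role_to_user(role, CLUSTER_ADMIN))
```

Run as a script it shows the two outcomes the report contrasts: system:image-puller binds cleanly for the project admin, system:image-builder is refused with the `builds/details` privilege named, and a cluster-admin can bind either. A client such as the web console has to surface that Forbidden result rather than reporting the role as already granted, which is the behaviour the later fix restores.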

Comment 1 bpeterse 2017-02-08 15:36:39 UTC
Agree, the following should be true:
- if current user does not have cluster-admin for the project, the system:image-builder should not be allowed to be granted (currently, cli is correct)
- if current user does have cluster-admin for this project, the role system:image-builder should be allowed to be granted.

PR coming to fix the web console shortly.

Comment 2 bpeterse 2017-02-08 15:50:57 UTC
PR open to fix: https://github.com/openshift/origin-web-console/pull/1229

Comment 3 Troy Dawson 2017-02-10 22:53:13 UTC
This has been merged into ocp and is in OCP v3.5.0.19 or newer.

Comment 5 XiaochuanWang 2017-02-13 01:52:06 UTC
Verified on v3.5.0.19+199197c with original steps when user does not have cluster-admin role

When user does have cluster-admin role, web console shows 'The role "system:image-builder" was granted to "builder".' while CLI shows 'role "system:image-builder" added: "serviceaccount:test1:builder"'. Both could be accepted.

