Bug 1470047 - Can't login catalog console if service-catalog enable secure and authorization
Status: VERIFIED
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Release: 3.7.0
Assigned To: Jessica Forrester
QA Contact: XiaochuanWang
Keywords: TestBlocker
Reported: 2017-07-12 06:45 EDT by DeShuai Ma
Modified: 2017-08-14 14:15 EDT (History)
Attachments:
catalog-ui.jpeg (129.00 KB, image/jpeg), 2017-07-12 10:53 EDT, DeShuai Ma
working serviceclasses (167.29 KB, image/png), 2017-07-12 11:20 EDT, Jessica Forrester

Description DeShuai Ma 2017-07-12 06:45:28 EDT
Description of problem:
Enable service-catalog in openshift-ansible. After the install completes, configure the catalog UI. As svc-catalog needs authorization, I can't access it successfully in the web, and then logging in to the catalog console always fails.

Version-Release number of selected component (if applicable):
openshift v3.6.136
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

How reproducible:
Always

Steps to Reproduce:
1. Check service-catalog status
[root@host-8-174-68 dma]# oc get route
NAME        HOST/PORT                                                PATH      SERVICES    PORT      TERMINATION   WILDCARD
apiserver   apiserver-kube-service-catalog.***.com             apiserver   secure    passthrough   None

[root@host-8-174-68 dma]# oc get po
NAME                       READY     STATUS    RESTARTS   AGE
apiserver-c6j4l            1/1       Running   2          7h
controller-manager-06lzq   1/1       Running   4          7h

2. Enable catalog console as below
1) $ cat /etc/origin/master/catalog-ui.js 
window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE = {
  service_catalog_landing_page: true,
  pod_presets: true
};

window.OPENSHIFT_CONFIG.additionalServers = [{
  hostPort: "apiserver-kube-service-catalog.***.com",
  prefix: "/apis"
}];

2) $ vim /etc/origin/master/master-config.yaml
assetConfig:
  extensionScripts:
    - /etc/origin/master/catalog-ui.js

3) $ systemctl restart atomic-openshift-master

3. Access service-catalog route in web & login catalog console

Actual results:
3. Always returns "User "system:anonymous" cannot get  at the cluster scope.: "User \"system:anonymous\" cannot \"get\" on \"/\"""

Expected results:
3. We log in to the catalog console successfully

Additional info:
[root@host-8-174-68 dma]# curl https://10.128.0.7:6443 -k -H "Authorization: Bearer qcprN_9fbXfqPr6C1VZVgiYBMyE-MyFsUFDzCEubSlw"
{
  "paths": [
    "/apis",
    "/apis/servicecatalog.k8s.io",
    "/apis/servicecatalog.k8s.io/v1alpha1",
    "/healthz",
    "/healthz/ping",
    "/healthz/poststarthook/start-service-catalog-apiserver-informers",
    "/metrics",
    "/swaggerapi/",
    "/version"
  ]
}
Comment 1 DeShuai Ma 2017-07-12 06:47:25 EDT
It blocks our test of ansible-service-broker & apb testing in console.
Comment 2 Jessica Forrester 2017-07-12 10:30:21 EDT
If you are using the service catalog that is installed by the ansible installer you should not be including this in the extension anymore:

window.OPENSHIFT_CONFIG.additionalServers = [{
  hostPort: "apiserver-kube-service-catalog.***.com",
  prefix: "/apis"
}];


This was temporary until the service catalog was aggregated under the main API server.

Please remove this from your extension and let us know if you are still having a problem accessing the console.
Comment 3 DeShuai Ma 2017-07-12 10:52:11 EDT
Yes, after removing this I can log in to the catalog console, but can't see the serviceclass in the catalog console.

In backend, I can see below.
[root@host-8-174-68 dma]# oc create -f broker.yaml 
broker "ansible-service-broker" created
[root@host-8-174-68 dma]# 
[root@host-8-174-68 dma]# oc describe broker ansible-service-broker
Name:		ansible-service-broker
Namespace:	
Labels:		<none>
Events:
  FirstSeen	LastSeen	Count	From					SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----					-------------	--------	------		-------
  11s		11s		1	service-catalog-controller-manager			Normal		FetchedCatalog	Successfully fetched catalog entries from broker.
[root@host-8-174-68 dma]# oc get serviceclass
NAME             KIND
mediawiki-apb    ServiceClass.v1alpha1.servicecatalog.k8s.io
postgresql-apb   ServiceClass.v1alpha1.servicecatalog.k8s.io
[root@host-8-174-68 dma]# 
[root@host-8-174-68 dma]# 
[root@host-8-174-68 dma]# 
[root@host-8-174-68 dma]# cat broker.yaml 
apiVersion: servicecatalog.k8s.io/v1alpha1
kind: Broker
metadata:
  finalizers:
  - kubernetes-incubator/service-catalog
  name: ansible-service-broker
spec:
  url: http://asb.openshift-ansible-service-broker.svc:1338
Comment 4 DeShuai Ma 2017-07-12 10:53 EDT
Created attachment 1297037 [details]
catalog-ui.jpeg
Comment 5 Jessica Forrester 2017-07-12 11:02:43 EDT
Can you check the Network tab of the browser console and check for a request for serviceclasses?

Also if you check the /apis request that is going to the master API this should appear as part of the response

    {
      "name": "servicecatalog.k8s.io",
      "versions": [
        {
          "groupVersion": "servicecatalog.k8s.io/v1alpha1",
          "version": "v1alpha1"
        }
      ],
      "preferredVersion": {
        "groupVersion": "servicecatalog.k8s.io/v1alpha1",
        "version": "v1alpha1"
      },
      "serverAddressByClientCIDRs": null
    }


Or if you can provide the URL and login info for this server we can take a look.
Comment 6 Jessica Forrester 2017-07-12 11:04:22 EDT
If things are configured correctly you should also see a request to <master-hostname>/apis/servicecatalog.k8s.io/v1alpha1
Comment 8 DeShuai Ma 2017-07-12 11:15:39 EDT
Is this related? Do we need to enable apis/servicecatalog.k8s.io/v1alpha1 in master-config.yaml?
https://github.com/openshift/origin/pull/14984/files
Comment 9 Jessica Forrester 2017-07-12 11:20:33 EDT
Not related, the change in that PR is necessary to test PodPresets are actually working as part of Binding (i.e. the environment variables actually get injected into the pods).

But I just hit the server and I see the serviceclasses including mediawiki.  Maybe you were getting something cached?  Try clearing your browser cache and see if you still do not see the service classes.  Adding attachment to show it working for me.
Comment 10 Jessica Forrester 2017-07-12 11:20 EDT
Created attachment 1297059 [details]
working serviceclasses
Comment 11 DeShuai Ma 2017-07-12 11:27:53 EDT
Yes, now I can get it, thanks for your help, I'll close the bug.
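
Added example (not part of the original bug thread): the checks from Comments 2, 5 and 6 as a small Node.js script. It flags a leftover additionalServers entry in the console extension script and confirms that the master's /apis discovery response lists servicecatalog.k8s.io. The function names, the sample inputs and the example.test hostname are assumptions made for illustration.

```javascript
// Added example, not from the bug thread. EXT_BEFORE and APIS_SAMPLE are constructed
// from the snippets in the Description and Comment 5; the hostname is a placeholder.
const EXT_BEFORE = `
window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE = {
  service_catalog_landing_page: true,
  pod_presets: true
};
window.OPENSHIFT_CONFIG.additionalServers = [{
  hostPort: "apiserver-kube-service-catalog.example.test",
  prefix: "/apis"
}];`;
// Same script with the additionalServers assignment commented out (constructed).
const EXT_AFTER = EXT_BEFORE.replace(/window\.OPENSHIFT_CONFIG[\s\S]*$/, (s) => `/* ${s} */`);

// Constructed /apis discovery document (APIGroupList) holding the group from Comment 5.
const APIS_SAMPLE = {
  kind: 'APIGroupList',
  groups: [{
    name: 'servicecatalog.k8s.io',
    versions: [{ groupVersion: 'servicecatalog.k8s.io/v1alpha1', version: 'v1alpha1' }],
    preferredVersion: { groupVersion: 'servicecatalog.k8s.io/v1alpha1', version: 'v1alpha1' },
  }],
};

// hostPort values still assigned to additionalServers, ignoring commented-out code.
function findAdditionalServers(src) {
  const live = src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/^\s*\/\/.*$/gm, '');
  const hosts = [];
  for (const m of live.matchAll(/OPENSHIFT_CONFIG\.additionalServers\s*=\s*\[([\s\S]*?)\]/g)) {
    for (const h of m[1].matchAll(/hostPort\s*:\s*["']([^"']+)["']/g)) hosts.push(h[1]);
  }
  return hosts;
}

// Versions the master's /apis discovery document lists for an API group.
function aggregatedVersions(apiGroupList, name) {
  const group = (apiGroupList.groups || []).find((g) => g.name === name);
  return group ? (group.versions || []).map((v) => v.version) : [];
}

// Combine both checks into the findings an operator would act on.
function auditCatalogConsole(src, apiGroupList) {
  const findings = [];
  for (const host of findAdditionalServers(src)) {
    findings.push(`extension still sends the console directly to ${host}; remove additionalServers`);
  }
  if (aggregatedVersions(apiGroupList, 'servicecatalog.k8s.io').length === 0) {
    findings.push('servicecatalog.k8s.io is absent from the master /apis response');
  }
  return findings;
}

console.log(auditCatalogConsole(EXT_BEFORE, APIS_SAMPLE));
console.log(auditCatalogConsole(EXT_AFTER, APIS_SAMPLE));
```

To run it against a real setup, pass the contents of /etc/origin/master/catalog-ui.js and the JSON body of the master's /apis response in place of the constructed samples.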