Bug 1470628 - service-catalog can't access the template-service-broker by auth
service-catalog can't access the template-service-broker by auth
Product: OpenShift Container Platform
Classification: Red Hat
Component: Templates (Show other bugs)
Unspecified Unspecified
medium Severity medium
: ---
: 3.7.0
Assigned To: Ben Parees
XiuJuan Wang
Depends On:
Blocks: 1491626
  Show dependency treegraph
Reported: 2017-07-13 06:31 EDT by DeShuai Ma
Modified: 2017-11-28 17:01 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: The service catalog will now use proper authentication to invoke the template service broker when using oc cluster up to run both. Reason: Previously the service catalog could not provide authentication when invoking the template service broker, which meant the template service broker api had to allow calls from unauthenticated clients. This was a security issue. Result: The template service broker apis will now be secured, and will only be invokeable by the service catalog (or another client with appropriate credentials).
Story Points: ---
Clone Of:
: 1491626 (view as bug list)
Last Closed: 2017-11-28 17:01:28 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Comment 1 DeShuai Ma 2017-07-13 22:51:57 EDT
This blocker our test tsb on catalog console. we want fix asap. Could you help check. thanks.
Comment 2 Paul Morie 2017-07-14 15:28:21 EDT
How did you create the cluster, installer or OC cluster up?
Comment 3 Paul Morie 2017-07-14 17:40:49 EDT
For future catalog bugs it is very important to include what method you used to create the cluster.  The two pathways we have (oc cluster up and the installer) are different code paths with different maintainers.
Comment 4 DeShuai Ma 2017-07-14 20:02:19 EDT
I set up the cluster by openshift-ansible
Comment 5 DeShuai Ma 2017-07-17 01:43:40 EDT
Further debug, I find I can access token to request the /v2/catalog, According to https://github.com/openservicebrokerapi/servicebroker/blob/v2.12/spec.md#curl But when do 'curl -H "X-Broker-API-Version: 2.12" http://username:password@broker-url/v2/catalog', I get 403. In my openshift I use auth type AllowAllPasswordIdentityProvider

# cat /etc/origin/master/master-config.yaml
  assetPublicURL: https://<master>:8443/console/
    method: auto
  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
  masterCA: ca-bundle.crt
  masterPublicURL: https://<master>:8443
  masterURL: https://<master>:8443
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: /etc/origin/master/session-secrets.yaml
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500

# oc get template -n tsb
NAME                     DESCRIPTION                                                                        PARAMETERS        OBJECTS
ruby-helloworld-sample   This example shows how to create a simple ruby application in openshift origi...   3 (2 generated)   9
[root@host-8-175-186 dma]# curl -k -H "X-Broker-API-Version: 2.12" -H "Authorization: Bearer oLHF6t2o6reGO-O4UjsPeALItFtSlACjh8YlbF0eUrE" https://<master>:8443/brokers/template.openshift.io/v2/catalog
  "services": [
    "name": "ruby-helloworld-sample",
    "id": "c4e87ede-6ab0-11e7-a7e8-fa163e680dd3",
    "description": "This example shows how to create a simple ruby application in openshift origin v3",
    "tags": [
    "bindable": true,
    "metadata": {
     "console.openshift.io/iconClass": "icon-ruby"
    "plans": [
      "id": "c4e87ede-6ab0-11e7-a7e8-fa163e680dd3",
      "name": "default",
      "description": "Default plan",
      "free": true,
      "bindable": true,
      "schemas": {
       "service_instance": {
        "create": {
         "parameters": {
          "$schema": "http://json-schema.org/draft-04/schema",
          "additionalProperties": false,
          "properties": {
           "MYSQL_DATABASE": {
            "default": "root",
            "description": "database name",
            "type": "string"
           "MYSQL_PASSWORD": {
            "default": "",
            "description": "database password",
            "type": "string"
           "MYSQL_USER": {
            "default": "",
            "description": "database username",
            "type": "string"
           "template.openshift.io/requester-username": {
            "description": "OpenShift user requesting provision/bind",
            "title": "Template service broker: requester username",
            "type": "string"
          "required": [
          "type": "object"
       "service_binding": {
        "create": {
         "parameters": {
          "$schema": "http://json-schema.org/draft-04/schema",
          "additionalProperties": false,
          "properties": {
           "template.openshift.io/requester-username": {
            "description": "OpenShift user requesting provision/bind",
            "title": "Template service broker: requester username",
            "type": "string"
          "required": [
          "type": "object"

# curl -k -H "X-Broker-API-Version: 2.12" https://dma:dma@<master>:8443/brokers/template.openshift.io/v2/catalog{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot \"get\" on \"/brokers/template.openshift.io/v2/catalog\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
Comment 6 Paul Morie 2017-07-18 11:54:52 EDT
The ansible installer doesn't currently support the template broker, so this is working as designed; keeping this open and transferring to the templates component.
Comment 7 DeShuai Ma 2017-07-19 06:13:43 EDT
(In reply to Paul Morie from comment #6)
> The ansible installer doesn't currently support the template broker, so this
> is working as designed; keeping this open and transferring to the templates
> component.

I think this pr have support tsb in installer. https://github.com/openshift/openshift-ansible/pull/3982
Comment 8 DeShuai Ma 2017-07-19 06:17:01 EDT
Hi, Ben:
Could you help check the issue. How can I access tsb by broker resource? thanks
Comment 9 Ben Parees 2017-07-19 09:25:34 EDT
You must take 3 steps, 1 of which the ansible installer should handle:

1) configure the TSB namespaces (ansible installer should have an option for this today)

2) enable anonymous access (this makes your cluster completely exposed to malicious attacks, use with caution!)
oc adm policy add-cluster-role-to-group system:openshift:templateservicebroker-client system:unauthenticated system:authenticated

3) register the TSB with the SC, create this yaml:
apiVersion: servicecatalog.k8s.io/v1alpha1
kind: Broker
  name: template-broker
url: https://kubernetes.default.svc:443/brokers/template.openshift.io

and then use it with oc create.
Comment 10 DeShuai Ma 2017-07-19 13:32:48 EDT
The question here is I have set user/password in broker, why still use system:anonymous?
In broker it has
 "spec": {
        "authInfo": {
            "basicAuthSecret": {
                "name": "tsb",
                "namespace": "kube-service-catalog"

Thanks so much.
Comment 11 Ben Parees 2017-07-19 13:35:46 EDT
I'm pretty sure system:anonymous is any unauthenticated user, and your user is considered unauthenticated because the TSB api does not respect the basic auth mechanism the SC is providing, it only respects token based auth (which the SC is incapable of providing).

That is why you must grant unauthenticated access to the TSB apis.
Comment 12 DeShuai Ma 2017-07-19 13:50:11 EDT
Client and server have different implement for open service broker api auth, so  maybe we need broker to support token or tsb respect basic auth in future, thanks for your reply.
Comment 13 Ben Parees 2017-07-19 13:54:02 EDT
the SC is going to support token based auth in the future.
Comment 16 Ben Parees 2017-09-01 09:39:16 EDT
Using cluster up, the TSB now registers with a token that the SC will use when calling the TSB, so you do not need to grant unauthenticated access to the TSB.

We'll be following this up with work to do the same thing when installing via openshift ansible.
Comment 17 Ben Parees 2017-09-01 09:39:47 EDT
We are tracking work related to that here:
Comment 18 Ben Parees 2017-09-02 01:14:44 EDT
PR to handle registration in a template so ansible can also do the registration:
Comment 19 Ben Parees 2017-09-05 13:50:11 EDT
This is fixed for cluster up, but DeShuai I think you will want a second BZ to track getting this fixed in the ansible installer.  Eric Wolinetz would own that bug.
Comment 20 XiuJuan Wang 2017-09-14 05:43:49 EDT
Test with cluster up env [1]

Could use token to access tsb api.

And no sync error in template-service-broker resource.

[root@devexp-cluster-up newscripts]#  oc get broker template-service-broker -o json 
    "apiVersion": "servicecatalog.k8s.io/v1alpha1",
    "kind": "Broker",
    "metadata": {
        "creationTimestamp": "2017-09-14T08:42:01Z",
        "finalizers": [
        "name": "template-service-broker",
        "resourceVersion": "1264",
        "selfLink": "/apis/servicecatalog.k8s.io/v1alpha1/brokers/template-service-broker",
        "uid": "939fa87f-9928-11e7-97c7-0242ac110006"
    "spec": {
        "authInfo": {
            "bearer": {
                "secretRef": {
                    "kind": "Secret",
                    "name": "templateservicebroker-client",
                    "namespace": "openshift-template-service-broker"
        "url": "https://apiserver.openshift-template-service-broker.svc:443/brokers/template.openshift.io"
    "status": {
        "checksum": "fd02ec8a89acc79d8185ab855d745354b3fd96307b8b9988b772838584965334",
        "conditions": [
                "lastTransitionTime": "2017-09-14T08:42:08Z",
                "message": "Successfully fetched catalog entries from broker.",
                "reason": "FetchedCatalog",
                "status": "True",
                "type": "Ready"

oc v3.7.0-0.126.1
kubernetes v1.7.0+80709908fd
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://10.8.***:8443
openshift v3.7.0-0.126.1
kubernetes v1.7.0+80709908fd
Comment 23 errata-xmlrpc 2017-11-28 17:01:28 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.