Bug 1471040 - Normal user can't create language app in catalog console
Normal user can't create language app in catalog console
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console (Show other bugs)
3.6.0
Unspecified Unspecified
high Severity medium
: ---
: ---
Assigned To: Samuel Padgett
DeShuai Ma
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-14 05:56 EDT by DeShuai Ma
Modified: 2017-08-16 15 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-10 01:31:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
failed-nodejs.png (153.04 KB, image/png)
2017-07-14 05:56 EDT, DeShuai Ma
no flags Details

  None (edit)
Description DeShuai Ma 2017-07-14 05:56:20 EDT
Created attachment 1298231 [details]
failed-nodejs.png

Description of problem:
After enable service-catalog and login as normal user, then create language app in catalog console, get some error "error Failed to list instances/servicecatalog.k8s.io/v1alpha1 (403)"
cluster-admin user does not have problem.

Version-Release number of selected component (if applicable):
openshift v3.6.143
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

How reproducible:
Always

Steps to Reproduce:
1. Login catalog console

2. Click "JAVEScrpit" -> "Node.js"

3. Input the info that need to create app

Actual results:
3. "create" button is disabled and there pop an error dialog with "error Failed to list instances/servicecatalog.k8s.io/v1alpha1 (403) "

Expected results:
3. Should create app success

Additional info:
Comment 1 Jessica Forrester 2017-07-14 07:57:38 EDT
There are two different problems here, the first is that the roles are not correct for end users for service catalog resources.  End users should not get a 403 requesting instances.  If this was set up using the ansible installer then the installer is not setting up the roles correctly for project admins/editors/viewers.

The second problem is a question of whether we should prevent you from creating your application if we fail to request instances.
Comment 2 Jessica Forrester 2017-07-14 07:58:53 EDT
If this system was set up with the ansible installer please open a bug against the installer component for the first problem.
Comment 3 DeShuai Ma 2017-07-14 12:24:55 EDT
(In reply to Jessica Forrester from comment #2)
> If this system was set up with the ansible installer please open a bug
> against the installer component for the first problem.

Yes, I setup the env by openshift-ansible, For the first 403 issue, the bug is https://bugzilla.redhat.com/show_bug.cgi?id=1471013

One thing I don't understand is if I select a language app(not serviceclass), why need access instance.servicecatalog.k8s.io ? Maybe my understand is wrong. thanks
Comment 4 Jessica Forrester 2017-07-14 12:29:32 EDT
Because the second step in the wizard lets the user bind to existing provisioned services in the project that they just created their application in.  So when the project selection is changed, we then fetch the instances for that project to know whether to show the Bindings step in the wizard.
Comment 6 Samuel Padgett 2017-07-14 16:24:09 EDT
(In reply to Samuel Padgett from comment #5)
> https://github.com/openshift/origin-web-console/pull/1852

The upstream origin-web-catalog change contained in this console PR is

https://github.com/openshift/origin-web-catalog/pull/364
Comment 8 DeShuai Ma 2017-07-24 03:40:56 EDT
Verify on openshift v3.6.153
kubernetes v1.6.1+5115d708d7
etcd 3.2.1
Now can create app successfully
Comment 10 errata-xmlrpc 2017-08-10 01:31:01 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

Note You need to log in before you can comment on or make changes to this bug.