Bug 1492935 - Registry console error on project creation, allows project to be created regardless
Summary: Registry console error on project creation, allows project to be created rega...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Registry Console
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: ---
Assignee: Peter
QA Contact: Yadan Pei
URL:
Whiteboard:
: 1492937 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-19 02:41 UTC by Chris Ryan
Modified: 2017-11-28 22:11 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-28 22:11:25 UTC
Target Upstream Version:


Attachments (Terms of Use)
screenshot of bz (44.79 KB, image/png)
2017-09-19 02:41 UTC, Chris Ryan
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC

Description Chris Ryan 2017-09-19 02:41:00 UTC
Created attachment 1327685 [details]
screenshot of bz

Description of problem:
Please see the attached screenshot. When creating a new project through the Registry Console web ui (the + near Images by project, or '+ New project'), and after filling out the 'New Project' form, the project is created, but with the following error: 

User "<username>" cannot create namespaces at the cluster scope: User "<username>" cannot create namespaces at the cluster scope. 

A subsequent press of the 'Create' button on the New Project dialog results in an 'project.project.openshift.io "<project name>" already exists' error.

You will notice in the screenshot, that despite the displayed error, the project exists on the project list in the column to the left of the dialog.

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.126.4
kubernetes v1.7.0+80709908fd

How reproducible:
Always

Steps to Reproduce:
1. Log in to the Registry Console web ui
2. Click on the 'New Project' icon, or the "images by project (+) icon, fill in the resulting form with arbitrary information.
3. Click Create

Actual results:
User "<username>" cannot create namespaces at the cluster scope: User "<username>" cannot create namespaces at the cluster scope. 

Expected results:
The project is created without error

Additional info:

Comment 1 Peter 2017-09-19 02:45:19 UTC
What groups is your user part of?

Comment 2 Yadan Pei 2017-09-19 02:47:23 UTC
Cockpit packages version:
cockpit-bridge-147-1.el7.x86_64
cockpit-kubernetes-147-1.el7.x86_64
cockpit-ws-147-1.el7.x86_64
cockpit-dashboard-148-1.el7.x86_64
cockpit-system-147-1.el7.noarch


Registy Console image:
registry-console                 v3.7                0cf29d8c42d2        3 days ago          372.8 MB

Comment 3 Peter 2017-09-19 02:50:51 UTC
*** Bug 1492937 has been marked as a duplicate of this bug. ***

Comment 4 Yadan Pei 2017-09-19 03:20:49 UTC
We should be part of system:authenticated group, it's automatically associated with all authenticated users.

Comment 5 Peter 2017-09-19 03:29:00 UTC
Right but there are also registry specific groups that give users certain privileges with the registry. registry-admin, registry-editor, registry-viewer etc.. that give users privileges here. I'd like to know if your user has any of those.

Comment 6 Yadan Pei 2017-09-19 06:22:24 UTC
Hi Peter, could you please tell me which group is specific for registry console?

Comment 7 Xingxing Xia 2017-09-19 10:15:29 UTC
Adding Priority and Severity as requested by daily test reporter.

Checked it BTW, found the compared difference:
This bug is not reproduced on env of:
openshift: v3.7.0-0.125.0 
brew-pulp.../openshift3/registry-console v3.7 713f3972a7bb  13 days ago 372.8 MB
cockpit packages: also same as comment 2

# oc get rolebinding -n <project_created_on_registry_console> # Has registry-admin
NAME                    ROLE                    USERS     GROUPS                               SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  xxia                                                              
registry-admin          /registry-admin         xxia
system:deployers        /system:deployer                                                       deployer
...

The reproducing env of comment 0 is:
openshift: shown in comment 0
registry.ops.../openshift3/registry-console: already in comment 2
cockpit packages: already in comment 2

# oc get rolebinding -n <project_created_on_registry_console> # NO registry-admin
NAME                    ROLE                    USERS     GROUPS                               SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  xxia                                                              
system:deployers        /system:deployer                                                       deployer
...

Adding Regression keyword

Comment 8 Peter 2017-09-19 23:32:56 UTC
This seems to be a regression in the API. Where we are not getting back json errors in some cases. I'll open a issue with kubernetes. and PR to work around upstream, however until the underlying issue is fixed there will probably still be some weirdness in a few places.

Comment 10 Peter 2017-09-20 14:07:02 UTC
Cockpit work around is in upstream.

Comment 11 shahan 2017-10-11 07:21:34 UTC
This bug will block OCP registry console related testing, add TestBlocker keyword.

Comment 13 Yadan Pei 2017-10-12 00:28:42 UTC
Hi Peter,

The latest version of cockpit-* packages included in OCP is still 147, we need 151 packages included to launch testing env.

Comment 14 Yadan Pei 2017-10-19 02:03:53 UTC
Hi Peter,

Do we have plan when cockpit 151 or higher version 153 will be in OCP?

Comment 18 Xingxing Xia 2017-10-30 10:34:01 UTC
The issue is not reproduced now in cockpit 151 (to see more env version info but to avoid dup, see in https://bugzilla.redhat.com/show_bug.cgi?id=1507460#c0)
Please move to ON_QA

Comment 20 Yadan Pei 2017-11-01 01:36:19 UTC
Verify the bug since has been checked on cockpit 151

Comment 24 errata-xmlrpc 2017-11-28 22:11:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188


Note You need to log in before you can comment on or make changes to this bug.