1492935 – Registry console error on project creation, allows project to be created regardless

Bug 1492935 - Registry console error on project creation, allows project to be created regardless

Summary: Registry console error on project creation, allows project to be created rega...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Registry Console
Sub Component:
Version:	3.7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Peter
QA Contact:	Yadan Pei
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1492937 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-09-19 02:41 UTC by Chris Ryan
Modified:	2017-11-28 22:11 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-11-28 22:11:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
screenshot of bz (44.79 KB, image/png) 2017-09-19 02:41 UTC, Chris Ryan	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	0	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-29 02:34:54 UTC

Description Chris Ryan 2017-09-19 02:41:00 UTC

Created attachment 1327685 [details]
screenshot of bz

Description of problem:
Please see the attached screenshot. When creating a new project through the Registry Console web ui (the + near Images by project, or '+ New project'), and after filling out the 'New Project' form, the project is created, but with the following error: 

User "<username>" cannot create namespaces at the cluster scope: User "<username>" cannot create namespaces at the cluster scope. 

A subsequent press of the 'Create' button on the New Project dialog results in an 'project.project.openshift.io "<project name>" already exists' error.

You will notice in the screenshot, that despite the displayed error, the project exists on the project list in the column to the left of the dialog.

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.126.4
kubernetes v1.7.0+80709908fd

How reproducible:
Always

Steps to Reproduce:
1. Log in to the Registry Console web ui
2. Click on the 'New Project' icon, or the "images by project (+) icon, fill in the resulting form with arbitrary information.
3. Click Create

Actual results:
User "<username>" cannot create namespaces at the cluster scope: User "<username>" cannot create namespaces at the cluster scope. 

Expected results:
The project is created without error

Additional info:

Comment 1 Peter 2017-09-19 02:45:19 UTC

What groups is your user part of?

Comment 2 Yadan Pei 2017-09-19 02:47:23 UTC

Cockpit packages version:
cockpit-bridge-147-1.el7.x86_64
cockpit-kubernetes-147-1.el7.x86_64
cockpit-ws-147-1.el7.x86_64
cockpit-dashboard-148-1.el7.x86_64
cockpit-system-147-1.el7.noarch


Registy Console image:
registry-console                 v3.7                0cf29d8c42d2        3 days ago          372.8 MB

Comment 3 Peter 2017-09-19 02:50:51 UTC

*** Bug 1492937 has been marked as a duplicate of this bug. ***

Comment 4 Yadan Pei 2017-09-19 03:20:49 UTC

We should be part of system:authenticated group, it's automatically associated with all authenticated users.

Comment 5 Peter 2017-09-19 03:29:00 UTC

Right but there are also registry specific groups that give users certain privileges with the registry. registry-admin, registry-editor, registry-viewer etc.. that give users privileges here. I'd like to know if your user has any of those.

Comment 6 Yadan Pei 2017-09-19 06:22:24 UTC

Hi Peter, could you please tell me which group is specific for registry console?

Comment 7 Xingxing Xia 2017-09-19 10:15:29 UTC

Adding Priority and Severity as requested by daily test reporter.

Checked it BTW, found the compared difference:
This bug is not reproduced on env of:
openshift: v3.7.0-0.125.0 
brew-pulp.../openshift3/registry-console v3.7 713f3972a7bb  13 days ago 372.8 MB
cockpit packages: also same as comment 2

# oc get rolebinding -n <project_created_on_registry_console> # Has registry-admin
NAME                    ROLE                    USERS     GROUPS                               SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  xxia                                                              
registry-admin          /registry-admin         xxia
system:deployers        /system:deployer                                                       deployer
...

The reproducing env of comment 0 is:
openshift: shown in comment 0
registry.ops.../openshift3/registry-console: already in comment 2
cockpit packages: already in comment 2

# oc get rolebinding -n <project_created_on_registry_console> # NO registry-admin
NAME                    ROLE                    USERS     GROUPS                               SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  xxia                                                              
system:deployers        /system:deployer                                                       deployer
...

Adding Regression keyword

Comment 8 Peter 2017-09-19 23:32:56 UTC

This seems to be a regression in the API. Where we are not getting back json errors in some cases. I'll open a issue with kubernetes. and PR to work around upstream, however until the underlying issue is fixed there will probably still be some weirdness in a few places.

Comment 9 Peter 2017-09-20 00:13:12 UTC

Opened https://github.com/kubernetes/kubernetes/issues/52754 and https://github.com/cockpit-project/cockpit/pull/7715

Comment 10 Peter 2017-09-20 14:07:02 UTC

Cockpit work around is in upstream.

Comment 11 shahan 2017-10-11 07:21:34 UTC

This bug will block OCP registry console related testing, add TestBlocker keyword.

Comment 13 Yadan Pei 2017-10-12 00:28:42 UTC

Hi Peter,

The latest version of cockpit-* packages included in OCP is still 147, we need 151 packages included to launch testing env.

Comment 14 Yadan Pei 2017-10-19 02:03:53 UTC

Hi Peter,

Do we have plan when cockpit 151 or higher version 153 will be in OCP?

Comment 18 Xingxing Xia 2017-10-30 10:34:01 UTC

The issue is not reproduced now in cockpit 151 (to see more env version info but to avoid dup, see in https://bugzilla.redhat.com/show_bug.cgi?id=1507460#c0)
Please move to ON_QA

Comment 20 Yadan Pei 2017-11-01 01:36:19 UTC

Verify the bug since has been checked on cockpit 151

Comment 24 errata-xmlrpc 2017-11-28 22:11:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.