Bug 1493239 - service account with same perms on 2 clusters can't create projects on one
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.5.1
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-09-19 17:24 UTC by Sten Turpin
Modified: 2017-10-13 17:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-29 14:54:18 UTC
Target Upstream Version:
Embargoed:


Attachments
projectrequests perms (1.74 KB, text/plain)
2017-09-20 14:03 UTC, Sten Turpin

Description Sten Turpin 2017-09-19 17:24:48 UTC
Description of problem: Customer has 2 clusters configured the same. On both clusters, "oadm policy who-can create project" shows the service account as one of the allowed objects. On one cluster, the service account can create projects, on the other it can't. 


Version-Release number of selected component (if applicable): atomic-openshift-3.5.5.31-1.git.0.b6f55a2.el7.x86_64


How reproducible: Always, on this cluster with this SA


Steps to Reproduce:
1. Create a service account
2. Enable the service account to create projects
3. Create a project

Actual results:
"stderr": "Error from server (Forbidden): You may not request a new project via this API."

Expected results:
project created

Additional info:

Comment 2 Simo Sorce 2017-09-19 17:44:40 UTC
can you provide server logs for both the working and non working commands at the time they are executed ?

Comment 3 Simo Sorce 2017-09-19 20:33:56 UTC
Sten please report on:
oadm policy who-can create projectrequests
oadm policy who-can list projectrequests

for both clusters

Comment 4 Mo 2017-09-19 20:48:05 UTC
@Sten

As you can see from the output of `who-can create project`, a very small set of users can perform such actions.  The reason is that the direct creation of projects (and namespaces) is a highly privileged and controlled action.  Thus to allow a normal user to safely interact with the API, we provide the extra indirection of a `projectrequest` (this is what `oc new-project` invokes).  This is a way of stating to the API that you want a project created on your behalf.  It allows the API to fully control how the project will be created via the cluster's project template, while giving the appearance to the user that they created the project.

With this in mind, I strongly suggest that you remove the ability to directly create projects from both service accounts, and instead give them create/list on projectrequests.  If for some reason you need to directly allow the creation of projects from these SAs (and skip the project template), use the `oc adm new-project` command.
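To make the distinction in the comment above concrete, here are the two policy shapes side by side as an added example (not part of the bug report or of any comment): the over-privileged one, which gives a service account `create` directly on `projects`, and the recommended one, which grants `create` and `list` on `projectrequests`. The role names (`project-creator-direct`, `project-requester`), the service account `project-bot` and its namespace `tooling` are placeholders; the `apiVersion: v1` ClusterRole form is the OpenShift 3.x authorization API and is assumed to match the reporter's 3.5 cluster.

```yaml
# Added example, not from the bug. Role, service account and namespace
# names are placeholders.

# --- Shape the report describes: direct create on projects.
# This skips the cluster's project template; the API reserves direct
# project/namespace creation for a small set of privileged callers.
apiVersion: v1
kind: ClusterRole
metadata:
  name: project-creator-direct
rules:
- apiGroups: [""]
  resources: ["projects"]
  verbs: ["create"]
---
# --- Shape Comment 4 recommends: ask the API to create the project on
# the caller's behalf through projectrequests (the path `oc new-project`
# uses), so the project template is always applied.
apiVersion: v1
kind: ClusterRole
metadata:
  name: project-requester
rules:
- apiGroups: [""]
  resources: ["projectrequests"]
  verbs: ["create", "list"]
```

Apply the second role and drop the first with `oc adm policy add-cluster-role-to-user project-requester -z project-bot -n tooling` and `oc adm policy remove-cluster-role-from-user project-creator-direct -z project-bot -n tooling`, then confirm with `oc adm policy who-can create projectrequests` before re-running `oc new-project` as the service account. The built-in `self-provisioner` cluster role already grants `create` on `projectrequests`, so binding that role to the service account is the shortest equivalent of the custom `project-requester` role shown here.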

Comment 5 Sten Turpin 2017-09-20 14:03:35 UTC
Created attachment 1328449 [details]
projectrequests perms

Comment 6 Simo Sorce 2017-09-29 14:54:18 UTC
It seems it was a custom configuration issue after all, closing as not a bug

