Description of problem:
Viewer could not get serviceinstance resources

Version-Release number of selected component (if applicable):
oc v3.7.0-0.131.0
<brew-registry>/openshift3/ose-service-catalog v3.7 039b461b7213 34 hours ago 348.2 MB

How reproducible:
Always

Steps to Reproduce:
1. User1 creates project "test", provisions a service and creates a binding on the web console, taking Hello World (APB) as an example
$ oc get serviceinstances
NAME                                                    KIND
dh-ansibleplaybookbundle-hello-world-apb-latest-wkb3c   ServiceInstance.v1alpha1.servicecatalog.k8s.io
2. Add user2 with view permission on his project
$ oc policy add-role-to-user view user2 -n test
3. User2 logs in via CLI and tries "oc get serviceinstances -n test"
$ oc get serviceinstances
Error from server (Forbidden): User "user2" cannot list serviceinstances.servicecatalog.k8s.io in the namespace "test": User "user2" cannot list serviceinstances.servicecatalog.k8s.io in project "test" (get serviceinstances.servicecatalog.k8s.io)

Actual results:
1. serviceinstance is created successfully
3. Error from server (Forbidden): User "user2" cannot list serviceinstances.servicecatalog.k8s.io in the namespace "test": User "user2" cannot list serviceinstances.servicecatalog.k8s.io in project "test" (get serviceinstances.servicecatalog.k8s.io)

Expected results:
3. viewer "user2" should be able to list serviceinstances

Additional info:
Related issue: https://github.com/openshift/origin/issues/16585
Since Simo was assigned 16585, assigning this bugzilla to him as well. We'll let him decide if we need to carry both issues (they seem to be the same root cause on the surface). Or reassign if I have misread things :-) CC:ing a few potentially interested parties as well.
Reassigning, this is Service Catalog territory
Paul, this is blocking acceptance of a 3.7 trello card. Can you find someone to make these changes?
This should actually be fixed in master now.
Checked on v3.7.0-0.143.3
brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-service-catalog v3.7 3327e47e8acc 18 hours ago 348.2 MB

1. User "yapei" provisions a service successfully in project/yapei-test
# oc get serviceinstance -n yapei-test
NAME                       KIND
dh-hello-world-apb-m1kqw   ServiceInstance.v1alpha1.servicecatalog.k8s.io
2. Add view role to user "yapeiview" on project/yapei-test
# oc get rolebinding -n yapei-test
NAME   ROLE    USERS       GROUPS   SERVICE ACCOUNTS   SUBJECTS
view   /view   yapeiview
3. User "yapeiview" logs in and checks serviceinstance
# oc login --server=<server>
......
Username: yapeiview
Password:
Login successful.

You have one project on this server: "yapei-test"

Using project "yapei-test".
Welcome! See 'oc help' to get started.
# oc get serviceinstance
Error from server (Forbidden): User "yapeiview" cannot list serviceinstances.servicecatalog.k8s.io in the namespace "yapei-test": User "yapeiview" cannot list serviceinstances.servicecatalog.k8s.io in project "yapei-test" (get serviceinstances.servicecatalog.k8s.io)

The issue still reproduces; assigning back.
Apologies; I realize now that I have misunderstood this bug. Jeff, we will need to add code to pkg/oc/bootstrap/docker/openshift/servicecatalog.go that alters the view role to add list/get/watch permissions on serviceinstances and servicebindings.
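The permission gap this comment describes, shown with an added Go example that is not code from the origin repository: a simplified stand-in for Kubernetes RBAC PolicyRule matching (the PolicyRule type and Allows function are constructed here, not imported from the project) evaluates the viewer's request against a constructed subset of the default view role before and after the servicecatalog.k8s.io grant is appended.

```go
package main

import "fmt"

// PolicyRule is a simplified stand-in for the Kubernetes RBAC PolicyRule
// (apiGroups/resources/verbs); defined here for the example, not taken from the project.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// contains reports whether want is in list, treating "*" as a wildcard as RBAC does.
func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want || s == "*" {
			return true
		}
	}
	return false
}

// Allows reports whether any rule grants verb on group/resource: a request is
// permitted only if one rule matches all three fields (no partial matches).
func Allows(rules []PolicyRule, verb, group, resource string) bool {
	for _, r := range rules {
		if contains(r.APIGroups, group) && contains(r.Resources, resource) && contains(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// BaseViewRules is a constructed subset of the default "view" role: read access to
// core workloads (group "") and nothing at all for servicecatalog.k8s.io.
var BaseViewRules = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"pods", "services", "configmaps"}, Verbs: []string{"get", "list", "watch"}},
}

// ServiceCatalogViewRule is the read-only grant the comment above asks for:
// get/list/watch on serviceinstances and servicebindings, no write verbs.
var ServiceCatalogViewRule = PolicyRule{
	APIGroups: []string{"servicecatalog.k8s.io"},
	Resources: []string{"serviceinstances", "servicebindings"},
	Verbs:     []string{"get", "list", "watch"},
}

// FixedViewRules returns the view role with the service catalog grant appended.
func FixedViewRules() []PolicyRule {
	return append(append([]PolicyRule{}, BaseViewRules...), ServiceCatalogViewRule)
}

func main() {
	const group, res = "servicecatalog.k8s.io", "serviceinstances"
	fmt.Println("viewer can list before fix:", Allows(BaseViewRules, "list", group, res))      // false: the Forbidden error
	fmt.Println("viewer can list after fix:", Allows(FixedViewRules(), "list", group, res))    // true
	fmt.Println("viewer can delete after fix:", Allows(FixedViewRules(), "delete", group, res)) // false: still read-only
}
```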
https://github.com/openshift/origin/pull/16872
PR has been merged
Waiting for fix in bug 1506976 merged to verify this bug
Checked on v3.7.0-0.190.0
registry.reg-aws.openshift.com:443/openshift3/ose-service-catalog v3.7.0-0.190.0 2a40aff211de 16 hours ago 266 MB

User with 'view' role could watch ServiceInstances on web console & CLI
$ oc policy add-role-to-user view <user> -n <project>

Move to VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188