Bug 1506976 – [TSB] Cannot see resources in webconsole after provision a template to an un-owned project which only have view and create/list/get/delete serviceinstance role granted

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1506976 - [TSB] Cannot see resources in webconsole after provision a template to an un-owned project which only have view and create/list/get/delete serviceinstance role granted

Summary:	[TSB] Cannot see resources in webconsole after provision a template to an un-...

Status:	CLOSED ERRATA

Aliases:	None

Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Service Broker (Show other bugs)
Sub Component:
Version:	3.7.0
Hardware:	Unspecified Unspecified

Priority	medium Severity medium
Target Milestone:	---
Target Release:	3.7.0
Assigned To:	Matthew Staebler
QA Contact:	Wenjing Zheng
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-10-27 06:11 EDT by Wenjing Zheng
Modified:	2017-11-28 17:20 EST (History)
CC List:	9 users (show)

See Also:
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:	undefined
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-11-28 17:20:01 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Provisioned service is visible immediately (163.19 KB, image/png) 2017-10-27 16:12 EDT, Samuel Padgett	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-28 21:34:54 EST

Groups: None (edit)

Description Wenjing Zheng 2017-10-27 06:11:39 EDT

Description of problem:
If a user doesn't own the project, just have view and a customized role with create/delete/get/list serviceinstance right, after provison to this project, this user cannot see created resources. But can see immediately with oc.

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.178.1
penshift3/ose-service-catalog              v3.7                9aedf32020c2

How reproducible:
Always

Steps to Reproduce:
1. Setup OCP env with TSB enabled in ansible installation
2. Prepare two users, like A and B
3. Create a project test-tsb with user A
4. Add view role to user B on project test-tsb
5. Create a role with below json
{
  "kind": "Role",
  "apiVersion": "rbac.authorization.k8s.io/v1beta1",
  "metadata": {
    "name": "tsb-test-new"
    },
  "rules": [
    {
      "verbs": [
        "get",
        "list",
        "create",
        "delete"
        
      ],
   "resources": [
     "serviceinstances"
     ],
   "apiGroups": [
      "servicecatalog.k8s.io"
    ]
   },
   {
   "verbs": [
     "get",
     "delete",
     "list",
     "watch",
     "create",
     "update"
     ],
     "resources": [
       "secrets"
       ],
     "apiGroups": [
        ""
      ]
     }
   ]
}
6. Add this role to user B on project test-tsb
7. Log into webconsle with user B
8. Provison a template to project test-tsb WHO provision the template? A or B?
9. Check the provisoned resource and refresh to several minutes
10.Log in with user B via oc
11.oc get serviceinstance


Actual results:
9.Nothing displays
11.serviceinstance can display immediately.


Expected results:
9. should display serviceinstance like provision in owned project

Additional info:

Comment 1 XiuJuan Wang 2017-10-27 06:17:50 EDT

Below senario also has met this issue.
UserA has view role to project C which owned by userB.Then userA can't see provision resources in projectC in web console.

Comment 3 Ben Parees 2017-10-27 15:33:12 EDT

This is either a security bug or a web console bug.  I don't think it's likely specific to the service catalog resources (though it may be specific to the service catalog flows through the web console).

Going to start it w/ the web console and let them take it from there, but adding Paul Morie just in case.

Comment 4 Samuel Padgett 2017-10-27 16:11:50 EDT

I can't reproduce. I see this error when I try to provision:

Error
MariaDB (Persistent) failed to provision in roles.
Error provisioning ServiceInstance of ClusterServiceClass (K8S: "f1541bee-bb26-11e7-b4f6-ba7715b40875" ExternalName: "mariadb-persistent") at ClusterServiceBroker "template-service-broker": Status: 403; ErrorMessage: <nil>; Description: templateinstances.template.openshift.io "0ef3e752-551e-4414-998c-4f6073e414b3" is forbidden: User "tsb-test" cannot create templateinstances.template.openshift.io in project "roles"; ResponseError: <nil>

When I go to the project overview, I see the provisioned service immediately, however.

Comment 5 Samuel Padgett 2017-10-27 16:12 EDT

Created attachment 1344522 [details]
Provisioned service is visible immediately

The provision failed, but I can see the service immediately.

Comment 6 Samuel Padgett 2017-10-27 16:14:25 EDT

I am running cluster up, however, so this might be specific to the catalog installed via the ansible installation

Comment 7 Samuel Padgett 2017-10-27 16:20:54 EDT

We check if the user can watch serviceinstances. It looks like the view role cannot watch serviceinstances in an ansible install.

https://github.com/openshift/origin-web-console/blob/master/app/scripts/controllers/overview.js#L1341

Comment 8 Paul Morie 2017-10-30 11:43:09 EDT

Matthew-

It looks like the view roles need to be updated in the installer, similar to https://github.com/openshift/origin/pull/16872 . Would you take a look?

Comment 9 Matthew Staebler 2017-10-30 12:34:22 EDT

I am somewhat confused about what we want to do with this bug. As far as I can tell, the issue is that the role created in the Step 5 requires "watch" permissions for ServiceInstances, because the web console verfies that the user has the "watch" permission before fetching the ServiceInstances.

So, which of the following is the underlying issue here that needs to be addressed?
1) The steps to set up the role for the other user are missing the "watch" permission.
2) The user should not have to add a special service catalog role to give another user permission. The permissions should be included automatically as part of the view role on the project.
3) The web console should not rely on the user having "watch" permission on ServiceInstances.

Comment 10 Jessica Forrester 2017-10-30 14:30:24 EDT

A user with View permission on a project should have watch on service instances. The View role is not getting updated correctly by the ansible installer.

Comment 11 Matthew Staebler 2017-10-30 16:11:24 EDT

Fixed by https://github.com/openshift/openshift-ansible/pull/5938

Comment 13 Wenjing Zheng 2017-11-03 02:11:49 EDT

Verified with below version:
openshift v3.7.0-0.190.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

Can create serviceinstance and see it immediately in web console with steps in description.

Comment 16 errata-xmlrpc 2017-11-28 17:20:01 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.