Description of problem:
If a user does not own the project and only has the view role plus a customized role with create/delete/get/list rights on serviceinstances, then after provisioning to this project the user cannot see the created resources in the web console, but can see them immediately with oc.

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.178.1
openshift3/ose-service-catalog v3.7 9aedf32020c2

How reproducible:
Always

Steps to Reproduce:
1. Set up an OCP env with TSB enabled in the ansible installation
2. Prepare two users, e.g. A and B
3. Create a project test-tsb with user A
4. Add the view role to user B on project test-tsb
5. Create a role with the JSON below
{
  "kind": "Role",
  "apiVersion": "rbac.authorization.k8s.io/v1beta1",
  "metadata": {
    "name": "tsb-test-new"
  },
  "rules": [
    {
      "verbs": ["get", "list", "create", "delete"],
      "resources": ["serviceinstances"],
      "apiGroups": ["servicecatalog.k8s.io"]
    },
    {
      "verbs": ["get", "delete", "list", "watch", "create", "update"],
      "resources": ["secrets"],
      "apiGroups": [""]
    }
  ]
}
6. Add this role to user B on project test-tsb
7. Log into the web console with user B
8. Provision a template to project test-tsb
   WHO provisions the template? A or B?
9. Check the provisioned resource and keep refreshing for several minutes
10. Log in with user B via oc
11. oc get serviceinstance

Actual results:
9. Nothing displays
11. The serviceinstance displays immediately.

Expected results:
9. Should display the serviceinstance, as when provisioning in an owned project

Additional info:
The scenario below also hits this issue: user A has the view role on project C, which is owned by user B. Then user A cannot see the provisioned resources in project C in the web console.
This is either a security bug or a web console bug. I don't think it's likely specific to the service catalog resources (though it may be specific to the service catalog flows through the web console). Going to start it w/ the web console and let them take it from there, but adding Paul Morie just in case.
I can't reproduce. I see this error when I try to provision:

Error MariaDB (Persistent) failed to provision in roles. Error provisioning ServiceInstance of ClusterServiceClass (K8S: "f1541bee-bb26-11e7-b4f6-ba7715b40875" ExternalName: "mariadb-persistent") at ClusterServiceBroker "template-service-broker": Status: 403; ErrorMessage: <nil>; Description: templateinstances.template.openshift.io "0ef3e752-551e-4414-998c-4f6073e414b3" is forbidden: User "tsb-test" cannot create templateinstances.template.openshift.io in project "roles"; ResponseError: <nil>

When I go to the project overview, I see the provisioned service immediately, however.
Created attachment 1344522
Provisioned service is visible immediately

The provision failed, but I can see the service immediately.
I am running cluster up, however, so this might be specific to the catalog installed via the ansible installation
We check if the user can watch serviceinstances. It looks like the view role cannot watch serviceinstances in an ansible install. https://github.com/openshift/origin-web-console/blob/master/app/scripts/controllers/overview.js#L1341
Matthew- It looks like the view roles need to be updated in the installer, similar to https://github.com/openshift/origin/pull/16872 . Would you take a look?
I am somewhat confused about what we want to do with this bug. As far as I can tell, the issue is that the role created in Step 5 requires "watch" permissions for ServiceInstances, because the web console verifies that the user has the "watch" permission before fetching the ServiceInstances. So, which of the following is the underlying issue here that needs to be addressed?
1) The steps to set up the role for the other user are missing the "watch" permission.
2) The user should not have to add a special service catalog role to give another user permission. The permissions should be included automatically as part of the view role on the project.
3) The web console should not rely on the user having "watch" permission on ServiceInstances.
A user with View permission on a project should have watch on service instances. The View role is not getting updated correctly by the ansible installer.
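The thread's conclusion is that the gap is the missing "watch" verb: the role posted in step 5 grants list but not watch on serviceinstances, so `oc get serviceinstance` (which needs list) works while the overview page, which checks for watch before loading the list, shows nothing. The Python below is an added illustration written for this page, not code from OpenShift, the service catalog or the web console. It models how RBAC PolicyRules are matched (additive, "*" wildcard, exact match otherwise; resourceNames and subresources are deliberately ignored), embeds the step-5 role from the report, constructs a sample list of ServiceInstance names, and shows that role passing the oc-style check and failing the console-style check until watch is added. On a real cluster the equivalent check is `oc auth can-i watch serviceinstances -n test-tsb`, run as user B.

```python
import copy

# The Role from step 5 of the bug description, as posted in the report.
REPORTED_ROLE = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1beta1",
    "metadata": {"name": "tsb-test-new"},
    "rules": [
        {"verbs": ["get", "list", "create", "delete"],
         "resources": ["serviceinstances"],
         "apiGroups": ["servicecatalog.k8s.io"]},
        {"verbs": ["get", "delete", "list", "watch", "create", "update"],
         "resources": ["secrets"],
         "apiGroups": [""]},
    ],
}

# Constructed sample data for this example (not from the report): the
# ServiceInstance objects that would exist in project test-tsb.
SAMPLE_INSTANCES = [
    {"name": "mariadb-persistent-1", "namespace": "test-tsb"},
    {"name": "mysql-persistent-1", "namespace": "test-tsb"},
]

SC_GROUP = "servicecatalog.k8s.io"


def _matches(allowed, value):
    """RBAC list matching: "*" is a wildcard, anything else is an exact match."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """A PolicyRule grants a request only if verb, apiGroup and resource all
    match. resourceNames and nonResourceURLs are ignored in this model."""
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource))


def can_i(roles, verb, api_group, resource):
    """RBAC is purely additive: the request is allowed if any rule of any
    bound role matches it. There are no deny rules to consider."""
    return any(rule_allows(rule, verb, api_group, resource)
               for role in roles for rule in role.get("rules", []))


def oc_get_visible(roles, instances):
    """What `oc get serviceinstance` shows: the list verb alone is enough."""
    if not can_i(roles, "list", SC_GROUP, "serviceinstances"):
        return []
    return list(instances)


def console_visible(roles, instances):
    """The overview page's gate as described in the thread: serviceinstances
    are only loaded when the user may also *watch* them, so a role with list
    but without watch yields an empty overview."""
    if not can_i(roles, "watch", SC_GROUP, "serviceinstances"):
        return []
    return list(instances)


def with_verb(role, api_group, resource, verb):
    """Return a copy of `role` with `verb` added to every rule that already
    covers api_group/resource; all other rules stay as they are."""
    fixed = copy.deepcopy(role)
    for rule in fixed["rules"]:
        if (_matches(rule["apiGroups"], api_group)
                and _matches(rule["resources"], resource)
                and verb not in rule["verbs"]):
            rule["verbs"].append(verb)
    return fixed


def missing_verbs(roles, api_group, resource, wanted=("get", "list", "watch")):
    """Which of the read verbs expected from a view-style role are absent."""
    return [v for v in wanted if not can_i(roles, v, api_group, resource)]


if __name__ == "__main__":
    roles = [REPORTED_ROLE]
    print("oc get sees:       ", [i["name"] for i in oc_get_visible(roles, SAMPLE_INSTANCES)])
    print("web console sees:  ", [i["name"] for i in console_visible(roles, SAMPLE_INSTANCES)])
    print("missing verbs:     ", missing_verbs(roles, SC_GROUP, "serviceinstances"))
    fixed = with_verb(REPORTED_ROLE, SC_GROUP, "serviceinstances", "watch")
    print("after adding watch:", [i["name"] for i in console_visible([fixed], SAMPLE_INSTANCES)])
```

The point of `with_verb` is that the fix is narrow: adding watch to the rule that already covers serviceinstances does not widen access to any other group or resource, which is the same property one wants from the installer's updated view role.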
Fixed by https://github.com/openshift/openshift-ansible/pull/5938
Verified with the version below:
openshift v3.7.0-0.190.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

Can create a serviceinstance and see it immediately in the web console with the steps in the description.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188