1507598 – Ordinary users are not able to update ServiceInstance

Bug 1507598 - Ordinary users are not able to update ServiceInstance

Summary: Ordinary users are not able to update ServiceInstance

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Service Broker
Sub Component:
Version:	3.7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.7.0
Assignee:	Matthew Staebler
QA Contact:	Qixuan Wang
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-10-30 16:45 UTC by Qixuan Wang
Modified:	2017-11-28 22:20 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Environment:
Last Closed:	2017-11-28 22:20:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	0	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-29 02:34:54 UTC

Description Qixuan Wang 2017-10-30 16:45:22 UTC

Description of problem:
Ordinary users are not able to update ServiceInstance by command "oc edit serviceinstance". 


Version-Release number of selected component (if applicable):
openshift v3.7.0-0.184.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8
ose-service-catalog   v3.7.0-0.185.0.0
ose-ansible-service-broker   v3.7.0-0.185.0.0


How reproducible:
Always


Steps to Reproduce:
1. login using a user that doesn't have the system:admin role.
2. Provision a ServiceInstance.
3. Update the ServiceInstance.
# oc edit serviceinstance xxx


Actual results:
3. # oc edit serviceinstance dh-rhscl-postgresql-apb-qnbkz

error: serviceinstances "dh-rhscl-postgresql-apb-qnbkz" could not be patched: User "qwang1" cannot patch serviceinstances.servicecatalog.k8s.io in the namespace "qwang11": User "qwang1" cannot "patch" "serviceinstances.servicecatalog.k8s.io" with name "dh-rhscl-postgresql-apb-qnbkz" in project "qwang11" (patch serviceinstances.servicecatalog.k8s.io dh-rhscl-postgresql-apb-qnbkz)


Expected results:
3. ServiceInstance is not a cluster level resource, ordinary users can provision/deprovision it, they should edit it too.


Additional info:

Comment 1 Paul Morie 2017-10-30 17:52:42 UTC

Can you clarify whether this cluster was created with oc cluster up, or the ansible installer?

Comment 3 Jeff Peeler 2017-11-01 17:42:12 UTC

This is for "oc cluster up": https://github.com/openshift/origin/pull/17134

Will update bug status once ansible portion is verified.

Comment 4 Matthew Staebler 2017-11-01 18:09:37 UTC

https://github.com/openshift/openshift-ansible/pull/5977

Comment 6 Qixuan Wang 2017-11-07 09:07:03 UTC

Tested on OCP(openshift v3.7.0-0.196.0, kubernetes v1.7.6+a08f5eeb62, etcd 3.2.8, brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-service-catalog:v3.7.0-0.196.0.0, brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-ansible-service-broker:v3.7.0-0.196.0.0)

The bug verification is blocked by this: https://bugzilla.redhat.com/show_bug.cgi?id=1509558

Here is the test result:
[root@qwang_laptop qwang]# oc get pod
NAME                 READY     STATUS    RESTARTS   AGE
postgresql-1-jfd2b   1/1       Running   0          9m

[root@qwang_laptop qwang]# oc get serviceinstance
NAME                            KIND
rh-rhscl-postgresql-apb-r5p4c   ServiceInstance.v1beta1.servicecatalog.k8s.io

[root@qwang_laptop qwang]# oc edit serviceinstance rh-rhscl-postgresql-apb-r5p4c
the provided version "servicecatalog.k8s.io/v1beta1" has no relevant versions: group servicecatalog.k8s.io has not been registered
no matches for servicecatalog.k8s.io/, Kind=ServiceInstance

Comment 7 Qixuan Wang 2017-11-07 10:02:45 UTC

Sorry, with oc v3.7.0-0.196.0, the bug has been fixed, thanks. Ignore comment 6 please.

[root@qwang_laptop qwang]# oc edit serviceinstance rh-rhscl-postgresql-apb-r5p4c
serviceinstance "rh-rhscl-postgresql-apb-r5p4c" edited

Comment 10 errata-xmlrpc 2017-11-28 22:20:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.