
Bug 1529447

Summary: Normal user `oc explain resource` shows "Error from server (Forbidden): unknown"
Product: OpenShift Container Platform
Reporter: Xingxing Xia <xxia>
Component: oc
Assignee: Juan Vallejo <jvallejo>
Status: CLOSED CURRENTRELEASE
QA Contact: Xingxing Xia <xxia>
Severity: low
Priority: medium
Version: 3.9.0
CC: aos-bugs, ccoleman, deads, jliggitt, jokerman, mmccomas, smunilla, xxia
Target Milestone: ---
Keywords: Regression
Target Release: 3.9.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: v3.9.0-0.24.0
Last Closed: 2018-06-13 20:22:20 UTC
Type: Bug

Description Xingxing Xia 2017-12-28 06:56:25 UTC
Description of problem:
Normal user `oc explain resource` shows "Error from server (Forbidden): unknown".
Cluster admin can run it successfully.

Version-Release number of selected component (if applicable):
oc/OCP v3.9.0-0.9.0
Test with oc/OCP v3.9.0-0.8.0 does not reproduce.

How reproducible:
Always

Steps to Reproduce:
1. oc login to server
2. oc explain pod
oc explain bc
3. Check --loglevel 6 info
oc explain pod --loglevel 6

Actual results:
2. Shows "Error from server (Forbidden): unknown"
3. Shows:
I1228 01:36:21.447220   95638 loader.go:357] Config loaded from file /home/xxia/.kube/config
I1228 01:36:21.511220   95638 round_trippers.go:436] GET https://MASTER:8443/swagger-2.0.0.pb-v1 403 Forbidden in 36 milliseconds
I1228 01:36:21.511602   95638 helpers.go:201] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "unknown",
  "reason": "Forbidden",
  "details": {
    "causes": [
      {
        "reason": "UnexpectedServerResponse",
        "message": "unknown"
      }
    ]
  },
  "code": 403
}]
F1228 01:36:21.511991   95638 helpers.go:119] Error from server (Forbidden): unknown

Expected results:
2. Should explain resource as before:
DESCRIPTION:
     Pod is a collection of containers that can run on a host. This resource is
     created by clients and scheduled onto hosts.

FIELDS:
   apiVersion    <string>
...

Additional info:

Comment 1 Juan Vallejo 2018-01-12 22:16:24 UTC
We recently switched from using the /swaggerapi endpoint, to `/swagger-2.0.0...` as part of a switch to use the OpenAPI schema.

Permissions to access the openapi endpoint were fixed upstream in https://github.com/kubernetes/kubernetes/pull/53359 and were brought into Origin in the 1.9.0 beta.1 rebase https://github.com/openshift/origin/pull/17576

I believe you might be hitting a cluster that has not been updated with this patch yet.

What I do find strange is that you are getting an "unknown" message back from the server rather than the expected 'User "..." cannot "get" on "/swagger-2.0.0.pb-v1"'.

Please let me know if you are still hitting this error against the latest (or fairly recent) version of the server.

Lowering severity for the time being.

@Jordan I'm wondering if it'd be worth picking https://github.com/kubernetes/kubernetes/pull/53359 into previous Origin releases?
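
A triage helper for the `--loglevel 6` output in the description, as an added example that is not part of the bug report or of oc: it picks out requests the server denied and marks whether the path is a non-resource URL such as the OpenAPI schema endpoint, which RBAC grants through `nonResourceURLs` rules rather than resource rules. The function names and the path classification (an approximation of the API server's, with /oapi assumed to behave like /api) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Client-side log lines copied from the report above (host appears as MASTER there).
SAMPLE_LOG = """\
I1228 01:36:21.447220   95638 loader.go:357] Config loaded from file /home/xxia/.kube/config
I1228 01:36:21.511220   95638 round_trippers.go:436] GET https://MASTER:8443/swagger-2.0.0.pb-v1 403 Forbidden in 36 milliseconds
F1228 01:36:21.511991   95638 helpers.go:119] Error from server (Forbidden): unknown
"""

# round_trippers.go summary: "<VERB> <URL> <code> <status text> in <n> milliseconds"
REQUEST_RE = re.compile(
    r"round_trippers\.go:\d+\] (?P<verb>[A-Z]+) (?P<url>\S+) (?P<code>\d{3}) .* in \d+ milliseconds"
)


def is_resource_path(path):
    """Approximate the API server's split between resource and non-resource paths.

    /api/<version>/<resource>... and /apis/<group>/<version>/<resource>... are
    resource requests; shorter discovery paths and everything outside those
    prefixes (schema endpoints, /healthz, ...) are non-resource URLs.
    Assumption: /oapi is groupless like /api.
    """
    parts = [p for p in path.split("/") if p]
    if not parts or parts[0] not in ("api", "apis", "oapi"):
        return False
    return len(parts) >= (4 if parts[0] == "apis" else 3)


def denied_requests(log_text):
    """Return (verb, path, kind) for each request answered with 401 or 403."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m.group("code") not in ("401", "403"):
            continue
        path = urlsplit(m.group("url")).path
        kind = "resource" if is_resource_path(path) else "non-resource"
        findings.append((m.group("verb"), path, kind))
    return findings


if __name__ == "__main__":
    for verb, path, kind in denied_requests(SAMPLE_LOG):
        print(f"{verb} {path}: denied ({kind} URL)")
```

A "non-resource" result means the denial concerns a rule on the URL itself, not the user's access to pods or build configs.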

Comment 2 Jordan Liggitt 2018-01-12 22:35:57 UTC
opened https://github.com/openshift/origin/pull/18105 for 3.8

Comment 3 Xingxing Xia 2018-01-15 05:59:09 UTC
Checked with latest oc/OCP v3.9.0-0.19.0; a normal user can now get explanations via commands like `oc explain pod`, `oc explain svc.spec`.
However, some do not work:
$ oc explain bc
error: Couldn't find resource for "/v1, Kind=BuildConfig"
$ oc explain dc
error: Couldn't find resource for "/v1, Kind=DeploymentConfig"

Comment 4 Juan Vallejo 2018-01-15 16:09:23 UTC
Currently taking a look at an open GitHub issue to address this: https://github.com/openshift/origin/issues/17766

Comment 5 Juan Vallejo 2018-01-22 15:16:28 UTC
Origin PR: https://github.com/openshift/origin/pull/18157

Comment 6 Xingxing Xia 2018-01-24 08:15:24 UTC
PR is not in latest available v3.9.0-0.23.0. Waiting for next available OCP puddle to verify it. Will also verify with '--api-version'

Comment 7 Xingxing Xia 2018-01-24 08:20:11 UTC
*** Bug 1536845 has been marked as a duplicate of this bug. ***

Comment 8 Xingxing Xia 2018-01-26 07:21:59 UTC
Checked in v3.9.0-0.24.0; all of the commands below now return explanations successfully:
oc explain bc
oc explain job --api-version=batch/v1
oc explain is.spec --api-version=image.openshift.io/v1