Description of problem:
- According to the doc below, the hostname cannot be modified after it is created:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/3.6/html-single/cluster_administration/#admin-guide-disabling-hostname-collision
- However, when I log in with a cluster-admin user, I can use "$oc edit route" to change the hostname and it will be updated successfully.
- I do know the permission of this cluster role is high, but this cannot be reproduced when using the web console.
- I can't reproduce this with a user bound only to a project admin role.

Version-Release number of selected component (if applicable):
currently, 3.6 only

How reproducible:
1. Create a route for a service.
2. oc login with a user bound to cluster-admins.
3. Use "oc edit route <xxxx>" and modify the hostname, then save and quit.
4. The info of the route will be successfully updated.

ex. Log in with the same user from the web console and go to the page of the route; it will always show "can't modify".
ex2. Log in with a non-cluster-admin user who is admin of the project and do the same thing as step 3; you will get the error below:

error: routes "xxxxxxxx" is invalid
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
# routes "xxxxxxxxx" was not valid:
# * spec.host: Invalid value: "xxxxxxxxxx.cloudapp.example.com": field is immutable

Actual results:
- The route can be modified, and this does not match the info in our doc.

Expected results:
- Please help to check whether this is a known issue and needs to be fixed.
- The customer doubts this is a security risk.
- If this is by design, we need an official doc to share with the customer.
- If this is by design, I think it would be better to add some description in the doc.

Many thanks to you.
It is correct that a cluster administrator is able to modify the host name on an existing route. This is because the ability to modify a route's host name is conferred by having access to the "update" verb on the "routes/custom-host" resource (added in 3.6: <https://github.com/openshift/origin/pull/13905>; thanks Ben for pointing this out!), and the cluster-admin role grants "update" access to all resources.

This is therefore an error in the documentation, and so I am re-assigning this report to the "Documentation" component.

I have made a PR to change the documentation to state explicitly that the cluster administrator can edit the host name on an existing route, and also to document how to grant other users the same ability.

PR: https://github.com/openshift/openshift-docs/pull/7398
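The permission check described in the comment above, as an added example that is not part of the original thread and is not OpenShift's own code: it applies Kubernetes-style RBAC rule matching to decide which roles grant "update" on "routes/custom-host". The role names other than cluster-admin, all rule contents, and the API group "route.openshift.io" are constructed assumptions, not dumped from a cluster.

```python
# Added example: which roles allow "update" on "routes/custom-host"?
# All role definitions below are constructed for illustration (assumptions).

def _matches(patterns, value):
    """A verb or API group matches if listed explicitly or via the "*" wildcard."""
    return "*" in patterns or value in patterns

def resource_matches(rule_resources, resource, subresource=""):
    """RBAC resource matching: "routes" alone does NOT cover "routes/custom-host"."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for pattern in rule_resources:
        if pattern == "*" or pattern == combined:
            return True
        # "*/sub" matches that subresource on any parent resource
        if subresource and pattern == f"*/{subresource}":
            return True
    return False

def rule_allows(rule, verb, group, resource, subresource=""):
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), group)
            and resource_matches(rule.get("resources", []), resource, subresource))

def roles_allowing_host_change(roles, group="route.openshift.io"):
    """Sorted names of roles with a rule allowing update on routes/custom-host."""
    return sorted(
        name for name, rules in roles.items()
        if any(rule_allows(r, "update", group, "routes", "custom-host") for r in rules)
    )

# Constructed sample roles (hypothetical, simplified).
SAMPLE_ROLES = {
    # Wildcard rule: grants every verb on every resource, subresources included.
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    # Can update routes, but only "create" on the custom-host resource.
    "project-admin-like": [
        {"apiGroups": ["route.openshift.io"], "resources": ["routes"],
         "verbs": ["get", "list", "create", "update", "delete"]},
        {"apiGroups": ["route.openshift.io"], "resources": ["routes/custom-host"],
         "verbs": ["create"]},
    ],
    # Narrow role granting only the host-change permission.
    "route-host-editor": [
        {"apiGroups": ["route.openshift.io"], "resources": ["routes/custom-host"],
         "verbs": ["update"]},
    ],
}

if __name__ == "__main__":
    for name in roles_allowing_host_change(SAMPLE_ROLES):
        print(name)
```

Feeding it rules exported from a real cluster shows which bindings to review before treating spec.host as immutable for a given user.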
(In reply to Miciah Dashiel Butler Masters from comment #2)
> It is correct that a cluster administrator is able to modify the host name
> on an existing route. This is because the ability to modify a route's host
> name is conferred by having access to the "update" verb on the
> "routes/custom-host" resource (added in 3.6:
> <https://github.com/openshift/origin/pull/13905>; thanks Ben for pointing
> this out!), and the cluster-admin role grants "update" access to all
> resources.
>
> This is therefore an error in the documentation, and so I am re-assigning
> this report to the "Documentation" component.
>
> I have made a PR to change the documentation to state explicitly that the
> cluster administrator can edit the host name on an existing route, and also
> to document how to grant other users the same ability.
>
> PR: https://github.com/openshift/openshift-docs/pull/7398

Hi, thank you for your feedback, but I still have one question: why can't we modify the hostname from the Web Console, even though I log in with a cluster-admin user?

Looking forward to your reply, thank you.

Regards
Wangzhida
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/4e7bc64dc24e481e94109819305b06421d0dc898
managing_networking: Document routes/custom-host

Change the heading "Disabling Host Name Collision Prevention For Ingress Objects" to read "Routes and Ingress Objects" because the section discusses both routes and ingresses.

Reorder the text to first state what host name collision prevention is, then its purpose, and then how to disable it.

Explicitly state that the cluster administrator can edit the host name on an existing route.

Document how to disable host name collision prevention for routes.

Add a "WARNING" marker to the text that explains about host name hijacking.

This commit fixes bug 1536340.

https://bugzilla.redhat.com/show_bug.cgi?id=1536340
Sorry, Zhida, I missed what you said in comment 3 till Brice pointed it out to me. I tried to reproduce the problem you reported. It looks like the management console reports a successful update but silently drops all edits to the route host. I reported the exact behavior that I saw as bug 1540783. Can you confirm that this is the same problem that you saw?
(In reply to Miciah Dashiel Butler Masters from comment #5)
> Sorry, Zhida, I missed what you said in comment 3 till Brice pointed it out
> to me. I tried to reproduce the problem you reported. It looks like the
> management console reports a successful update but silently drops all edits
> to the route host. I reported the exact behavior that I saw as bug 1540783.
> Can you confirm that this is the same problem that you saw?

Hi,

When I log in to the Mgt Console using cluster-admin, go to "route" and click "edit", the page will always show: "The hostname can't be changed after the route is created" and I can't modify the blank for "hostname".

However, I just found that if I use "edit YAML" I can successfully update the hostname; this matches the result when using $oc edit route.

As a comparison, regular users will get the error below at the top of the page when editing YAML:

Failed to process the resource. Reason: Route "xxxxxx" is invalid: spec.host: Invalid value: "xxxxxx.cloudapp.example.com": field is immutable

My env: OCP3.6

Thanks.
The docs PR above has merged, so I'm going to close this BZ. Feel free to continue the conversation, here or in 1540783. If there's anything more for this, please let me know and we can do a followup PR for the docs. Here's a link to the released docs: https://access.redhat.com/documentation/en-us/openshift_container_platform/3.7/html-single/cluster_administration/#admin-guide-disabling-hostname-collision