Bug 1536340 - [DOCS] cluster-admins can modify route via CLI
Summary: [DOCS] cluster-admins can modify route via CLI
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.6.0
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: ---
: ---
Assignee: brice
QA Contact: Meng Bo
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-19 07:56 UTC by wangzhida
Modified: 2021-03-11 16:58 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1540783
Environment:
Last Closed: 2018-02-19 04:00:16 UTC
Target Upstream Version:
Embargoed:


Description wangzhida 2018-01-19 07:56:55 UTC
Description of problem:
- According to the doc below, the hostname cannot be modified after it is created:
https://access.redhat.com/documentation/en-us/openshift_container_platform/3.6/html-single/cluster_administration/#admin-guide-disabling-hostname-collision
- However, when I log in as a cluster-admin user, I can use "$ oc edit route" to change the hostname, and it is updated successfully.
- I do know the permissions of this cluster role are high, but this cannot be reproduced when using the web console.
- I can't reproduce this with a user bound only to a project admin role.

Version-Release number of selected component (if applicable):
currently, 3.6 only


How reproducible:
1. Create a route for a service.
2. oc login with a user bound to cluster-admins.
3. Use "oc edit route <xxxx>" and modify the hostname, then save and quit.
4. The info of the route will be successfully updated.

ex. Log in with the same user from the web console and go to the route's page; it will always show "can't modify".

ex2. Log in as a user who is not a cluster-admin but is admin of the project and do the same thing as step 3; you will get the error below:

error: routes "xxxxxxxx" is invalid

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
# routes "xxxxxxxxx" was not valid:
# * spec.host: Invalid value: "xxxxxxxxxx.cloudapp.example.com": field is immutable


Actual results:
- The route can be modified, and this does not match the info in our doc.

Expected results:
- Please help to check whether this is a known issue and needs to be fixed.
- The customer doubt this is a security risk
- If this is by design, we need an official doc to share with the customer.
- If this is by design, I think it would be better to add some description to the doc.


Many thanks to you.

Comment 2 Miciah Dashiel Butler Masters 2018-01-29 22:12:16 UTC
It is correct that a cluster administrator is able to modify the host name on an existing route.  This is because the ability to modify a route's host name is conferred by having access to the "update" verb on the "routes/custom-host" resource (added in 3.6: <https://github.com/openshift/origin/pull/13905>; thanks Ben for pointing this out!), and the cluster-admin role grants "update" access to all resources.

This is therefore an error in the documentation, and so I am re-assigning this report to the "Documentation" component.

I have made a PR to change the documentation to state explicitly that the cluster administrator can edit the host name on an existing route, and also to document how to grant other users the same ability.

PR: https://github.com/openshift/openshift-docs/pull/7398
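
As an added example (not part of this bug report or of the OpenShift code base), the audit sketch below lists which roles in a role dump grant the "update" verb on "routes/custom-host", the permission comment 2 identifies. It assumes role objects shaped like `oc get clusterroles -o json` output and matches only exact names and the "*" wildcard; the sample roles are constructed, and the API group names and the "route-host-editor" role are assumptions.

```python
import json
import sys

# Assumption: API groups that serve routes ("" is the legacy group).
ROUTE_GROUPS = {"", "route.openshift.io"}
TARGET = "routes/custom-host"  # resource named in comment 2


def _matches(allowed, wanted):
    """True if the rule's list names any wanted value or the '*' wildcard."""
    allowed = set(allowed or [])
    return "*" in allowed or bool(allowed & set(wanted))


def rule_grants_custom_host(rule, verb="update"):
    """Simplified matcher: exact names and '*' only, no other wildcard forms."""
    return (
        _matches(rule.get("apiGroups"), ROUTE_GROUPS)
        and _matches(rule.get("resources"), {TARGET})
        and _matches(rule.get("verbs"), {verb})
    )


def roles_granting_custom_host(role_list, verb="update"):
    """Return the sorted names of roles with at least one matching rule."""
    hits = []
    for role in role_list.get("items", []):
        if any(rule_grants_custom_host(r, verb) for r in role.get("rules") or []):
            hits.append(role["metadata"]["name"])
    return sorted(hits)


# Constructed sample roles (not taken from a real cluster).
SAMPLE = {"items": [
    {"metadata": {"name": "cluster-admin"},      # wildcard on everything
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "admin"},              # routes, but not the subresource
     "rules": [{"apiGroups": ["", "route.openshift.io"], "resources": ["routes"],
                "verbs": ["get", "list", "update", "delete"]}]},
    {"metadata": {"name": "route-host-editor"},  # hypothetical explicit grant
     "rules": [{"apiGroups": ["route.openshift.io"], "resources": [TARGET],
                "verbs": ["create", "update"]}]},
    {"metadata": {"name": "apps-wildcard"},      # wildcard, but in another group
     "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}]},
]}

if __name__ == "__main__":
    # Pass a JSON role dump as the first argument, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(roles_granting_custom_host(data)))
```

Roles reported by this check still need to be traced to their bindings to see which users and groups actually hold them.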

Comment 3 wangzhida 2018-01-30 07:03:18 UTC
(In reply to Miciah Dashiel Butler Masters from comment #2)
> It is correct that a cluster administrator is able to modify the host name
> on an existing route.  This is because the ability to modify a route's host
> name is conferred by having access to the "update" verb on the
> "routes/custom-host" resource (added in 3.6:
> <https://github.com/openshift/origin/pull/13905>; thanks Ben for pointing
> this out!), and the cluster-admin role grants "update" access to all
> resources.
> 
> This is therefore an error in the documentation, and so I am re-assigning
> this report to the "Documentation" component.
> 
> I have made a PR to change the documentation to state explicitly that the
> cluster administrator can edit the host name on an existing route, and also
> to document how to grant other users the same ability.
> 
> PR: https://github.com/openshift/openshift-docs/pull/7398

Hi, thank you for your feedback, but I still have one question: why can't we modify the hostname from the Web Console, even though I log in as a cluster-admin user?

Looking forward to your reply, thank you.


Regards
Wangzhida

Comment 4 openshift-github-bot 2018-02-01 00:30:46 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/4e7bc64dc24e481e94109819305b06421d0dc898
managing_networking: Document routes/custom-host

Change the heading "Disabling Host Name Collision Prevention For Ingress
Objects" to read "Routes and Ingress Objects" because the section discusses
both routes and ingresses.

Reorder the text to first state what host name collision prevention is,
then its purpose, and then how to disable it.

Explicitly state that the cluster administrator can edit the host name on
an existing route.

Document how to disable host name collision prevention for routes.

Add a "WARNING" marker to the text that explains about host name hijacking.

This commit fixes bug 1536340.

https://bugzilla.redhat.com/show_bug.cgi?id=1536340

Comment 5 Miciah Dashiel Butler Masters 2018-02-01 01:41:20 UTC
Sorry, Zhida, I missed what you said in comment 3 till Brice pointed it out to me.  I tried to reproduce the problem you reported.  It looks like the management console reports a successful update but silently drops all edits to the route host.  I reported the exact behavior that I saw as bug 1540783.  Can you confirm that this is the same problem that you saw?

Comment 6 wangzhida 2018-02-01 02:41:21 UTC
(In reply to Miciah Dashiel Butler Masters from comment #5)
> Sorry, Zhida, I missed what you said in comment 3 till Brice pointed it out
> to me.  I tried to reproduce the problem you reported.  It looks like the
> management console reports a successful update but silently drops all edits
> to the route host.  I reported the exact behavior that I saw as bug 1540783.
> Can you confirm that this is the same problem that you saw?


Hi,

When I log in to the Mgt Console using cluster-admin, go to "route" and click "edit", the page always shows "The hostname can't be changed after the route is created" and I can't modify the "hostname" field. However, I just found that if I use "edit YAML" I can successfully update the hostname; this matches the result when using $ oc edit route. By comparison, regular users get the error below at the top of the page when editing YAML:

Failed to process the resource.
Reason: Route "xxxxxx" is invalid: spec.host: Invalid value: "xxxxxx.cloudapp.example.com": field is immutable


My env: OCP3.6


Thanks.

Comment 7 brice 2018-02-19 04:00:16 UTC
The docs PR above has merged, so I'm going to close this BZ. Feel free to continue the conversation, here or in 1540783.

If there's anything more for this, please let me know and we can do a followup PR for the docs.

Here's a link to the released docs:

https://access.redhat.com/documentation/en-us/openshift_container_platform/3.7/html-single/cluster_administration/#admin-guide-disabling-hostname-collision

