Bug 1538732 – Broker does not respect scopes or groups of a user when determining access to run APB

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1538732 - Broker does not respect scopes or groups of a user when determining access to run APB

Summary:	Broker does not respect scopes or groups of a user when determining access to...

Status:	CLOSED ERRATA

Aliases:	None

Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Service Broker (Show other bugs)
Sub Component:
Version:	3.9.0
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	3.9.0
Assigned To:	Shawn Hurley
QA Contact:	Zhang Cheng
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2018-01-25 12:10 EST by Shawn Hurley
Modified:	2018-03-28 10:22 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: ASB was not passing extra scopes to the subject rules review. Consequence: The limitation of scopes to not be respected. Fix: Send scopes to subject rules review Result:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-03-28 10:22:32 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0489	None	None	None	2018-03-28 10:22 EDT

Groups: None (edit)

Description Shawn Hurley 2018-01-25 12:10:25 EST

Description of problem:
The broker does not take into account the groups a user is a member of when determining the permissions and will deny them even if they have access.

The broker does not take into account the scopes of a user when determining the permissions and could allow a user to execute even if they do not have full access. 


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Create user with no permissions but a member of a group that has admin access to the namespace
2. Provision app into the namespace
3. ASB will deny the user.

1. Create user with cluster-role admin but limit the scope to a namespace
2. Provision app into another namespace
3. ASB will allow the user to provision the app

Actual results:


Expected results:
The ASB should respect the correct permissions.

Additional info:

Comment 1 Shawn Hurley 2018-01-30 10:51:28 EST

Fixed in PRs:

https://github.com/openshift/ansible-service-broker/pull/696 for version 1.0
https://github.com/openshift/ansible-service-broker/pull/694 for version 1.1
https://github.com/openshift/ansible-service-broker/pull/693 for canary and latest version.

Comment 3 Zhang Cheng 2018-02-04 06:46:27 EST

Changing status to "MODIFIED" since downstream image not ready for test.

Comment 4 Zhang Cheng 2018-02-06 00:55:34 EST

PR #694 was merged in 1.1.9, and downstream image ready for test. Changing status to ON_QA

Comment 8 errata-xmlrpc 2018-03-28 10:22:32 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489

Note You need to log in before you can comment on or make changes to this bug.