Description of problem:
The broker does not take into account the groups a user is a member of when determining the permissions and will deny them even if they have access. The broker does not take into account the scopes of a user when determining the permissions and could allow a user to execute even if they do not have full access.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Create user with no permissions but a member of a group that has admin access to the namespace
2. Provision app into the namespace
3. ASB will deny the user.

1. Create user with cluster-role admin but limit the scope to a namespace
2. Provision app into another namespace
3. ASB will allow the user to provision the app

Actual results:

Expected results:
The ASB should respect the correct permissions.

Additional info:
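As an added illustration of the two authorization defects in this report (a constructed Go model, not code from ansible-service-broker or its PRs), the buggy check matches the username alone and never looks at token scopes, while the corrected check also considers the user's groups and refuses namespaces outside the token's scope. All type, user, group and namespace names here are made up.

```go
package main

import "fmt"

// Subject is the caller as the broker sees it; ScopedNamespaces is empty when the
// token has no scope restriction. A Binding grants admin to "user:<name>" or
// "group:<name>", cluster-wide when Namespace is "". All names are constructed.
type Subject struct{ User string; Groups, ScopedNamespaces []string }
type Binding struct{ Principal, Namespace string }

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// grants reports whether any binding covers one of the principals in ns.
func grants(bindings []Binding, principals []string, ns string) bool {
	for _, b := range bindings {
		if contains(principals, b.Principal) && (b.Namespace == "" || b.Namespace == ns) {
			return true
		}
	}
	return false
}

// buggyAllowed models the reported behaviour: username only, scopes ignored.
func buggyAllowed(s Subject, ns string, bindings []Binding) bool {
	return grants(bindings, []string{"user:" + s.User}, ns)
}

// fixedAllowed enforces the token's scope, then matches the user and its groups.
func fixedAllowed(s Subject, ns string, bindings []Binding) bool {
	if len(s.ScopedNamespaces) > 0 && !contains(s.ScopedNamespaces, ns) {
		return false
	}
	principals := []string{"user:" + s.User}
	for _, g := range s.Groups {
		principals = append(principals, "group:"+g)
	}
	return grants(bindings, principals, ns)
}

func main() {
	bindings := []Binding{{"group:team-a-admins", "team-a"}, {"user:bob", ""}}
	alice := Subject{User: "alice", Groups: []string{"team-a-admins"}}
	bob := Subject{User: "bob", ScopedNamespaces: []string{"team-a"}}
	fmt.Println(buggyAllowed(alice, "team-a", bindings), fixedAllowed(alice, "team-a", bindings)) // false true
	fmt.Println(buggyAllowed(bob, "team-b", bindings), fixedAllowed(bob, "team-b", bindings))     // true false
}
```

The two lines printed by main correspond to the report's two reproduction sequences: the group-granted user wrongly denied, and the namespace-scoped cluster admin wrongly allowed into another namespace.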
Fixed in PRs:
https://github.com/openshift/ansible-service-broker/pull/696 for version 1.0
https://github.com/openshift/ansible-service-broker/pull/694 for version 1.1
https://github.com/openshift/ansible-service-broker/pull/693 for canary and latest version.
Changing status to "MODIFIED" since downstream image not ready for test.
PR #694 was merged in 1.1.9, and downstream image ready for test. Changing status to ON_QA
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0489