Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1541461

Summary: ASB should honor scopes outside of UserInfo.Extra
Product: OpenShift Container Platform Reporter: Mo <mkhan>
Component: Service BrokerAssignee: Shawn Hurley <shurley>
Status: CLOSED ERRATA QA Contact: Zhang Cheng <chezhang>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.9.0CC: aos-bugs, dzager, jmatthew, wjiang
Target Milestone: ---   
Target Release: 3.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: ASB was not passing extra scopes to the subject rules review. Consequence: The limitation of scopes to not be respected. Fix: Send scopes to subject rules review Result:
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-28 14:25:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mo 2018-02-02 16:06:24 UTC 
Description of problem:

Followup from [1].

Due to a bug in how the service catalog encodes the extra information with the X-Broker-API-Originating-Identity header [2], it is currently possible for OpenShift to pass scoped information to the service catalog which is then lost when the ASB parses it.  While the bug in SC has been fixed [3], it is possible that the ASB will be running against a buggy version of the SC for some time.  Thus, the ASB should check for scopes in both in the outer JSON object as well as the Extra object.

Version-Release number of selected component (if applicable):
?

How reproducible:
Always

Steps to Reproduce:
1. Use a buggy version of SC with the ASB
2. Send a scoped request to the SC / ASB (any scope that limits the action such as user:info)

Actual results:
The scope is ignored and the request is authorized.

Expected results:
The scope is not ignored and the request is not authorized.


Additional info:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1539102
[2] https://github.com/kubernetes-incubator/service-catalog/issues/1701
[3] https://github.com/kubernetes-incubator/service-catalog/pull/1702
Comment 1 Shawn Hurley 2018-02-12 21:37:41 UTC 
PRs posted to fix this are here:
https://github.com/openshift/ansible-service-broker/pull/754
https://github.com/openshift/ansible-service-broker/pull/755
https://github.com/openshift/ansible-service-broker/pull/756
Comment 2 David Zager 2018-02-15 19:13:35 UTC 
This has been built downstream.
Comment 3 David Zager 2018-02-15 19:15:07 UTC 
http://pkgs.devel.redhat.com/cgit/rpms/ansible-service-broker/commit/?h=rhaos-3.9-asb-rhel-7&id=3b5dc08dc4c26348161b1b58205afe614da23d9c
Comment 5 weiwei jiang 2018-02-27 10:14:40 UTC 
Checked with 
# openshift version 
openshift v3.9.0-0.53.0
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.8

And the scope is working for asb.

# curl -k -X PUT -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJvcGVuc2hpZnQtYW5zaWJsZS1zZXJ2aWNlLWJyb2tlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhc2ItY2xpZW50LXRva2VuLXYyNGZ0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFzYi1jbGllbnQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3YTg2MzFlMy0xYjkyLTExZTgtYWNjNy00MjAxMGFmMDAwNGQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6b3BlbnNoaWZ0LWFuc2libGUtc2VydmljZS1icm9rZXI6YXNiLWNsaWVudCJ9.jq50oK8ge_THyb_QloLEqOCQRVncnGQaDxim7VjFvVKN5u1XHjTSr9zQd40fAm7gwfPvoopq-CHPCylGE1TEr4Lg69EqwOHA_Qb1HDk-BuS3yFI5rnPI96r35PEay_qe-RGQxfH3gHHJVgyh8JkxrvUnYkyYGnrsKwlVn6irQkACnbNLG9ueRdn1Mind4oBWZ9BVU5AoPeNhRu0xit9dbRiDlumiOoGWD81JOkYRbhDM1ezSKmhF0woS989L_sb0ADQRz20YAWQjRECxF_wYywUkCfWC6_sRGquYmSoPVUTJwtNZ-GCm797i_dVVofEhD0XeO7b9bQJD5cM9IMBtOQ' -H 'Content-type: application/json' -H 'Accept: application/json' -H 'X-Broker-API-Originating-Identity: kubernetes eyJncm91cHMiOlsic3lzdGVtOmF1dGhlbnRpY2F0ZWQ6b2F1dGgiLCJzeXN0ZW06YXV0aGVudGljYXRlZCJdLCJleHRyYSI6eyJzY29wZXMuYXV0aG9yaXphdGlvbi5vcGVuc2hpZnQuaW8iOlsidXNlcjppbmZvIl19LCJ1aWQiOiIxOTYwNjY2Zi0xYmEzLTExZTgtYWNjNy00MjAxMGFmMDAwNGQiLCJ1c2VybmFtZSI6IndqaWFuZyJ9' -d '{  "plan_id": "4707f88a2ff96a4ccc3ec34b575dadb1",  "service_id": "4d0a933f4c238e80527469e77a406093",  "context": {    "platform": "kubernetes",    "namespace": "wjiang"  },  "app_guid":"", "bind_resource":{},  "parameters": {} }' 'https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker/v2/service_instances/1d7cf46e-fa7a-48e6-b0cf-111de19bfe75?accepts_incomplete=true'
{
  "description": "User does not have sufficient permissions"
}
Comment 8 errata-xmlrpc 2018-03-28 14:25:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489