Description of problem:
Followup from [1]. Due to a bug in how the service catalog encodes the extra information in the X-Broker-API-Originating-Identity header [2], it is currently possible for OpenShift to pass scoped information to the service catalog which is then lost when the ASB parses it. While the bug in SC has been fixed [3], it is possible that the ASB will be running against a buggy version of the SC for some time. Thus, the ASB should check for scopes both in the outer JSON object and in the Extra object.

Version-Release number of selected component (if applicable):
?

How reproducible:
Always

Steps to Reproduce:
1. Use a buggy version of SC with the ASB
2. Send a scoped request to the SC / ASB (any scope that limits the action, such as user:info)

Actual results:
The scope is ignored and the request is authorized.

Expected results:
The scope is not ignored and the request is not authorized.

Additional info:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1539102
[2] https://github.com/kubernetes-incubator/service-catalog/issues/1701
[3] https://github.com/kubernetes-incubator/service-catalog/pull/1702
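The check the report asks for, as an added example written for this page (it is not the ASB's own code and not from any of the linked PRs): the header value is "kubernetes <base64 JSON>", and the parser below collects the OpenShift scope list ("scopes.authorization.openshift.io") from the nested "extra" object, where the fixed catalog puts it, and from the top level of the outer object, where the buggy catalog left it, so a scoped token is not silently treated as unscoped. The sample payloads are constructed, and the Authorized policy (reject any scoped token that does not carry user:full) is an assumption made for the example, not a statement of the ASB's actual authorization rules.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// scopesKey is the OpenShift user-info "extra" key that carries OAuth token scopes.
const scopesKey = "scopes.authorization.openshift.io"

// OriginatingIdentity is the decoded payload of X-Broker-API-Originating-Identity.
type OriginatingIdentity struct {
	Username string              `json:"username"`
	UID      string              `json:"uid"`
	Groups   []string            `json:"groups"`
	Extra    map[string][]string `json:"extra"`
	Scopes   []string            `json:"-"` // collected from both locations, see below
}

// ParseOriginatingIdentity parses "<platform> <base64 JSON>" and gathers scopes
// from the nested "extra" object (correct encoding) AND from the top-level object
// (the encoding produced by the buggy service catalog described in the report).
func ParseOriginatingIdentity(header string) (*OriginatingIdentity, error) {
	parts := strings.SplitN(strings.TrimSpace(header), " ", 2)
	if len(parts) != 2 || parts[0] != "kubernetes" {
		return nil, errors.New("originating identity: expected 'kubernetes <base64 payload>'")
	}
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("originating identity: bad base64: %v", err)
	}
	var id OriginatingIdentity
	if err := json.Unmarshal(raw, &id); err != nil {
		return nil, fmt.Errorf("originating identity: bad JSON: %v", err)
	}
	// Second pass into a generic map so keys the struct does not declare are
	// visible, in particular a scopes key misplaced at the top level.
	var outer map[string]json.RawMessage
	if err := json.Unmarshal(raw, &outer); err != nil {
		return nil, err
	}
	if v, ok := outer[scopesKey]; ok {
		var s []string
		if err := json.Unmarshal(v, &s); err != nil {
			return nil, fmt.Errorf("originating identity: top-level scopes not a string list: %v", err)
		}
		id.Scopes = append(id.Scopes, s...)
	}
	id.Scopes = append(id.Scopes, id.Extra[scopesKey]...) // nil map lookup is safe
	return &id, nil
}

// Authorized applies a policy ASSUMED for this example: an unscoped token keeps the
// user's full permissions; a scoped token is accepted only if it carries user:full.
func Authorized(id *OriginatingIdentity) bool {
	if len(id.Scopes) == 0 {
		return true
	}
	for _, s := range id.Scopes {
		if s == "user:full" {
			return true
		}
	}
	return false
}

func encode(payload string) string {
	return "kubernetes " + base64.StdEncoding.EncodeToString([]byte(payload))
}

// Constructed sample headers (not captured traffic): scopes nested in "extra"
// (fixed catalog), scopes at the top level (buggy catalog), and no scopes at all.
var (
	FixedHeader    = encode(`{"username":"alice","uid":"u1","groups":["system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:info"]}}`)
	BuggyHeader    = encode(`{"username":"alice","uid":"u1","groups":["system:authenticated"],"scopes.authorization.openshift.io":["user:info"]}`)
	UnscopedHeader = encode(`{"username":"alice","uid":"u1","groups":["system:authenticated"]}`)
)

func main() {
	for name, h := range map[string]string{"fixed": FixedHeader, "buggy": BuggyHeader, "unscoped": UnscopedHeader} {
		id, err := ParseOriginatingIdentity(h)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-8s scopes=%v authorized=%v\n", name, id.Scopes, Authorized(id))
	}
}
```

The point of the second Unmarshal into a generic map is that a struct with an `extra` field alone would quietly drop a top-level scopes key, which is exactly how the scope got lost in the report; reading both places costs one extra decode and makes the broker robust against either catalog version.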
PRs posted to fix this are here: https://github.com/openshift/ansible-service-broker/pull/754 https://github.com/openshift/ansible-service-broker/pull/755 https://github.com/openshift/ansible-service-broker/pull/756
This has been built downstream.
http://pkgs.devel.redhat.com/cgit/rpms/ansible-service-broker/commit/?h=rhaos-3.9-asb-rhel-7&id=3b5dc08dc4c26348161b1b58205afe614da23d9c
Checked with

# openshift version
openshift v3.9.0-0.53.0
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.8

and the scope is working for the ASB.

# curl -k -X PUT \
  -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.jq50oK8ge_THyb_QloLEqOCQRVncnGQaDxim7VjFvVKN5u1XHjTSr9zQd40fAm7gwfPvoopq-CHPCylGE1TEr4Lg69EqwOHA_Qb1HDk-BuS3yFI5rnPI96r35PEay_qe-RGQxfH3gHHJVgyh8JkxrvUnYkyYGnrsKwlVn6irQkACnbNLG9ueRdn1Mind4oBWZ9BVU5AoPeNhRu0xit9dbRiDlumiOoGWD81JOkYRbhDM1ezSKmhF0woS989L_sb0ADQRz20YAWQjRECxF_wYywUkCfWC6_sRGquYmSoPVUTJwtNZ-GCm797i_dVVofEhD0XeO7b9bQJD5cM9IMBtOQ' \
  -H 'Content-type: application/json' \
  -H 'Accept: application/json' \
  -H 'X-Broker-API-Originating-Identity: kubernetes eyJncm91cHMiOlsic3lzdGVtOmF1dGhlbnRpY2F0ZWQ6b2F1dGgiLCJzeXN0ZW06YXV0aGVudGljYXRlZCJdLCJleHRyYSI6eyJzY29wZXMuYXV0aG9yaXphdGlvbi5vcGVuc2hpZnQuaW8iOlsidXNlcjppbmZvIl19LCJ1aWQiOiIxOTYwNjY2Zi0xYmEzLTExZTgtYWNjNy00MjAxMGFmMDAwNGQiLCJ1c2VybmFtZSI6IndqaWFuZyJ9' \
  -d '{ "plan_id": "4707f88a2ff96a4ccc3ec34b575dadb1", "service_id": "4d0a933f4c238e80527469e77a406093", "context": { "platform": "kubernetes", "namespace": "wjiang" }, "app_guid":"", "bind_resource":{}, "parameters": {} }' \
  'https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker/v2/service_instances/1d7cf46e-fa7a-48e6-b0cf-111de19bfe75?accepts_incomplete=true'

{ "description": "User does not have sufficient permissions" }
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0489