Bug 1564269 - add list istags at cluster scope to dedicated-admin role in openshift dedicated.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: RFE
Version: 3.x
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Abhishek Gupta
QA Contact: yasun
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-05 20:58 UTC by Brian Cook
Modified: 2018-05-29 14:12 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-29 14:12:51 UTC
Target Upstream Version:
Embargoed:



Description Brian Cook 2018-04-05 20:58:58 UTC
Description of problem:

We need permission to list / watch imagestream tags at cluster scope for dedicated-admin role in order to trigger certification scans.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. try to list istags for cluster
2. 
3.

Actual results:
get told that user cannot list istags for entire cluster.

Expected results:
successfully list istags for entire cluster.

Additional info:

Comment 1 Patrick Easters 2018-04-16 16:53:18 UTC
Per request of Will, I'm also noting here that we'd like the ability to view these resources at a cluster level as well:
builds
buildconfigs

We've sufficiently worked around the need for is/istags, but cluster-wide GET access for builds would be great.

Comment 4 Bing Li 2018-04-19 09:53:45 UTC
Verified this bug on OCP 3.9: 

User will be able to check the images/imagestreamtags/builds/buildconfigs at cluster scope after being granted the "dedicated-cluster-admin" clusterrole:

Before being granted "dedicated-cluster-admin":

$ oc get imagestreamtags --all-namespaces 
Error from server (Forbidden): imagestreamtags.image.openshift.io is forbidden: User "bingli" cannot list imagestreamtags.image.openshift.io at the cluster scope: User "bingli" cannot list all imagestreamtags.image.openshift.io in the cluster

$ oc get image --all-namespaces 
Error from server (Forbidden): images.image.openshift.io is forbidden: User "bingli" cannot list images.image.openshift.io at the cluster scope: User "bingli" cannot list all images.image.openshift.io in the cluster

$ oc get build --all-namespaces 
Error from server (Forbidden): builds.build.openshift.io is forbidden: User "bingli" cannot list builds.build.openshift.io at the cluster scope: User "bingli" cannot list all builds.build.openshift.io in the cluster

$ oc get bc --all-namespaces 
Error from server (Forbidden): buildconfigs.build.openshift.io is forbidden: User "bingli" cannot list buildconfigs.build.openshift.io at the cluster scope: User "bingli" cannot list all buildconfigs.build.openshift.io in the cluster


After being granted "dedicated-cluster-admin":

# oc adm policy add-cluster-role-to-user dedicated-cluster-admin bingli
cluster role "dedicated-cluster-admin" added: "bingli"

$ oc get imagestreamtags --all-namespaces | wc -l
138
$ oc get image --all-namespaces | wc -l
122
$ oc get build --all-namespaces | wc -l
2
$ oc get bc --all-namespaces | wc -l
2

Comment 5 Will Gordon 2018-04-19 13:13:04 UTC
Hello Bing Li,

Would you please verify this against a 3.7 cluster as well?

Thank you!

Comment 6 Bing Li 2018-04-20 03:20:31 UTC
Verified on OCP 3.7:

User is able to get images/imagestreamtags/builds/buildconfigs at cluster scope after being granted the "dedicated-cluster-admin" clusterrole:

$ oc get imagestreamtags --all-namespaces | wc -l
130
$ oc get image --all-namespaces | wc -l
$ oc get build --all-namespaces | wc -l
5
$ oc get bc --all-namespaces | wc -l
5
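
A repeatable form of the before/after check shown in comments 4 and 6, as an added example that is not part of the bug thread or of OpenShift itself. It assumes an `oc` client that provides `oc auth can-i` and a caller permitted to impersonate users with `--as`; the function name `check_cluster_reads` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug thread. Assumes an `oc` client that provides
# `oc auth can-i` and a caller allowed to impersonate users via --as.

# Resources the thread verifies, written as <resource>.<api group>.
RESOURCES="imagestreamtags.image.openshift.io images.image.openshift.io builds.build.openshift.io buildconfigs.build.openshift.io"

# check_cluster_reads USER [VERB...]
# Prints one "allowed|denied <verb> <resource>" line per check and returns 1
# if any check was denied. Default verbs are list and watch, the two the
# original request asks for.
check_cluster_reads() {
    user=$1
    shift
    [ $# -gt 0 ] || set -- list watch
    denied=0
    for verb in "$@"; do
        for res in $RESOURCES; do
            # can-i prints "yes" or "no" and exits non-zero on "no";
            # "|| true" keeps the loop going under `set -e`.
            answer=$(oc auth can-i "$verb" "$res" --all-namespaces --as "$user" 2>/dev/null) || true
            if [ "$answer" = "yes" ]; then
                echo "allowed $verb $res"
            else
                echo "denied $verb $res"
                denied=1
            fi
        done
    done
    return "$denied"
}

# Run only when a user name is passed on the command line.
if [ $# -gt 0 ]; then
    check_cluster_reads "$@"
fi
```

Passing extra verbs (for example `delete`) and expecting a non-zero exit is a quick way to confirm the role grants the cluster-wide reads without also granting writes.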

