Bug 1569348 - [atomic registry] support to add role to service account as member
Summary: [atomic registry] support to add role to service account as member
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Registry Console
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 3.10.z
Assignee: Martin Pitt
QA Contact: Yanping Zhang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-19 06:26 UTC by Xingxing Xia
Modified: 2018-09-22 04:56 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2018-09-22 04:55:14 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2660 0 None None None 2018-09-22 04:56:04 UTC

Description Xingxing Xia 2018-04-19 06:26:24 UTC
Description of problem:
On registry console, add role to service account, e.g. system:serviceaccount:xxia-proj:default, it will prompt 'member name contains invalid characters'. It should support service account.

Version-Release number of selected component (if applicable):
cockpit 154

How reproducible:
Always

Steps to Reproduce:
1. On registry console, create project. Click nav menu 'Projects', select the project, click 'Add Member'.

2. In the dialogue, input system:serviceaccount:xxia-proj-2:default and select role Pull, click 'Add'


Actual results:
2. It prompts:
The member name contains invalid characters. Only letters, numbers, spaces and the following symbols are allowed: , = @ . _

Expected results:
2. It should support adding service account

Additional info:

Comment 1 Martin Pitt 2018-04-24 07:43:10 UTC
Upstream PR to fix this: https://github.com/cockpit-project/cockpit/pull/9033

Comment 2 Martin Pitt 2018-04-25 08:59:57 UTC
Setting a tentative target release. Xingxing or anyone else, please adjust as you see fit.

Comment 4 Xingxing Xia 2018-05-16 08:21:48 UTC
Checked the latest registry console in OCP 3.10 env, issue still exists.
The env uses below image as registry console:
registry.reg...com:443/openshift3/registry-console              v3.10               eaca67e14beb        11 hours ago        243 MB

# oc rsh registry-console-1-phbmc rpm -qa | grep "cockpit"
cockpit-ws-155-1.el7.x86_64
cockpit-dashboard-165-3.el7.x86_64
cockpit-system-155-1.el7.noarch
cockpit-bridge-155-1.el7.x86_64
cockpit-kubernetes-155-1.el7.x86_64

Martin, looks like the fix does not yet land in latest registry-console image, which version will it land in?

Comment 5 Martin Pitt 2018-05-23 07:13:46 UTC
@Xingxing: The fix is in upstream release 167.

Comment 6 Yanping Zhang 2018-07-04 08:47:27 UTC
Checked on OCP v3.10.12, the bug still exists.

Here are the related info about registry console:
# docker images|grep registry-console
registry.reg-aws.openshift.com:443/openshift3/registry-console              v3.10               21a0d79b97e6        9 hours ago         255 MB

# oc rsh registry-console-1-v9c5f rpm -qa|grep cockpit
cockpit-bridge-155-1.el7.x86_64
cockpit-kubernetes-155-1.el7.x86_64
cockpit-ws-155-1.el7.x86_64
cockpit-dashboard-169-1.el7.x86_64
cockpit-system-155-1.el7.noarch

# rpm -qa|grep cockpit
cockpit-system-169-1.el7.noarch
cockpit-docker-169-1.el7.x86_64
cockpit-bridge-169-1.el7.x86_64
cockpit-ostree-169-1.el7.x86_64

@Martin, the packages versions vary from 155 to 169, which cockpit package exactly has relation to the bug? If non of above packages contains the fix, could you pls ask someone to prepare an ocp build containing the cockpit fix.

Comment 7 Martin Pitt 2018-07-04 09:45:15 UTC
@Yanping: The fix is in cockpit-kubernetes. You need version 167 or later, you have 155.

Comment 9 Yanping Zhang 2018-07-19 06:33:41 UTC
Checked on OCP v3.10.18, the bug still exists, and cockpit packages are still old versions.
# oc rsh registry-console-1-45qmh rpm -qa|grep cockpit
cockpit-ws-154-3.el7.x86_64
cockpit-dashboard-169-1.el7.x86_64
cockpit-system-154-3.el7.noarch
cockpit-bridge-154-3.el7.x86_64
cockpit-kubernetes-155-1.el7.x86_64

Samuel,
Could we remove this bug from advisory 33464? since no build contains the fix.

Comment 12 Yadan Pei 2018-07-24 02:54:16 UTC
The 3.10.14 going to ship in 33464 don't include cockpit-kubernetes >=167, we can't verify it now and need drop this bug from the advisory

Comment 17 Yadan Pei 2018-09-10 03:09:33 UTC
1. Create project "yapei-test"
2. Projects -> Add Member -> Add Pull role to serviceaccount system:serviceaccount:yapei-test:default
3. Check if rolebinding is added
# oc get rolebinding -n yapei-test
NAME                    ROLE                    USERS                                    GROUPS                            SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  yapei                                                                                         
registry-admin          /registry-admin         yapei                                                                                         
registry-viewer         /registry-viewer        system:serviceaccount:yapei-test:default                                                        


role was added to serviceaccount successfully

Verified on openshift v3.11.0-0.32.0 and cockpit 176

# oc rsh -n default registry-console-1-v5pqm
sh-4.2$ rpm -qa | grep cockpit
cockpit-bridge-176-2.el7.x86_64
cockpit-kubernetes-176-2.el7.x86_64
cockpit-ws-176-2.el7.x86_64
cockpit-dashboard-176-2.el7.x86_64
cockpit-system-176-2.el7.noarch

Comment 19 errata-xmlrpc 2018-09-22 04:55:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2660


Note You need to log in before you can comment on or make changes to this bug.