Created attachment 1426979: normal user home page 403 error

Description of problem:
Normal user meets "Failed to list .../servicecatalog.k8s.io/v1beta1 (status 403)" in home page. After granting cluster-admin to the user, the error is not met again.

Version-Release number of selected component (if applicable):
OpenShift Master: v3.10.0-0.29.0
Kubernetes Master: v1.10.0+b81c8f8
OpenShift Web Console: v3.10.0-0.29.0

How reproducible:
Always

Steps to Reproduce:
1. Normal user logs in to web console
2. Grant cluster-admin to the user, repeat above step

Actual results:
1. Meet:
An error occurred connecting to the server.
Failed to list clusterserviceplans/servicecatalog.k8s.io/v1beta1 (status 403)
Failed to list clusterserviceclasses/servicecatalog.k8s.io/v1beta1 (status 403)
2. Error gone

Expected results:
1. Should not have the error.

Additional info:
Given master version v3.10.0-0.29.0, change web console image tag to v3.10.0-0.28.0, error still happens. But env of below version matrix doesn't meet the error:
OpenShift Master: v3.10.0-0.28.0
OpenShift Web Console: v3.10.0-0.28.0
In the backend, running the command as a normal user got the following error.

[zitang@dhcp-140-42 ~]$ oc get clusterserviceclass
Error from server (Forbidden): clusterserviceclasses.servicecatalog.k8s.io is forbidden: User "zitang2" cannot list clusterserviceclasses.servicecatalog.k8s.io at the cluster scope: User "zitang2" cannot list all clusterserviceclasses.servicecatalog.k8s.io in the cluster
FYI
# oc get clusterrolebindings servicecatalog-serviceclass-viewer-binding -o yaml
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2018-04-26T02:39:10Z
  name: servicecatalog-serviceclass-viewer-binding
  resourceVersion: "9803"
  selfLink: /apis/authorization.openshift.io/v1/clusterrolebindings/servicecatalog-serviceclass-viewer-binding
  uid: ffa01749-48fa-11e8-8ab2-0eddbd40f1c2
roleRef:
  name: servicecatalog-serviceclass-viewer
subjects:
- kind: SystemGroup
  name: system:authenticated
userNames: null

Workaround as follows:
oc patch clusterrolebindings servicecatalog-serviceclass-viewer-binding -p '{"groupNames": ["system:authenticated"]}'
or
oc patch clusterrolebindings servicecatalog-serviceclass-viewer-binding -p '{"groupNames": ["system:authenticated:oauth"]}'
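The binding above lists `system:authenticated` under `subjects` while `groupNames` is still `null`, and the workaround populates `groupNames` by hand. The following is an added audit helper, not code from this bug report or from OpenShift: it takes a legacy `authorization.openshift.io/v1` binding (here a constructed dict mirroring the YAML above), reports subjects that are not mirrored in `groupNames`/`userNames`, and generates the same merge-patch body the workaround passes to `oc patch -p`. Mapping `SystemGroup`/`Group` subjects to `groupNames` and `SystemUser`/`User` subjects to `userNames` is an assumption of this example.

```python
import json

# Constructed sample mirroring the binding shown in the bug report:
# subjects is populated but the legacy groupNames/userNames lists are null.
SAMPLE_BINDING = {
    "apiVersion": "authorization.openshift.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "servicecatalog-serviceclass-viewer-binding"},
    "roleRef": {"name": "servicecatalog-serviceclass-viewer"},
    "subjects": [{"kind": "SystemGroup", "name": "system:authenticated"}],
    "groupNames": None,
    "userNames": None,
}

# Assumed mapping of subject kinds to the legacy name lists.
GROUP_KINDS = {"SystemGroup", "Group"}
USER_KINDS = {"SystemUser", "User"}


def find_missing_names(binding):
    """Return (missing_groups, missing_users): subject names that do not
    appear in the binding's groupNames / userNames lists."""
    groups = set(binding.get("groupNames") or [])
    users = set(binding.get("userNames") or [])
    missing_groups, missing_users = [], []
    for subj in binding.get("subjects") or []:
        kind, name = subj.get("kind"), subj.get("name")
        if kind in GROUP_KINDS and name not in groups:
            missing_groups.append(name)
        elif kind in USER_KINDS and name not in users:
            missing_users.append(name)
    return missing_groups, missing_users


def build_patch(binding):
    """Build the merge-patch JSON the workaround uses with `oc patch ... -p`,
    appending missing names to the existing lists.  Returns None when the
    binding is already consistent and needs no patch."""
    missing_groups, missing_users = find_missing_names(binding)
    if not missing_groups and not missing_users:
        return None
    patch = {}
    if missing_groups:
        patch["groupNames"] = list(binding.get("groupNames") or []) + missing_groups
    if missing_users:
        patch["userNames"] = list(binding.get("userNames") or []) + missing_users
    return json.dumps(patch, sort_keys=True)


if __name__ == "__main__":
    name = SAMPLE_BINDING["metadata"]["name"]
    patch = build_patch(SAMPLE_BINDING)
    if patch is None:
        print(f"{name}: subjects and name lists are consistent")
    else:
        print(f"oc patch clusterrolebindings {name} -p '{patch}'")
```

Feeding it `oc get clusterrolebindings <name> -o json` output (after `json.load`) lets a cluster admin spot every legacy binding whose `subjects` are not reflected in the name lists before users start seeing 403s, rather than discovering them one failing page at a time.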
I have a PR to fix this when the cluster is created with oc cluster up: https://github.com/openshift/origin/pull/19460 Was this found on a cluster created with oc cluster up or with the installer?
It was found on env created with ansible installer
Your PR is not merged yet. Tried oc cluster up env (via oc v3.10.0-0.30.0), it also reproduces the bug.
My PR has merged now so this should be fixed for oc cluster up; I've created 1573222 as a duplicate of this bug to handle ensuring this is fixed for openshift-ansible.
Changing QA contact to xingxing Xia since he is the reporter.
Verified in oc v3.10.0-0.47.0. Normal user can run `oc get clusterserviceclass`. And cluster-admin `oc get clusterrolebindings servicecatalog-serviceclass-viewer-binding -o yaml` shows correct:
...
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816