Bug 1578319 - _apb_last_requesting_user should be in "--extra-vars" while unbinding
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.10.0
Assignee: Jesus M. Rodriguez
QA Contact: Zhang Cheng
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-15 09:19 UTC by Zhang Cheng
Modified: 2018-07-30 19:15 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Automation Broker will now send the last requesting user to the Ansible Playbook Bundles (APB). Reason: Some APBs perform access checks based on the request user. Result: APBs can now see the user that requested the action. They are free to use it for additional authorization checks or simply ignore it if they do not need it.
Clone Of:
Environment:
Last Closed: 2018-07-30 19:15:30 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:1816 | 0 | None | None | None | 2018-07-30 19:15:54 UTC

Description Zhang Cheng 2018-05-15 09:19:54 UTC
Description of problem:
_apb_last_requesting_user is missing from "--extra-vars" while unbinding, but is present while provisioning/binding/updating/deprovisioning.


service-catalog & asb image using images from brew registry:
service catalog v3.10.0-0.41.0;Upstream:v0.1.18
asb: 1.2.11


How reproducible:
Always


Steps to Reproduce:
1. Deploy service-catalog & ansible-service-broker in OCP cluster.
2. Set "keep_namespace: true" and "launch_apb_on_bind: true" in broker config.
   openshift:
     keep_namespace: true
   broker:
     launch_apb_on_bind: true
3. Provision MongoDB APB from web console
4. Create a servicebinding from web console (it should fail here since there is a known bug 1533425)
5. Delete the servicebinding from web console
6. Check the logs of the pod in the transient namespace


Actual results:  
6. No _apb_last_requesting_user in "--extra-vars" while unbinding
# oc logs apb-60e8642d-2503-4268-baae-f61e0da65b71
+ [[ unbind --extra-vars {"_apb_provision_creds":{"DB_HOST":"mongodb","DB_NAME":"sampledb","DB_PASSWORD":"password","DB_PORT":27017,"DB_TYPE":"mongodb","DB_USER":"username"},"cluster":"openshift","namespace":"test1","provision_params":{"MONGODB_ADMIN_PASSWORD":"admin","MONGODB_DATABASE":"sampledb","MONGODB_DATA_STORAGE_SIZE":1,"MONGODB_IMAGE_TAG":"latest","MONGODB_MEMORY_LIMIT":"512Mi","MONGODB_PASSWORD":"password","MONGODB_USER":"username","MONGODB_VERSION":"3.4","USE_UPSTREAM_IMAGES":false,"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"e941924b-5817-11e8-91f9-0a580a800003"}} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]
+ ACTION=unbind


Expected results: 
6. Should have _apb_last_requesting_user in "--extra-vars" while unbinding


Additional info:
Provision/binding/deprovision looks good to me:
+ [[ provision --extra-vars {"MONGODB_ADMIN_PASSWORD":"admin","MONGODB_DATABASE":"sampledb","MONGODB_DATA_STORAGE_SIZE":1,"MONGODB_IMAGE_TAG":"latest","MONGODB_MEMORY_LIMIT":"512Mi","MONGODB_PASSWORD":"password","MONGODB_USER":"username","MONGODB_VERSION":"3.4","USE_UPSTREAM_IMAGES":false,"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"2bd1352a-581a-11e8-91f9-0a580a800003","cluster":"openshift","namespace":"test2"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]

+ [[ bind --extra-vars {"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_provision_creds":{"DB_HOST":"mongodb","DB_NAME":"sampledb","DB_PASSWORD":"password","DB_PORT":27017,"DB_TYPE":"mongodb","DB_USER":"username"},"_apb_service_binding_id":"3e373bbb-5818-11e8-91f9-0a580a800003","_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"e941924b-5817-11e8-91f9-0a580a800003","cluster":"openshift","namespace":"test1"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]

+ [[ deprovision --extra-vars {"MONGODB_ADMIN_PASSWORD":"admin","MONGODB_DATABASE":"sampledb","MONGODB_DATA_STORAGE_SIZE":1,"MONGODB_IMAGE_TAG":"latest","MONGODB_MEMORY_LIMIT":"512Mi","MONGODB_PASSWORD":"password","MONGODB_USER":"username","MONGODB_VERSION":"3.4","USE_UPSTREAM_IMAGES":false,"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_provision_creds":{"DB_HOST":"mongodb","DB_NAME":"sampledb","DB_PASSWORD":"password","DB_PORT":27017,"DB_TYPE":"mongodb","DB_USER":"username"},"_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"2bd1352a-581a-11e8-91f9-0a580a800003","cluster":"openshift","namespace":"test2"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]

Comment 1 Michael Hrivnak 2018-05-15 20:12:07 UTC
Changing the formatting, here is a comparison of unbind vs. deprovision:


### Unbind
{
    "_apb_provision_creds": {
        "DB_HOST": "mongodb",
        "DB_NAME": "sampledb",
        "DB_PASSWORD": "password",
        "DB_PORT": 27017,
        "DB_TYPE": "mongodb",
        "DB_USER": "username"
    },
    "cluster": "openshift",
    "namespace": "test1",
    "provision_params": {
        "MONGODB_ADMIN_PASSWORD": "admin",
        "MONGODB_DATABASE": "sampledb",
        "MONGODB_DATA_STORAGE_SIZE": 1,
        "MONGODB_IMAGE_TAG": "latest",
        "MONGODB_MEMORY_LIMIT": "512Mi",
        "MONGODB_PASSWORD": "password",
        "MONGODB_USER": "username",
        "MONGODB_VERSION": "3.4",
        "USE_UPSTREAM_IMAGES": false,
        "_apb_last_requesting_user": "chezhang",
        "_apb_plan_id": "ephemeral",
        "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
        "_apb_service_instance_id": "e941924b-5817-11e8-91f9-0a580a800003"
    }
}

### Deprovision
{
    "MONGODB_ADMIN_PASSWORD": "admin",
    "MONGODB_DATABASE": "sampledb",
    "MONGODB_DATA_STORAGE_SIZE": 1,
    "MONGODB_IMAGE_TAG": "latest",
    "MONGODB_MEMORY_LIMIT": "512Mi",
    "MONGODB_PASSWORD": "password",
    "MONGODB_USER": "username",
    "MONGODB_VERSION": "3.4",
    "USE_UPSTREAM_IMAGES": false,
    "_apb_last_requesting_user": "chezhang",
    "_apb_plan_id": "ephemeral",
    "_apb_provision_creds": {
        "DB_HOST": "mongodb",
        "DB_NAME": "sampledb",
        "DB_PASSWORD": "password",
        "DB_PORT": 27017,
        "DB_TYPE": "mongodb",
        "DB_USER": "username"
    },
    "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
    "_apb_service_instance_id": "2bd1352a-581a-11e8-91f9-0a580a800003",
    "cluster": "openshift",
    "namespace": "test2"
}

Comment 2 Jesus M. Rodriguez 2018-05-17 21:24:25 UTC
### Provision
{
  "MONGODB_ADMIN_PASSWORD": "admin",
  "MONGODB_DATABASE": "sampledb",
  "MONGODB_DATA_STORAGE_SIZE": 1,
  "MONGODB_IMAGE_TAG": "latest",
  "MONGODB_MEMORY_LIMIT": "512Mi",
  "MONGODB_PASSWORD": "password",
  "MONGODB_USER": "username",
  "MONGODB_VERSION": "3.4",
  "USE_UPSTREAM_IMAGES": false,
  "_apb_last_requesting_user": "admin",
  "_apb_plan_id": "ephemeral",
  "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
  "_apb_service_instance_id": "e89d18e3-5a12-11e8-8874-0242ac11000a",
  "cluster": "openshift",
  "namespace": "blog-project"
}


### Bind
{
  "_apb_last_requesting_user": "admin",
  "_apb_plan_id": "ephemeral",
  "_apb_provision_creds": {
    "DB_HOST": "mongodb",
    "DB_NAME": "sampledb",
    "DB_PASSWORD": "password",
    "DB_PORT": 27017,
    "DB_TYPE": "mongodb",
    "DB_USER": "username"
  },
  "_apb_service_binding_id": "0559d887-5a14-11e8-8874-0242ac11000a",
  "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
  "_apb_service_instance_id": "e89d18e3-5a12-11e8-8874-0242ac11000a",
  "cluster": "openshift",
  "namespace": "blog-project"
}

Including the unbind output from my current run to match the above information:

### Unbind
{
  "_apb_provision_creds": {
    "DB_HOST": "mongodb",
    "DB_NAME": "sampledb",
    "DB_PASSWORD": "password",
    "DB_PORT": 27017,
    "DB_TYPE": "mongodb",
    "DB_USER": "username"
  },
  "cluster": "openshift",
  "namespace": "blog-project",
  "provision_params": {
    "MONGODB_ADMIN_PASSWORD": "admin",
    "MONGODB_DATABASE": "sampledb",
    "MONGODB_DATA_STORAGE_SIZE": 1,
    "MONGODB_IMAGE_TAG": "latest",
    "MONGODB_MEMORY_LIMIT": "512Mi",
    "MONGODB_PASSWORD": "password",
    "MONGODB_USER": "username",
    "MONGODB_VERSION": "3.4",
    "USE_UPSTREAM_IMAGES": false,
    "_apb_last_requesting_user": "admin",
    "_apb_plan_id": "ephemeral",
    "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
    "_apb_service_instance_id": "e89d18e3-5a12-11e8-8874-0242ac11000a"
  }
}

Comment 3 Jesus M. Rodriguez 2018-05-18 02:10:10 UTC
Fixed in PR 959
https://github.com/openshift/ansible-service-broker/pull/959

{
  "_apb_last_requesting_user": "admin",
  "_apb_plan_id": "85f2cc9b1c440e49dce41f2939dca1d2",
  "_apb_provision_creds": {
    "DB_HOST": "mongodb",
    "DB_NAME": "sampledb",
    "DB_PASSWORD": "password",
    "DB_PORT": 27017,
    "DB_TYPE": "mongodb",
    "DB_USER": "username"
  },
  "_apb_service_binding_id": "9b4aa09c-5a3f-11e8-9f5c-0242ac11000a",
  "_apb_service_instance_id": "b8107972-5a3e-11e8-9f5c-0242ac11000a",
  "cluster": "openshift",
  "namespace": "blog-project",
  "provision_params": {
    "MONGODB_ADMIN_PASSWORD": "admin",
    "MONGODB_DATABASE": "sampledb",
    "MONGODB_DATA_STORAGE_SIZE": 1,
    "MONGODB_IMAGE_TAG": "latest",
    "MONGODB_MEMORY_LIMIT": "512Mi",
    "MONGODB_PASSWORD": "password",
    "MONGODB_USER": "username",
    "MONGODB_VERSION": "3.4",
    "USE_UPSTREAM_IMAGES": false,
    "_apb_last_requesting_user": "admin",
    "_apb_plan_id": "ephemeral",
    "_apb_service_class_id": "e9c042c4925dd0c7c25ceca4f5179e1c",
    "_apb_service_instance_id": "b8107972-5a3e-11e8-9f5c-0242ac11000a"
  }
}

Comment 4 Jesus M. Rodriguez 2018-05-18 02:13:46 UTC
Also fixed in master by PR 960
https://github.com/openshift/ansible-service-broker/pull/960

Comment 5 Zhang Cheng 2018-05-22 09:23:47 UTC
Changing status to Modified since the downstream image is not ready. The latest is currently asb 1.2.12.

Comment 7 David Zager 2018-05-24 17:32:35 UTC
https://errata.devel.redhat.com/advisory/33505 moved to QE

openshift-enterprise-asb-container-v3.10.0-0.51.0.1
openshift-enterprise-mediawiki-apb-v3.10.0-0.51.0.1
openshift-enterprise-postgresql-apb-v3.10.0-0.51.0.1
openshift-enterprise-mysql-apb-v3.10.0-0.51.0.1
openshift-enterprise-mariadb-apb-v3.10.0-0.51.0.1
openshift-enterprise-apb-tools-v3.10.0-0.32.0.2

Comment 8 Zhang Cheng 2018-05-29 09:45:51 UTC
Verified and passed with asb:1.2.14

{"_apb_last_requesting_user":"chezhang","_apb_plan_id":"85f2cc9b1c440e49dce41f2939dca1d2","_apb_provision_creds":{"DB_HOST":"mongodb","DB_NAME":"sampledb","DB_PASSWORD":"password","DB_PORT":27017,"DB_TYPE":"mongodb","DB_USER":"username"},"_apb_service_binding_id":"3f168d2f-6321-11e8-a7d4-0a580a80000c","_apb_service_instance_id":"eeb54a0c-6320-11e8-a7d4-0a580a80000c","cluster":"openshift","namespace":"mongo","provision_params":{"MONGODB_ADMIN_PASSWORD":"admin","MONGODB_DATABASE":"sampledb","MONGODB_DATA_STORAGE_SIZE":1,"MONGODB_IMAGE_TAG":"latest","MONGODB_MEMORY_LIMIT":"512Mi","MONGODB_PASSWORD":"password","MONGODB_USER":"username","MONGODB_VERSION":"3.4","USE_UPSTREAM_IMAGES":false,"_apb_last_requesting_user":"chezhang","_apb_plan_id":"ephemeral","_apb_service_class_id":"e9c042c4925dd0c7c25ceca4f5179e1c","_apb_service_instance_id":"eeb54a0c-6320-11e8-a7d4-0a580a80000c"}}
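
A check for the condition this report describes, as an added example that is not part of the original thread or the broker's code: it parses the `--extra-vars` trace lines from an APB pod log and reports whether `_apb_last_requesting_user` is a top-level variable or only present inside `provision_params`. The function names and the sample log (constructed, abbreviated from the payload shapes shown in this report) are assumptions.

```python
import json
import re

USER_KEY = "_apb_last_requesting_user"
# Shape of the shell trace line in the APB pod log, as quoted in this report.
TRACE = re.compile(r"^\+ \[\[ (\w+) --extra-vars (\{.*\}) == ")


def parse_trace(line):
    """Return (action, extra_vars dict) for an entrypoint trace line, else None."""
    m = TRACE.match(line)
    if not m:
        return None
    try:
        return m.group(1), json.loads(m.group(2))
    except ValueError:
        return None  # truncated or non-JSON payload in the log


def requesting_user_status(extra_vars):
    """Classify where the requesting user appears in one --extra-vars payload."""
    if USER_KEY in extra_vars:
        return "top-level"
    nested = extra_vars.get("provision_params")
    if isinstance(nested, dict) and USER_KEY in nested:
        return "nested-only"  # the pre-fix unbind shape from this report
    return "absent"


def audit(log_text):
    """Return [(action, status), ...] for every trace line found in the log."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_trace(line)
        if parsed:
            action, extra_vars = parsed
            results.append((action, requesting_user_status(extra_vars)))
    return results


# Constructed sample log, abbreviated from the payload shapes in this report.
SAMPLE_LOG = r'''
+ [[ bind --extra-vars {"_apb_last_requesting_user":"alice","cluster":"openshift","namespace":"demo"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]
+ [[ unbind --extra-vars {"cluster":"openshift","namespace":"demo","provision_params":{"_apb_last_requesting_user":"alice"}} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]
+ ACTION=unbind
'''

if __name__ == "__main__":
    for action, status in audit(SAMPLE_LOG):
        print(f"{action}: {status}")
```

An action reported as `nested-only` or `absent` is one where an APB reading the top-level variable for its access check would not see the requesting user.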

Comment 10 errata-xmlrpc 2018-07-30 19:15:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816

