Bug 1623416

Summary: Users who own the namespace don't have access to the servicebroker
Product: OpenShift Container Platform
Reporter: Zihan Tang <zitang>
Component: Service Catalog
Assignee: Marko Luksa <mluksa>
Status: CLOSED ERRATA
QA Contact: Zihan Tang <zitang>
Severity: medium
Priority: medium
Version: 3.11.0
CC: chezhang, jaboyd, jfan, jiazha
Target Release: 3.11.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-10-11 07:25:55 UTC
Type: Bug

Description Zihan Tang 2018-08-29 10:09:36 UTC
Description of problem:
After provisioning a namespaced broker in a normal user's project, this user does not have access to servicebroker, serviceclass, serviceplan, bundles, bundlebindings, bundleinstance

Version-Release number of selected component (if applicable):
asb 1.3.14
openshift v3.11.0-0.24.0
service-catalog: v3.11.0-0.24.0;Upstream:v0.1.29

How reproducible:
always

Steps to Reproduce:
1. using normal user (test1) to create a project test-ns-broker
$ oc new-project test-ns-broker

2. switch cluster-admin user, install servicebroker in project test-ns-broker
# cat install.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: automation-broker-apb

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: automation-broker-apb
  namespace: automation-broker-apb

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: automation-broker-apb
roleRef:
  name: cluster-admin
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: automation-broker-apb
  namespace: automation-broker-apb
---
apiVersion: v1
kind: Pod
metadata:
  name: automation-broker-apb
  namespace: automation-broker-apb
spec:
  serviceAccount: automation-broker-apb
  containers:
    - name: apb
      image: $brew/automation-broker-apb:v3.11.0
      args: [ "provision", "--extra-vars", '{"broker_kind": "ServiceBroker", "broker_namespace": "test-ns-broker", "create_broker_namespace": "false" }' ]
      imagePullPolicy: IfNotPresent
  restartPolicy: Never

3. change the broker cm to use a valid registry and restart the automation-broker pod.
4. check servicebroker, serviceclass etc. resources as user test1

Actual results:
user test1 does not have access to these resources
$ oc get servicebroker
Error from server (Forbidden): servicebrokers.servicecatalog.k8s.io is forbidden: User "test1" cannot list servicebrokers.servicecatalog.k8s.io in the namespace "test-ns-broker": no RBAC policy matched

$ oc get serviceclass
Error from server (Forbidden): serviceclasses.servicecatalog.k8s.io is forbidden: User "test1" cannot list serviceclasses.servicecatalog.k8s.io in the namespace "test-ns-broker": no RBAC policy matched
$ oc get bundles
Error from server (Forbidden): bundles.automationbroker.io is forbidden: User "test1" cannot list bundles.automationbroker.io in the namespace "test-ns-broker": no RBAC policy matched
[zitang@localhost cucushift]$ oc get serviceinstance


Expected results:
user test1 should have access to the resources:
servicebroker, serviceclass, serviceplan, bundles,bundlebindings, bundleinstance

Additional info:
the cluster admin user has access to the above resources:
[root@qe-zitang-r4-master-etcd-1 ~]# oc get serviceclass
NAME                               CREATED AT
0300d1ae1841c23a9df0a179ad0605fd   2018-08-29T09:47:17Z
0e5dbb6592fec99057f94fbb095ec558   2018-08-29T09:47:17Z
48749329dd289591e11ba737f15fc71b   2018-08-29T09:47:17Z
bd8dff760b959264f3ab38d42ba5e7a8   2018-08-29T09:47:17Z

[root@qe-zitang-r4-master-etcd-1 ~]# oc get servicebroker
NAME                CREATED AT
automation-broker   2018-08-29T09:47:17Z

[root@qe-zitang-r4-master-etcd-1 ~]# oc get serviceplan
NAME                               CREATED AT
13c71553b0a928973ee3b952925bd8d1   2018-08-29T09:47:18Z
769cd9fc474907ec246c31e57af854c6   2018-08-29T09:47:17Z
974e712954c94d227587145ed0ad6def   2018-08-29T09:47:17Z
9c61ad7a5941bb66e3e825b318f503de   2018-08-29T09:47:17Z
ec2ec47fc1b441f6c6a190cb101365dd   2018-08-29T09:47:17Z
ef2f54762d191068e4a0db2b233576ae   2018-08-29T09:47:17Z
f176715576e70574cda5835172b06403   2018-08-29T09:47:17Z

Comment 1 Jay Boyd 2018-08-29 15:04:29 UTC
Note that bundles, bundlebindings, bundleinstance RBAC is not handled by Service Catalog. Please open a BZ issue against Ansible Service Broker if there is a problem with those resources.

Comment 2 Jay Boyd 2018-08-29 15:46:20 UTC
I discussed with Paul and wanted to summarize how I understand privileges should work on the namespace scoped broker resources:

1)  a NS Owner (Admin) should be able to create/update/delete Brokers/Classes/Plans
2)  non NS Owners within the ns can just get/list/watch Brokers/Classes/Plans
3)  everyone within the NS should have full privs on Instances & Bindings

Comment 3 Zihan Tang 2018-09-04 02:37:27 UTC
Jay, Marko

Since this blocks testing for the namespaced broker, I am adding the TestBlocker tag; please fix it with priority.

Besides, can you provide a workaround to grant the required access to a normal user for a namespaced broker? Thanks.

cc @jiazha

Comment 4 Marko Luksa 2018-09-04 17:14:11 UTC
PR: https://github.com/openshift/origin/pull/20852

Until the PR is merged, the workaround is to do the following:

1. oc login -u system:admin
2. oc edit clusterrole system:openshift:service-catalog:aggregate-to-admin
3. in the text editor, add "servicebrokers", "serviceclasses", "serviceplans" to the rule that has apiGroups: - servicecatalog.k8s.io
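The workaround above edits the aggregated admin role by hand. As an added example (not the content of the linked PRs and not OpenShift's own role definitions), the following ClusterRoles lay out the privilege model Jay summarized in comment 2 using the standard Kubernetes RBAC aggregation labels, so the rules are folded into the built-in admin, edit and view roles that a project owner and its members already hold. The role names are chosen for this example; the view role is given read-only access to instances and bindings here as a least-privilege choice, which is narrower than the "everyone has full privs" wording in comment 2.

```yaml
# Added example: aggregated ClusterRoles implementing the model from comment 2.
# Role names are illustrative; the real OpenShift roles are named
# system:openshift:service-catalog:aggregate-to-{admin,edit,view}.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-service-catalog-aggregate-to-admin
  labels:
    # Rules are merged into the built-in "admin" role, which the namespace
    # owner receives through the project's admin rolebinding.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
# (1) namespace owner: create/update/delete namespaced brokers, classes, plans
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["servicebrokers", "serviceclasses", "serviceplans"]
  verbs: ["create", "update", "patch", "delete", "get", "list", "watch"]
# (3) full privileges on instances and bindings
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["serviceinstances", "servicebindings"]
  verbs: ["create", "update", "patch", "delete", "get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-service-catalog-aggregate-to-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
# (2) non-owners with edit: read-only on brokers, classes, plans
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["servicebrokers", "serviceclasses", "serviceplans"]
  verbs: ["get", "list", "watch"]
# (3) full privileges on instances and bindings
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["serviceinstances", "servicebindings"]
  verbs: ["create", "update", "patch", "delete", "get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-service-catalog-aggregate-to-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
# view: read-only on everything (narrower than comment 2 for instances/bindings)
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["servicebrokers", "serviceclasses", "serviceplans",
              "serviceinstances", "servicebindings"]
  verbs: ["get", "list", "watch"]
```

After applying such roles as a cluster admin, the reporter's failing check can be re-run without switching users via impersonation, e.g. `oc auth can-i list servicebrokers --as=test1 -n test-ns-broker`, which should answer `yes` for the project owner and `no` for a user who holds no role in the project; the same command with `create` distinguishes the owner (admin) from a member holding only edit or view.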

Comment 5 Marko Luksa 2018-09-04 17:25:19 UTC
PR #2: https://github.com/openshift/openshift-ansible/pull/9907

Comment 6 Zihan Tang 2018-09-05 03:35:10 UTC
The workaround is ok for us. Removing the TestBlocker keyword, thanks!

Comment 7 Marko Luksa 2018-09-05 05:21:29 UTC
Both PRs have been merged.

Comment 9 Zihan Tang 2018-09-06 06:55:41 UTC
Verified.
openshift-ansible-3.11.0-0.25.0
openshift v3.11.0-0.28.0

servicebroker, serviceclass, serviceplan privileges are added to
service-catalog:aggregate-to-admin
service-catalog:aggregate-to-edit
service-catalog:aggregate-to-view

Comment 11 errata-xmlrpc 2018-10-11 07:25:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652