Bug 1661151 - Normal user can not list clusterserviceclass/clusterserviceplan
Summary: Normal user can not list clusterserviceclass/clusterserviceplan
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Catalog
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
: 4.1.0
Assignee: Dan Geoffroy
QA Contact: Jian Zhang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-20 08:05 UTC by Zihan Tang
Modified: 2019-06-04 10:41 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:41:27 UTC
Target Upstream Version:


Attachments (Terms of Use)
rbac yaml that adds missing roles and bindings allowing non-system users to work with Service Catalog objects (2.17 KB, text/plain)
2019-01-18 14:54 UTC, Jay Boyd
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 None None None 2019-06-04 10:41:32 UTC

Description Zihan Tang 2018-12-20 08:05:03 UTC
Description of problem:
In next-gen installer env, a normal user can not list clusterserviceclass and clusterserviceplan resource from automation-broker

Version-Release number of selected component (if applicable):
openshift-install v0.7.0
service-catalog: v4.0.0-v0.1.38+7a95e74-2-dirty;Upstream:v0.1.3
OLM: 0.8.0
asb-operator: docker.io/automationbroker/automation-broker-operator@sha256:5081a4c0d63b14235073389160e5536f86435d844dc64e598667352f0a378440
asb: 1.3.20

How reproducible:
always

Steps to Reproduce:
1. install okd 4.0 by next-gen installer
2. install service-catalog from OLM
3. install automation-broker from OLM
4. check clusterserviceclass and clusterserviceplan resource as system:admin

# oc get clusterserviceclass
NAME                                   EXTERNAL-NAME              BROKER                    AGE
08ccf37be271fba38b1a70f87302297f       dh-rhpam-apb               automation-broker         53m
09628db4757fd1a2db85d465106b9f82       dh-gluster-s3-apb          automation-broker         53m
0e991006d21029e47abe71acc255e807       dh-pyzip-demo-apb          automation-broker         53m

5. workaround for allowall idp 4.0 oauthconfig 
# oc patch kubeapiserveroperatorconfig instance -p '{"spec":{"unsupportedConfigOverrides": {"oauthConfig": {"identityProviders": [{"challenge": true,"login": true,"name": "anypassword","provider": {"apiVersion": "v1","kind": "AllowAllPasswordIdentityProvider"}}],"masterCA": "/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt","masterPublicURL": "${url-see note}","masterURL": "${url-see note}"}}}}' --type merge  
note: url == $(oc --config="$KUBECONFIG" status | grep -o 'https.*')

6. login as normal user and check resource
You have one project on this server: "zitang"
Using project "zitang".
[zitang@localhost ~]$ oc get clusterserviceclass
No resources found.
Error from server (Forbidden): clusterserviceclasses.servicecatalog.k8s.io is forbidden: User "zitang" cannot list clusterserviceclasses.servicecatalog.k8s.io at the cluster scope: no RBAC policy matched
[zitang@localhost ~]$ oc get clusterserviceplan
No resources found.
Error from server (Forbidden): clusterserviceplans.servicecatalog.k8s.io is forbidden: User "zitang" cannot list clusterserviceplans.servicecatalog.k8s.io at the cluster scope: no RBAC policy matched

Actual results:
can not get clusterserviceclass and plan resouce as normal user

Expected results:
normal user can list clusterserviceclass and plan

Additional info:

Comment 1 Jian Zhang 2018-12-20 09:32:12 UTC
Zihan,

> service-catalog: v4.0.0-v0.1.38+7a95e74-2-dirty;Upstream:v0.1.3
> OLM: 0.8.0
Please paste the intact version info. For OLM, please post the git commit info.

I think the root cause is that these `clusterserviceclass` lack of the `annotations: xxx/scope:clusterwide` info.
So, please paste related info in here:
1, The namespace of the Service Catalog running.
2, The OperatorGroup object in the namespace which Service Catalog running.
$oc get operatorgroup xxx -o yaml
3, The detailed info of the `clusterserviceclass`. For example,
$oc get clusterserviceclass xxx -o yaml

Comment 2 Zihan Tang 2018-12-20 09:41:05 UTC
(In reply to Jian Zhang from comment #1)
> Zihan,
> 
> > service-catalog: v4.0.0-v0.1.38+7a95e74-2-dirty;Upstream:v0.1.3
> > OLM: 0.8.0
> Please paste the intact version info. For OLM, please post the git commit
> info.
OLM version: 0.8.0
git commit: efcc72c

> I think the root cause is that these `clusterserviceclass` lack of the
> `annotations: xxx/scope:clusterwide` info.
> So, please paste related info in here:
> 1, The namespace of the Service Catalog running.
kube-service-catalog
> 2, The OperatorGroup object in the namespace which Service Catalog running.
> $oc get operatorgroup xxx -o yaml
[root@ip-10-0-8-170 ~]# oc get operatorgroup service-catalog -o yaml
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  creationTimestamp: 2018-12-20T05:57:02Z
  generation: 1
  name: service-catalog
  namespace: kube-service-catalog
  resourceVersion: "109683"
  selfLink: /apis/operators.coreos.com/v1alpha2/namespaces/kube-service-catalog/operatorgroups/service-catalog
  uid: 1257f2a5-041c-11e9-adca-0a6b65701564
spec:
  selector:
    matchLabels:
      ns: kube-service-catalog
status:
  lastUpdated: 2018-12-20T05:57:02Z
  namespaces:
  - kube-service-catalog
> 3, The detailed info of the `clusterserviceclass`. For example,
> $oc get clusterserviceclass xxx -o yaml
[root@ip-10-0-8-170 ~]# oc get clusterserviceclass f6c4486b7fb0cdac4b58e193607f7011 -o yaml
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ClusterServiceClass
metadata:
  creationTimestamp: 2018-12-20T06:47:58Z
  name: f6c4486b7fb0cdac4b58e193607f7011
  ownerReferences:
  - apiVersion: servicecatalog.k8s.io/v1beta1
    blockOwnerDeletion: false
    controller: true
    kind: ClusterServiceBroker
    name: automation-broker
    uid: 26b91afc-0423-11e9-bf1b-0a580a800015
  resourceVersion: "77"
  selfLink: /apis/servicecatalog.k8s.io/v1beta1/clusterserviceclasses/f6c4486b7fb0cdac4b58e193607f7011
  uid: 2ffd3668-0423-11e9-bf1b-0a580a800015
spec:
  bindable: false
  bindingRetrievable: false
  clusterServiceBrokerName: automation-broker
  description: Mediawiki apb implementation
  externalID: f6c4486b7fb0cdac4b58e193607f7011
  externalMetadata:
    console.openshift.io/iconClass: icon-mediawiki
    dependencies:
    - docker.io/ansibleplaybookbundle/mediawiki:latest
    displayName: Mediawiki (APB)
    documentationUrl: https://www.mediawiki.org/wiki/Documentation
    longDescription: An apb that deploys Mediawiki
    providerDisplayName: Red Hat, Inc.
  externalName: dh-mediawiki-apb
  planUpdatable: false
status:
  removedFromBrokerCatalog: false

Comment 3 Jian Zhang 2018-12-20 14:40:46 UTC
Zihan,

Thanks for your information! From the OperatorGroup you showed above, it just did watch the namespace "kube-service-catalog".
But, you tried to use the "clusterserviceclass" resource in namespace "zitang". It's not allowed.
So, please modify your operatorgroup object to watch all namespace. And, have a try.

Comment 4 Zihan Tang 2018-12-21 08:59:32 UTC
I tried some workaround, but it still not work.
1. edit operatorgourpspec:
  selector:
    matchLabels:
      ns: zitang
2. edit the clusterserviceclass, add 'annotations'
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ClusterServiceClass
metadata:
  creationTimestamp: 2018-12-21T05:40:09Z
  name: ddd528762894b277001df310a126d5ad
  annotations:
    servicecatalog.k8s.io/scope:"clusterwide"
It can not be edited.

This issue block some critical cases, so add testblocker keywords.

Comment 5 Zihan Tang 2018-12-26 03:38:14 UTC
Many critical and high priority cases which to provision apb are using 'normal' user to run. So change the bug Priority to High.

Comment 6 Zhang Cheng 2019-01-17 01:43:35 UTC
I'm promoting priority to 'urgent' since this issue is blocking 85% automation test.

Comment 7 Jay Boyd 2019-01-17 18:58:06 UTC
after following step 5 in the description I still can't login with non admin users, I get the error "Login failed (401 Unauthorized), Verify you have provided correct credentials."  Are there any additional steps required outside of what is specified in the description?


I believe the issue you are seeing will be addressed by `oc create -f` with the content from http://pastebin.test.redhat.com/665077   We're missing some roles that will be created when https://jira.coreos.com/browse/SERCAT-9 is completed.

Comment 8 Zihan Tang 2019-01-18 08:35:21 UTC
I tried the workaround again, it works in my env.
openshift-build: 0.10.0
Cluster version is Cluster version is 4.0.0-0.1

workaround: 
# oc patch kubeapiserveroperatorconfig instance -p '{"spec":{"unsupportedConfigOverrides": {"oauthConfig": {"identityProviders": [{"challenge": true,"login": true,"name": "anypassword","provider": {"apiVersion": "osin.config.openshift.io/v1","kind": "AllowAllPasswordIdentityProvider"}}],"masterCA": "/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt","masterPublicURL": "${url see note}","masterURL": "${url see note}"}}}}' --type merge  

note url == $(oc --config="$KUBECONFIG" status | grep -o 'https.*')

[core@ip-10-0-31-107 ~]$ oc patch kubeapiserveroperatorconfig instance -p '{"spec":{"unsupportedConfigOverrides": {"oauthConfig": {"identityProviders": [{"challenge": true,"login": true,"name": "anypassword","provider": {"apiVersion": "osin.config.openshift.io/v1","kind": "AllowAllPasswordIdentityProvider"}}],"masterCA": "/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt","masterPublicURL": "https://zitang1-api.qe.devcluster.openshift.com:6443","masterURL": "https://zitang1-api.qe.devcluster.openshift.com:6443"}}}}' --type merge  
kubeapiserveroperatorconfig.kubeapiserver.operator.openshift.io/instance patched


after patch the config, it become: 
$ oc get kubeapiserveroperatorconfig instance -o yaml

  unsupportedConfigOverrides:
    oauthConfig:
      identityProviders:
      - challenge: true
        login: true
        name: anypassword
        provider:
          apiVersion: osin.config.openshift.io/v1
          kind: AllowAllPasswordIdentityProvider
      masterCA: /etc/kubernetes/static-pod-resources/configmaps/client-ca/ca-bundle.crt
      masterPublicURL: https://zitang1-api.qe.devcluster.openshift.com:6443
      masterURL: https://zitang1-api.qe.devcluster.openshift.com:6443


Then I tried login as a normal user from client
[root@dhcp-140-42 installer]# oc login -u zitang -p dddd --server https://zitang1-api.qe.devcluster.openshift.com:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

check the users in server:
[core@ip-10-0-31-107 ~]$ oc get users
NAME      UID                                    FULL NAME   IDENTITIES
zitang    982c0430-1af3-11e9-ad07-0a580a800016               anypassword:zitang

I tried in 4.0.0-0.1 again, still can not list clusterserviceclass.
[root@dhcp-140-42 installer]# oc get clusterserviceclass
No resources found.
Error from server (Forbidden): clusterserviceclasses.servicecatalog.k8s.io is forbidden: User "zitang" cannot list clusterserviceclasses.servicecatalog.k8s.io at the cluster scope: no RBAC policy matched

Comment 9 Jay Boyd 2019-01-18 14:52:33 UTC
Thanks Zihan.  How are you creating the user?  My `oc get users` is not showing any identities but from your output it is:

$ oc create user joe
user.user.openshift.io/joe created

$ oc get users
NAME      UID                                    FULL NAME   IDENTITIES
jay       f1dd0405-1a86-11e9-8fff-0a580a820010               
joe       56026793-1b2b-11e9-98b3-0a580a800011               

$ oc login -u joe -p dddd --server https://jaboyd5-api.devcluster.openshift.com:6443
Login failed (401 Unauthorized)
Verify you have provided correct credentials.


and same result if I try to login with any other non-created user.


snippet from `oc get kubeapiserveroperatorconfig instance -o yaml`
  unsupportedConfigOverrides:
    oauthConfig:
      identityProviders:
      - challenge: true
        login: true
        name: anypassword
        provider:
          apiVersion: v1
          kind: AllowAllPasswordIdentityProvider
      masterCA: /etc/kubernetes/static-pod-resources/configmaps/client-ca/ca-bundle.crt
      masterPublicURL: https://jaboyd5-api.devcluster.openshift.com:6443
      masterURL: https://jaboyd5-api.devcluster.openshift.com:6443


I see the pastebin link I sent has expired.  Could you please try again with the rbac.yaml attached to this BZ?

$ oc create -f rbac.yaml

Comment 10 Jay Boyd 2019-01-18 14:54:10 UTC
Created attachment 1521558 [details]
rbac yaml that adds missing roles and bindings allowing non-system users to work with Service Catalog objects

Comment 11 Zihan Tang 2019-01-21 03:17:17 UTC
Jay,
After setting 'allowall' auth type, do NOT need to create users, just login via oc or console with any user and password, then the server will create the user automatically.

Comment 12 Jay Boyd 2019-01-25 20:46:04 UTC
I just ran through this today.  Almost working.  After installing Service Catalog through the Operator Hub apply the rbac as describe in https://gist.github.com/jboyd01/f1897420ff998951da46c73c128ff1ca  and you should have a functional Service Catalog that also works with non-admin users.   I'll close this once we have the RBAC issue addressed.

Comment 13 Zihan Tang 2019-01-28 06:30:26 UTC
I tried in 4.0.0-0.alpha-2019-01-27-170606. This workaround working. Remove TestBlocker tag.
1. Install service catalog through Operator Hub in web console
2. create ups-broker
then login as non-admin user, it can list clusterserviceclass /clusterserviceplan .

[zitang@localhost v3-testfiles]$ oc login --server https://zitang-api.qe.devcluster.openshift.com:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Authentication required for https://zitang-api.qe.devcluster.openshift.com:6443 (openshift)
Username: zitang
Password: 
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[zitang@localhost v3-testfiles]$ oc get clusterserviceclass
NAME                                   EXTERNAL-NAME                        BROKER       AGE
4f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   user-provided-service                ups-broker   16s
5f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   user-provided-service-single-plan    ups-broker   16s
8a6229d4-239e-4790-ba1f-8367004d0473   user-provided-service-with-schemas   ups-broker   16s
[zitang@localhost v3-testfiles]$ oc get clusterserviceplan
NAME                                   EXTERNAL-NAME   BROKER       CLASS                                  AGE
4dbcd97c-c9d2-4c6b-9503-4401a789b558   default         ups-broker   8a6229d4-239e-4790-ba1f-8367004d0473   22s
86064792-7ea2-467b-af93-ac9694d96d52   default         ups-broker   4f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   22s
96064792-7ea2-467b-af93-ac9694d96d52   default         ups-broker   5f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   22s
cc0d7529-18e8-416d-8946-6f7456acd589   premium         ups-broker   4f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   22s

Comment 15 Zihan Tang 2019-02-22 07:19:24 UTC
Jay,
With your workaround in #comment14, normal user still can not list serviceinstance and servicebindings.
[zitang@dhcp-140-42 catbrokers4]$ oc get serviceinstance
Error from server (Forbidden): serviceinstances.servicecatalog.k8s.io is forbidden: User "pm1" cannot list resource "serviceinstances" in API group "servicecatalog.k8s.io" in the namespace "default"
[zitang@dhcp-140-42 catbrokers4]$ oc get servicebinding
Error from server (Forbidden): servicebindings.servicecatalog.k8s.io is forbidden: User "pm1" cannot list resource "servicebindings" in API group "servicecatalog.k8s.io" in the namespace "default"

Comment 16 Zihan Tang 2019-02-22 07:31:42 UTC
Sorry, please ignore #comment15, normal user can list serviceinstance and serviciebinding in his owned project.

Comment 17 Zihan Tang 2019-02-26 03:18:42 UTC
In 4.0.0-0.nightly-2019-02-25-194625, svcat is installed by CVO.  

$ oc get clusterrole | grep catalog
service-catalog-controller                                                          64m
servicecatalog-serviceclass-viewer                                                  64m
servicecatalog.k8s.io:service-catalog-readiness                                     64m
system:service-catalog:aggregate-to-admin                                           64m
system:service-catalog:aggregate-to-edit                                            64m
system:service-catalog:aggregate-to-view                                            64m

Normal user can list clusterserviceclass/plan 

This is fixed.

Comment 18 Jay Boyd 2019-02-26 13:30:37 UTC
Comment from #17 indicates fixed but still in assigned state.  Zihan I'm setting this to ON_QA.  Thanks!

Comment 19 Zihan Tang 2019-02-27 02:24:59 UTC
According to #comment17, mark as VERIFIED.

Comment 23 errata-xmlrpc 2019-06-04 10:41:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758


Note You need to log in before you can comment on or make changes to this bug.