Description of problem:
In next-gen installer env, a normal user cannot list clusterserviceclass and clusterserviceplan resources from automation-broker.

Version-Release number of selected component (if applicable):
openshift-install v0.7.0
service-catalog: v4.0.0-v0.1.38+7a95e74-2-dirty;Upstream:v0.1.3
OLM: 0.8.0
asb-operator: docker.io/automationbroker/automation-broker-operator@sha256:5081a4c0d63b14235073389160e5536f86435d844dc64e598667352f0a378440
asb: 1.3.20

How reproducible:
always

Steps to Reproduce:
1. install okd 4.0 by next-gen installer
2. install service-catalog from OLM
3. install automation-broker from OLM
4. check clusterserviceclass and clusterserviceplan resources as system:admin
# oc get clusterserviceclass
NAME                               EXTERNAL-NAME       BROKER              AGE
08ccf37be271fba38b1a70f87302297f   dh-rhpam-apb        automation-broker   53m
09628db4757fd1a2db85d465106b9f82   dh-gluster-s3-apb   automation-broker   53m
0e991006d21029e47abe71acc255e807   dh-pyzip-demo-apb   automation-broker   53m
5. workaround for allowall idp 4.0 oauthconfig
# oc patch kubeapiserveroperatorconfig instance -p '{"spec":{"unsupportedConfigOverrides": {"oauthConfig": {"identityProviders": [{"challenge": true,"login": true,"name": "anypassword","provider": {"apiVersion": "v1","kind": "AllowAllPasswordIdentityProvider"}}],"masterCA": "/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt","masterPublicURL": "${url-see note}","masterURL": "${url-see note}"}}}}' --type merge
note: url == $(oc --config="$KUBECONFIG" status | grep -o 'https.*')
6. log in as a normal user and check the resources
You have one project on this server: "zitang"

Using project "zitang".
[zitang@localhost ~]$ oc get clusterserviceclass
No resources found.
Error from server (Forbidden): clusterserviceclasses.servicecatalog.k8s.io is forbidden: User "zitang" cannot list clusterserviceclasses.servicecatalog.k8s.io at the cluster scope: no RBAC policy matched
[zitang@localhost ~]$ oc get clusterserviceplan
No resources found.
Error from server (Forbidden): clusterserviceplans.servicecatalog.k8s.io is forbidden: User "zitang" cannot list clusterserviceplans.servicecatalog.k8s.io at the cluster scope: no RBAC policy matched

Actual results:
cannot get clusterserviceclass and plan resources as a normal user

Expected results:
normal user can list clusterserviceclass and plan

Additional info:
Zihan,

> service-catalog: v4.0.0-v0.1.38+7a95e74-2-dirty;Upstream:v0.1.3
> OLM: 0.8.0

Please paste the intact version info. For OLM, please post the git commit info.

I think the root cause is that these `clusterserviceclass` objects lack the `annotations: xxx/scope:clusterwide` info.
So, please paste the related info here:
1. The namespace the Service Catalog is running in.
2. The OperatorGroup object in the namespace the Service Catalog is running in.
$ oc get operatorgroup xxx -o yaml
3. The detailed info of the `clusterserviceclass`. For example,
$ oc get clusterserviceclass xxx -o yaml
(In reply to Jian Zhang from comment #1)
> Zihan,
>
> > service-catalog: v4.0.0-v0.1.38+7a95e74-2-dirty;Upstream:v0.1.3
> > OLM: 0.8.0
> Please paste the intact version info. For OLM, please post the git commit
> info.

OLM version: 0.8.0
git commit: efcc72c

> I think the root cause is that these `clusterserviceclass` lack of the
> `annotations: xxx/scope:clusterwide` info.
> So, please paste related info in here:
> 1, The namespace of the Service Catalog running.

kube-service-catalog

> 2, The OperatorGroup object in the namespace which Service Catalog running.
> $oc get operatorgroup xxx -o yaml

[root@ip-10-0-8-170 ~]# oc get operatorgroup service-catalog -o yaml
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  creationTimestamp: 2018-12-20T05:57:02Z
  generation: 1
  name: service-catalog
  namespace: kube-service-catalog
  resourceVersion: "109683"
  selfLink: /apis/operators.coreos.com/v1alpha2/namespaces/kube-service-catalog/operatorgroups/service-catalog
  uid: 1257f2a5-041c-11e9-adca-0a6b65701564
spec:
  selector:
    matchLabels:
      ns: kube-service-catalog
status:
  lastUpdated: 2018-12-20T05:57:02Z
  namespaces:
  - kube-service-catalog

> 3, The detailed info of the `clusterserviceclass`. For example,
> $oc get clusterserviceclass xxx -o yaml

[root@ip-10-0-8-170 ~]# oc get clusterserviceclass f6c4486b7fb0cdac4b58e193607f7011 -o yaml
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ClusterServiceClass
metadata:
  creationTimestamp: 2018-12-20T06:47:58Z
  name: f6c4486b7fb0cdac4b58e193607f7011
  ownerReferences:
  - apiVersion: servicecatalog.k8s.io/v1beta1
    blockOwnerDeletion: false
    controller: true
    kind: ClusterServiceBroker
    name: automation-broker
    uid: 26b91afc-0423-11e9-bf1b-0a580a800015
  resourceVersion: "77"
  selfLink: /apis/servicecatalog.k8s.io/v1beta1/clusterserviceclasses/f6c4486b7fb0cdac4b58e193607f7011
  uid: 2ffd3668-0423-11e9-bf1b-0a580a800015
spec:
  bindable: false
  bindingRetrievable: false
  clusterServiceBrokerName: automation-broker
  description: Mediawiki apb implementation
  externalID: f6c4486b7fb0cdac4b58e193607f7011
  externalMetadata:
    console.openshift.io/iconClass: icon-mediawiki
    dependencies:
    - docker.io/ansibleplaybookbundle/mediawiki:latest
    displayName: Mediawiki (APB)
    documentationUrl: https://www.mediawiki.org/wiki/Documentation
    longDescription: An apb that deploys Mediawiki
    providerDisplayName: Red Hat, Inc.
  externalName: dh-mediawiki-apb
  planUpdatable: false
status:
  removedFromBrokerCatalog: false
Zihan,

Thanks for your information! From the OperatorGroup you showed above, it only watches the namespace "kube-service-catalog". But you tried to use the "clusterserviceclass" resource in namespace "zitang". That is not allowed. So, please modify your OperatorGroup object to watch all namespaces, and have a try.
I tried some workarounds, but it still does not work.

1. edit the OperatorGroup spec:
spec:
  selector:
    matchLabels:
      ns: zitang

2. edit the clusterserviceclass, add 'annotations':
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ClusterServiceClass
metadata:
  creationTimestamp: 2018-12-21T05:40:09Z
  name: ddd528762894b277001df310a126d5ad
  annotations:
    servicecatalog.k8s.io/scope: "clusterwide"

It cannot be edited.

This issue blocks some critical cases, so I am adding the TestBlocker keyword.
Many critical and high priority cases that provision APBs are run as a 'normal' user. So I am changing the bug Priority to High.
I'm promoting the priority to 'urgent' since this issue is blocking 85% of the automation tests.
After following step 5 in the description I still can't log in with non-admin users; I get the error "Login failed (401 Unauthorized), Verify you have provided correct credentials." Are there any additional steps required beyond what is specified in the description?

I believe the issue you are seeing will be addressed by `oc create -f` with the content from http://pastebin.test.redhat.com/665077

We're missing some roles that will be created when https://jira.coreos.com/browse/SERCAT-9 is completed.
I tried the workaround again; it works in my env.

openshift-build: 0.10.0
Cluster version is 4.0.0-0.1

workaround:
# oc patch kubeapiserveroperatorconfig instance -p '{"spec":{"unsupportedConfigOverrides": {"oauthConfig": {"identityProviders": [{"challenge": true,"login": true,"name": "anypassword","provider": {"apiVersion": "osin.config.openshift.io/v1","kind": "AllowAllPasswordIdentityProvider"}}],"masterCA": "/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt","masterPublicURL": "${url see note}","masterURL": "${url see note}"}}}}' --type merge
note: url == $(oc --config="$KUBECONFIG" status | grep -o 'https.*')

[core@ip-10-0-31-107 ~]$ oc patch kubeapiserveroperatorconfig instance -p '{"spec":{"unsupportedConfigOverrides": {"oauthConfig": {"identityProviders": [{"challenge": true,"login": true,"name": "anypassword","provider": {"apiVersion": "osin.config.openshift.io/v1","kind": "AllowAllPasswordIdentityProvider"}}],"masterCA": "/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt","masterPublicURL": "https://zitang1-api.qe.devcluster.openshift.com:6443","masterURL": "https://zitang1-api.qe.devcluster.openshift.com:6443"}}}}' --type merge
kubeapiserveroperatorconfig.kubeapiserver.operator.openshift.io/instance patched

After patching the config, it becomes:
$ oc get kubeapiserveroperatorconfig instance -o yaml
  unsupportedConfigOverrides:
    oauthConfig:
      identityProviders:
      - challenge: true
        login: true
        name: anypassword
        provider:
          apiVersion: osin.config.openshift.io/v1
          kind: AllowAllPasswordIdentityProvider
      masterCA: /etc/kubernetes/static-pod-resources/configmaps/client-ca/ca-bundle.crt
      masterPublicURL: https://zitang1-api.qe.devcluster.openshift.com:6443
      masterURL: https://zitang1-api.qe.devcluster.openshift.com:6443

Then I tried to log in as a normal user from a client:
[root@dhcp-140-42 installer]# oc login -u zitang -p dddd --server https://zitang1-api.qe.devcluster.openshift.com:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

Check the users on the server:
[core@ip-10-0-31-107 ~]$ oc get users
NAME     UID                                    FULL NAME   IDENTITIES
zitang   982c0430-1af3-11e9-ad07-0a580a800016               anypassword:zitang

I tried in 4.0.0-0.1 again; still cannot list clusterserviceclass.
[root@dhcp-140-42 installer]# oc get clusterserviceclass
No resources found.
Error from server (Forbidden): clusterserviceclasses.servicecatalog.k8s.io is forbidden: User "zitang" cannot list clusterserviceclasses.servicecatalog.k8s.io at the cluster scope: no RBAC policy matched
Thanks Zihan. How are you creating the user? My `oc get users` is not showing any identities, but your output is:

$ oc create user joe
user.user.openshift.io/joe created
$ oc get users
NAME   UID                                    FULL NAME   IDENTITIES
jay    f1dd0405-1a86-11e9-8fff-0a580a820010
joe    56026793-1b2b-11e9-98b3-0a580a800011
$ oc login -u joe -p dddd --server https://jaboyd5-api.devcluster.openshift.com:6443
Login failed (401 Unauthorized)
Verify you have provided correct credentials.

and the same result if I try to log in with any other non-created user.

snippet from `oc get kubeapiserveroperatorconfig instance -o yaml`:
  unsupportedConfigOverrides:
    oauthConfig:
      identityProviders:
      - challenge: true
        login: true
        name: anypassword
        provider:
          apiVersion: v1
          kind: AllowAllPasswordIdentityProvider
      masterCA: /etc/kubernetes/static-pod-resources/configmaps/client-ca/ca-bundle.crt
      masterPublicURL: https://jaboyd5-api.devcluster.openshift.com:6443
      masterURL: https://jaboyd5-api.devcluster.openshift.com:6443

I see the pastebin link I sent has expired. Could you please try again with the rbac.yaml attached to this BZ?
$ oc create -f rbac.yaml
Created attachment 1521558: rbac.yaml that adds missing roles and bindings allowing non-system users to work with Service Catalog objects
Jay,

After setting the 'allowall' auth type, you do NOT need to create users; just log in via oc or the console with any user and password, and the server will create the user automatically.
I just ran through this today. Almost working. After installing Service Catalog through the Operator Hub, apply the RBAC as described in https://gist.github.com/jboyd01/f1897420ff998951da46c73c128ff1ca and you should have a functional Service Catalog that also works with non-admin users. I'll close this once we have the RBAC issue addressed.
I tried in 4.0.0-0.alpha-2019-01-27-170606. This workaround is working. Removing the TestBlocker tag.

1. Install service catalog through Operator Hub in the web console
2. create ups-broker, then log in as a non-admin user; it can list clusterserviceclass/clusterserviceplan.

[zitang@localhost v3-testfiles]$ oc login --server https://zitang-api.qe.devcluster.openshift.com:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Authentication required for https://zitang-api.qe.devcluster.openshift.com:6443 (openshift)
Username: zitang
Password:
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[zitang@localhost v3-testfiles]$ oc get clusterserviceclass
NAME                                   EXTERNAL-NAME                        BROKER       AGE
4f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   user-provided-service                ups-broker   16s
5f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   user-provided-service-single-plan    ups-broker   16s
8a6229d4-239e-4790-ba1f-8367004d0473   user-provided-service-with-schemas   ups-broker   16s
[zitang@localhost v3-testfiles]$ oc get clusterserviceplan
NAME                                   EXTERNAL-NAME   BROKER       CLASS                                  AGE
4dbcd97c-c9d2-4c6b-9503-4401a789b558   default         ups-broker   8a6229d4-239e-4790-ba1f-8367004d0473   22s
86064792-7ea2-467b-af93-ac9694d96d52   default         ups-broker   4f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   22s
96064792-7ea2-467b-af93-ac9694d96d52   default         ups-broker   5f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   22s
cc0d7529-18e8-416d-8946-6f7456acd589   premium         ups-broker   4f6e6cf6-ffdd-425f-a2c7-3c9258ad2468   22s
Jay,

With your workaround in #comment14, a normal user still cannot list serviceinstance and servicebinding.

[zitang@dhcp-140-42 catbrokers4]$ oc get serviceinstance
Error from server (Forbidden): serviceinstances.servicecatalog.k8s.io is forbidden: User "pm1" cannot list resource "serviceinstances" in API group "servicecatalog.k8s.io" in the namespace "default"
[zitang@dhcp-140-42 catbrokers4]$ oc get servicebinding
Error from server (Forbidden): servicebindings.servicecatalog.k8s.io is forbidden: User "pm1" cannot list resource "servicebindings" in API group "servicecatalog.k8s.io" in the namespace "default"
Sorry, please ignore #comment15; a normal user can list serviceinstance and servicebinding in their own project.
In 4.0.0-0.nightly-2019-02-25-194625, svcat is installed by CVO.

$ oc get clusterrole | grep catalog
service-catalog-controller                        64m
servicecatalog-serviceclass-viewer                64m
servicecatalog.k8s.io:service-catalog-readiness   64m
system:service-catalog:aggregate-to-admin         64m
system:service-catalog:aggregate-to-edit          64m
system:service-catalog:aggregate-to-view          64m

A normal user can list clusterserviceclass/plan. This is fixed.
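The listing above shows the shape of the fix: a viewer ClusterRole for the cluster-scoped catalog plus roles that aggregate into the built-in view/edit/admin roles for the namespaced objects, which is also what the rbac.yaml attachment and the gist in the earlier comments provide as a workaround. The script below is an added example and is not the attached rbac.yaml, the gist, or anything shipped with Service Catalog. It reuses the role names from the listing, but the rule sets, the binding of the viewer role to system:authenticated, and the aggregation labels are my assumptions about what such a fix contains. The "no RBAC policy matched" error in the description is an authorization failure, so the grant has to be cluster-scoped; a namespaced RoleBinding or an OperatorGroup change cannot satisfy a list at the cluster scope.

```shell
#!/bin/sh
# Added example: RBAC that lets ordinary authenticated users read the
# Service Catalog and verifies the grant. Not the bug's attached rbac.yaml;
# role names follow the `oc get clusterrole | grep catalog` listing, the
# rules, binding subject and labels are assumptions.

# Emit the manifest. Kept in a function so it can be reviewed before apply.
servicecatalog_rbac_yaml() {
cat <<'EOF'
# Cluster-scoped catalog objects: read-only for everyone who can log in.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: servicecatalog-serviceclass-viewer
rules:
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterserviceclasses", "clusterserviceplans"]
  verbs: ["get", "list", "watch"]
---
# A ClusterRoleBinding is required: a RoleBinding in a project cannot
# grant list at the cluster scope, which is what the Forbidden error names.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: servicecatalog-serviceclass-viewer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: servicecatalog-serviceclass-viewer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
---
# Namespaced objects: aggregate into the built-in view role so a user sees
# instances and bindings only in projects where they already hold view.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:service-catalog:aggregate-to-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["serviceinstances", "servicebindings"]
  verbs: ["get", "list", "watch"]
---
# Write access rides on edit (admin aggregates edit as well).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:service-catalog:aggregate-to-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["serviceinstances", "servicebindings"]
  verbs: ["create", "update", "patch", "delete", "get", "list", "watch"]
EOF
}

# Apply as cluster-admin.
apply_servicecatalog_rbac() {
  servicecatalog_rbac_yaml | oc apply -f -
}

# Check the grant from the admin session by impersonating the user.
# `oc auth can-i` exits non-zero on "no", so the function fails on the
# first missing permission. $1 = user, $2 = a project the user can view.
verify_servicecatalog_rbac() {
  user="$1"; ns="$2"
  oc auth can-i list clusterserviceclasses.servicecatalog.k8s.io --as="$user" &&
  oc auth can-i list clusterserviceplans.servicecatalog.k8s.io --as="$user" &&
  oc auth can-i list serviceinstances.servicecatalog.k8s.io --as="$user" -n "$ns"
}

# Usage (as cluster-admin):
#   apply_servicecatalog_rbac && verify_servicecatalog_rbac zitang zitang
```

Impersonation with `--as` needs the impersonate verb, which cluster-admin has; running the verification that way avoids switching kubeconfigs or relying on the allowall identity provider just to test authorization. Scope the cluster-wide grant to read verbs only; any write to the catalog stays with the broker controller.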
Comment #17 indicates this is fixed but the bug is still in ASSIGNED state. Zihan, I'm setting this to ON_QA. Thanks!
According to #comment17, mark as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758