Bug 1717124 - cluster reader is unable to read configs.samples.operator.openshift.io
Summary: cluster reader is unable to read configs.samples.operator.openshift.io
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Templates
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.2.0
Assignee: Gabe Montero
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-06-04 18:06 UTC by Eric Paris
Modified: 2019-10-16 06:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The samples operator was not creating a cluster role that aggregated into the cluster-reader role.
Consequence: Users with the cluster-reader role could not read the config object for the samples operator.
Fix: The manifest of the samples operator was updated to include a cluster role for read-only access to its config object, which aggregated into the cluster-reader role.
Result: Users with cluster-reader can now read/list/watch the config object for the samples operator.
Clone Of:
Environment:
Last Closed: 2019-10-16 06:31:10 UTC
Target Upstream Version:


Links
System: Github | ID: openshift cluster-samples-operator pull 160 | Priority: None | Status: closed | Summary: Bug 1717124: add clusterrole to allow cluster-reader access to the samples config obj | Last Updated: 2020-11-20 02:36:47 UTC
System: Red Hat Product Errata | ID: RHBA-2019:2922 | Priority: None | Status: None | Summary: None | Last Updated: 2019-10-16 06:31:26 UTC

Description Eric Paris 2019-06-04 18:06:49 UTC
I'm told that David or Clayton can point you to where to fix this, but the 'cluster-reader' role is unable to read the samples operator config. Since this is not a priv escalation, to read the config, it should be allowed.

Comment 1 Mo 2019-07-23 00:06:52 UTC
(In reply to Eric Paris from comment #0)
> I'm told that David or Clayton can point you to where to fix this, but the
> 'cluster-reader' role is unable to read the samples operator config. Since
> this is not a priv escalation, to read the config, it should be allowed.

Pretty sure this applies to all of the operator resources we have in the operator.openshift.io group.

Comment 2 Mo 2019-07-23 00:07:43 UTC
See

    oc get clusterrole.rbac system:openshift:cluster-config-operator:cluster-reader -o yaml

as an example of how we handle the config resources

Comment 3 Gabe Montero 2019-07-30 15:30:09 UTC
ooh PR ref automatically added with the new git/bugzilla bot

Comment 4 Eric Paris 2019-07-30 16:45:39 UTC
Steve K did some amazing work starting to get these systems to work together.

Comment 6 XiuJuan Wang 2019-08-01 08:41:25 UTC
Verified with version 4.2.0-0.nightly-2019-08-01-035705.

Add the system:openshift:cluster-samples-operator:cluster-reader clusterrole to a common user.
# oc adm policy add-cluster-role-to-user system:openshift:cluster-samples-operator:cluster-reader xiuwang1

Then the user could fetch the samples operator CRD.
$ oc whoami
xiuwang1
$ oc get config.samples.operator
NAME      AGE
cluster   11m
$ oc patch config.samples.operator cluster -p '{"spec":{"managementState": "Unmanaged"}}'
Error from server (Forbidden): configs.samples.operator.openshift.io "cluster" is forbidden: User "xiuwang1" cannot patch resource "configs" in API group "samples.operator.openshift.io" at the cluster scope
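The aggregated ClusterRole that the Doc Text describes and Comment 6 exercises, written out here as an added example rather than the manifest from PR 160: the `rbac.authorization.k8s.io/aggregate-to-cluster-reader` label is what folds its read-only rules into the built-in cluster-reader role. The role name is the one shown in Comment 6; the rule body is an assumed reconstruction.

```yaml
# Added example: a read-only ClusterRole that aggregates into cluster-reader.
# The name comes from Comment 6; the rules are assumed, not copied from the
# operator's manifest in PR 160.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:openshift:cluster-samples-operator:cluster-reader
  labels:
    # OpenShift's cluster-reader ClusterRole aggregates every ClusterRole
    # carrying this label, so a user bound to cluster-reader gains these
    # rules without any extra RoleBinding.
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups:
  - samples.operator.openshift.io
  resources:
  - configs
  # Read-only verbs only. patch/update/delete are deliberately absent, which
  # is why the patch attempt in Comment 6 is still Forbidden.
  verbs:
  - get
  - list
  - watch
```

Once the role exists, `oc auth can-i get configs.samples.operator.openshift.io --as=<user>` should answer yes for a user bound to cluster-reader, while the same query with `patch` should still answer no.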

Comment 8 errata-xmlrpc 2019-10-16 06:31:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

