+++ This bug was initially created as a clone of Bug #1787504 +++ Description of problem: cannot impersonate the user group on console Version-Release number of selected component (if applicable): 4.3.0-0.nightly-2020-01-02-214950 How reproducible: Always Steps to Reproduce: 1. create group $ cat group1.yaml kind: Group apiVersion: user.openshift.io/v1 metadata: name: group1 users: - testuser-26 - testuser-27 2. create rolebinding for group $ cat hashapro1-rb.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hashapro1-rb namespace: hasha-pro1 subjects: - kind: Group apiGroup: rbac.authorization.k8s.io name: group1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: admin 3. goto User management->group->group1->role binding list page, click "Impersonate Group "group1" action of hashapro1-rb rolebinding Actual results: 3. The page always loading till you do click on a page, see screeshot. get error like: /api/kubernetes/apis/config.openshift.io/v1/infrastructures/cluster:1 Failed to load resource: the server responded with a status of 403 (Forbidden) Expected results: kubeadmin impersonated as group1 have hasha-pro1 project admin permission only. Additional info: kubeadmin login via cli: $ oc get po --as=testuser-26 --as-group=group1 Error from server (Forbidden): pods is forbidden: User "testuser-26" cannot list resource "pods" in API group "" in the namespace "default" $ oc get po -n hasha-pro1 --as=testuser-26 --as-group=group1 NAME READY STATUS RESTARTS AGE example-75778c488-k269c 1/1 Running 0 15s example-75778c488-lrdnx 1/1 Running 0 15s example-75778c488-zzxcj 1/1 Running 0 15s
1. create group $ cat group1.yaml kind: Group apiVersion: user.openshift.io/v1 metadata: name: group1 users: - testuser-26 - testuser-27 2. create rolebinding for group $ cat hashapro1-rb.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hashapro1-rb namespace: hasha-pro1 subjects: - kind: Group apiGroup: rbac.authorization.k8s.io name: group1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: admin 3. goto User management->group->group1->role binding list page, click "Impersonate Group "group1" action of hashapro1-rb rolebinding now console can impersonate the user group without click 4.3.0-0.nightly-2020-02-27-225047
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0676