Bug 1800331 - cannot impersonate the user group on console [openshift-4.3.z]
Summary: cannot impersonate the user group on console [openshift-4.3.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.3.z
Assignee: Samuel Padgett
QA Contact: shahan
URL:
Whiteboard:
Depends On: 1787504
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-06 21:19 UTC by bpeterse
Modified: 2020-03-10 23:54 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1787504
Environment:
Last Closed: 2020-03-10 23:53:52 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift console pull 4238 None closed [release-4.3] Bug 1800331: include `system:authenticated` when impersonating groups 2020-04-30 06:39:43 UTC
Red Hat Product Errata RHBA-2020:0676 None None None 2020-03-10 23:54:00 UTC

Description bpeterse 2020-02-06 21:19:18 UTC
+++ This bug was initially created as a clone of Bug #1787504 +++

Description of problem:
cannot impersonate the user group on console

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2020-01-02-214950

How reproducible:
Always

Steps to Reproduce:
1. create group
$ cat group1.yaml
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: group1
users:
  - testuser-26
  - testuser-27
2. create rolebinding for group
$ cat hashapro1-rb.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: hashapro1-rb
  namespace: hasha-pro1
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: group1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
3. goto User management->group->group1->role binding list page, click "Impersonate Group "group1" action of hashapro1-rb rolebinding

Actual results:
3. The page always loading till you do click on a page, see screeshot.
get error like: 
/api/kubernetes/apis/config.openshift.io/v1/infrastructures/cluster:1 Failed to load resource: the server responded with a status of 403 (Forbidden)

Expected results:
kubeadmin impersonated as group1 have hasha-pro1 project admin permission only.

Additional info:
kubeadmin login via cli:
$ oc get po --as=testuser-26 --as-group=group1
Error from server (Forbidden): pods is forbidden: User "testuser-26" cannot list resource "pods" in API group "" in the namespace "default"

$ oc get po -n hasha-pro1 --as=testuser-26 --as-group=group1
NAME                      READY   STATUS    RESTARTS   AGE
example-75778c488-k269c   1/1     Running   0          15s
example-75778c488-lrdnx   1/1     Running   0          15s
example-75778c488-zzxcj   1/1     Running   0          15s

Comment 3 shahan 2020-02-28 07:15:47 UTC
1. create group
$ cat group1.yaml
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: group1
users:
  - testuser-26
  - testuser-27
2. create rolebinding for group
$ cat hashapro1-rb.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: hashapro1-rb
  namespace: hasha-pro1
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: group1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
3. goto User management->group->group1->role binding list page, click "Impersonate Group "group1" action of hashapro1-rb rolebinding
 now console can impersonate the user group without click

4.3.0-0.nightly-2020-02-27-225047

Comment 5 errata-xmlrpc 2020-03-10 23:53:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0676


Note You need to log in before you can comment on or make changes to this bug.