Bug 1802577 - project.spec.projectRequestMessage not applied in all places
Summary: project.spec.projectRequestMessage not applied in all places
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.5
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
: 4.5.0
Assignee: Robb Hamilton
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1806585
TreeView+ depends on / blocked
 
Reported: 2020-02-13 12:38 UTC by Olimp Bockowski
Modified: 2020-05-04 11:36 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1804708 1806585 (view as bug list)
Environment:
Last Closed: 2020-05-04 11:36:23 UTC
Target Upstream Version:


Attachments (Terms of Use)
No Create Project Button (255.55 KB, image/png)
2020-03-06 05:47 UTC, Yadan Pei
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 4358 0 None closed Bug 1802577: only show "Create Project" option in project dropdown i… 2021-01-04 04:27:12 UTC
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-04 11:36:42 UTC

Description Olimp Bockowski 2020-02-13 12:38:51 UTC
Description of problem:

According to doc: "When a developer or a service account that is unable to self-provision projects makes a project creation request using the web console or CLI, the following error message is returned by default: "You may not request a new project via this API."

https://access.redhat.com/documentation/en-us/openshift_container_platform/4.3/html/applications/projects#customizing-project-request-message_configuring-project-creation

Using project.spec.projectRequestMessage we can set some message

But it is not applied properly to all components and this is inconsistent with "oc" (the behavior is quite the opposite)

HOW IT WORKS:
1.  for "oc" command you login and no message -> I would expect we have info, but nothing. However, when you create new-project you get a message defined in projectRequestMessage.
examples:

[ admin@obockows.brq.csb  /home/obockows/WORK/02578143-project ] $ oc login https://api:6443
You don't have any projects. Contact your system administrator to request a project.

[ admin@obockows.brq.csb  /home/obockows/WORK/02578143-project ] $ /tmp/oc new-project something
Error from server (Forbidden): ask astutus@redhat.com for a new project

the result: we have message defined in projectRequestMessage only when we fail to create a project

2. console:

when we are logged and we are in Home/Projects for Admin or Advanced/Projects for Developer view, we have:

Welcome to OpenShift
ask astutus@redhat.com for a new project

however, when we make an attempt to create a new project we have what you've seen, e.g.
"An error occurred projectrequests.project.openshift.io is forbidden: User "olimpb.bockowski" cannot create resource "projectrequests" in API group "project.openshift.io" at the cluster scope"

^^ here should be the message as well
Moreover, the web console shows the defined message only if you don't have a project yet. If you already have one, you don't get the message at all. 

Remarkable is the fact that in Openshift 3.x the project creation link is removed in favor of the defined message when project self-provisioning is disabled. 

The odd is inconsistency between console and CLI, if it behaves in sone way, it should be the same. I am quite convinced it should be unified and both for console and oc the same. 

Version-Release number of selected component (if applicable):
4.x

Additional info:
I was thinking should it be RE/RFE or bug, however, it looks like a bug because project.spec.projectRequestMessage wasn't put it all web components it should be. 
Moreover, we have still "An error occurred projectrequests.project.openshift.io is forbidden" when we try to use a button.

Comment 1 Olimp Bockowski 2020-02-13 13:02:44 UTC
btw we could also consider a different approach, e.g. should a project creation button is visible in console after self-provisioning disabled -> up to UX folks

Comment 2 Robb Hamilton 2020-02-18 20:07:05 UTC
Per Serena Nichols in UXD, the "Create Project" button should not be visible if self-provisioning is disabled.  Currently, "Create Project" is always visible in the project selection dropdown, which I will fix.

Comment 5 Yadan Pei 2020-02-24 07:41:41 UTC
1. Disabling project self-provisioning
# oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched
# oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
# oc describe clusterrolebinding.rbac self-provisioners
Name:         self-provisioners
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: false
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
2. Customize project request message
# oc edit project.config.openshift.io/cluster
project.config.openshift.io/cluster edited
# oc get project.config.openshift.io/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Project
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2020-02-24T00:50:30Z"
  generation: 2
  name: cluster
  resourceVersion: "220199"
  selfLink: /apis/config.openshift.io/v1/projects/cluster
  uid: 689ef5c6-97bb-4bc3-b1dd-688ad10c3638
spec:
  projectRequestMessage: This is customized by yapei, please contact her

3. Login via CLI
oc login     https://api.qe-ui-02240831.qe.devcluster.openshift.com:6443 -u yapei1 -p redhat
Login successful.

You don't have any projects. Contact your system administrator to request a project.

4. Login via console, check Workloads -> Deployments , open project dropdown, 'Create Project' button is still listed 

== Check if fix PR is merged in 4.4.0-0.nightly-2020-02-23-191320

# export version=4.4.0-0.nightly-2020-02-23-191320
# oc adm release info registry.svc.ci.openshift.org/ocp/release:$version --pullspecs | grep console
  console                                        quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5c5c3fba650560e27f29d1ea7f0a31cb6ff527070020bebf98df352f436d495f
  console-operator                               quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4c8cb2261424a458f4874fdffed95a378f88343b4c1e67e57133942c209328de
# oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5c5c3fba650560e27f29d1ea7f0a31cb6ff527070020bebf98df352f436d495f  | grep commit
             io.openshift.build.commit.id=d2821006d2b12f1f365025feeacdbfa6a159902f
             io.openshift.build.commit.url=https://github.com/openshift/console/commit/d2821006d2b12f1f365025feeacdbfa6a159902f
[yapei@New_Mac console]$ git pull
[yapei@New_Mac console]$ git log d2821006d2b12f1f365025feeacdbfa6a159902f | grep '#4358'    // nothing returns

Robb, the fix PR is merged 5 days ago, but we didn't see the fix in any payload until now. Can you help check what's going wrong?

Comment 6 Samuel Padgett 2020-02-24 14:57:28 UTC
The fix is in 4.5 currently. We'll need a separate bug/PR to backport to 4.4.

Comment 7 Yadan Pei 2020-03-06 05:47:45 UTC
Created attachment 1667999 [details]
No Create Project Button

1. Disabling project self-provisioning
# oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched
# oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'
# oc describe clusterrolebinding.rbac self-provisioners
Name:         self-provisioners
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: false
Role:
  Kind:  ClusterRole
  Name:  self-provisioner
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
2. Customize project request message
# oc edit project.config.openshift.io/cluster
project.config.openshift.io/cluster edited
# oc get project.config.openshift.io/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Project
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2020-02-24T00:50:30Z"
  generation: 2
  name: cluster
  resourceVersion: "220199"
  selfLink: /apis/config.openshift.io/v1/projects/cluster
  uid: 689ef5c6-97bb-4bc3-b1dd-688ad10c3638
spec:
  projectRequestMessage: This is customized by yapei, please contact her

3. Login via CLI
oc login     https://api.qe-ui-02240831.qe.devcluster.openshift.com:6443 -u yapei1 -p redhat
Login successful.

You don't have any projects. Contact your system administrator to request a project.
# oc new-project yapei1-1
Error from server (Forbidden): This is customized by yapei, please contact her

4. Login via console as user 'yapei1', check Workloads -> Deployments , open project dropdown, no 'Create Project' button in dropdown list

Verified on 4.5.0-0.ci-2020-03-04-223611

Comment 9 errata-xmlrpc 2020-05-04 11:36:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581


Note You need to log in before you can comment on or make changes to this bug.