Bug 1841035 - The regular user should have access right for volumesnapshots.snapshot.storage.k8s.io and volumesnapshotclasses.snapshot.storage.k8s.io APIs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Jan Safranek
QA Contact: Wei Duan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-28 08:09 UTC by Qin Ping
Modified: 2020-10-27 16:02 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:01:56 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-csi-snapshot-controller-operator pull 39 | 0 | None | closed | Bug 1841035: Add permissions to snapshot CRs to various cluster roles | 2020-10-28 14:11:31 UTC
Github | openshift openshift-apiserver pull 112 | 0 | None | closed | Bug 1841035: Modify basic-user and storage-admin to be aggregated | 2020-10-28 14:11:31 UTC
Github | openshift openshift-apiserver pull 113 | 0 | None | closed | Bug 1841035: Modify basic-user and storage-admin to be aggregated | 2020-10-28 14:11:46 UTC
Github | openshift origin pull 25137 | 0 | None | closed | Bug 1841035: Add volumesnapshotclass to default RBAC test | 2020-10-28 14:11:46 UTC
Red Hat Product Errata | RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 16:02:36 UTC

Description Qin Ping 2020-05-28 08:09:29 UTC
Description of problem:
The regular user should have access right for volumesnapshots.snapshot.storage.k8s.io and volumesnapshotclasses.snapshot.storage.k8s.io APIs


Version-Release number of selected component (if applicable):
$ oc get clusterversion --context=admin
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.5.0-0.nightly-2020-05-27-040756   True        False         6h9m    Cluster version is 4.5.0-0.nightly-2020-05-27-040756


How reproducible:
Always

Steps to Reproduce:
1. List volumesnapshotclass and volumesnapshot objects with a regular user.

Actual results:
$ oc get volumesnapshots
Error from server (Forbidden): volumesnapshots.snapshot.storage.k8s.io is forbidden: User "testuser-0" cannot list resource "volumesnapshots" in API group "snapshot.storage.k8s.io" in the namespace "default"

$ oc get volumesnapshotclasses
Error from server (Forbidden): volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "testuser-0" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope


Expected results:
The regular user can list these two types of objects successfully. 

Master Log:

Node Log (of failed PODs):

PV Dump:

PVC Dump:

StorageClass Dump (if StorageClass used by PV/PVC):

Additional info:
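
Added example, not part of the original report or of the OpenShift code: a small parser that turns "Forbidden" messages like the two under "Actual results" into the RBAC rule each one is missing. It shows why the two errors need different fixes: the volumesnapshots denial is namespaced, while the volumesnapshotclasses denial is at the cluster scope. The function names, the "binding" field and the third sample line are assumptions made for this example.

```python
import re

# Wording of the API server's RBAC denial, as quoted in the report above.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

def parse_denial(line):
    """Return the denied request as a dict, or None if the line is not a denial."""
    m = DENIAL.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["scope"] = "namespace" if d["namespace"] else "cluster"
    return d

def missing_rules(lines):
    """Merge denials into one rule per (scope, API group, resource)."""
    verbs_by_key = {}
    for line in lines:
        d = parse_denial(line)
        if d:
            key = (d["scope"], d["group"], d["resource"])
            verbs_by_key.setdefault(key, set()).add(d["verb"])
    return [
        {
            # A namespaced denial can be fixed by a RoleBinding in that namespace;
            # a cluster-scoped one needs a ClusterRoleBinding.
            "binding": "RoleBinding" if scope == "namespace" else "ClusterRoleBinding",
            "apiGroups": [group],
            "resources": [resource],
            "verbs": sorted(verbs),
        }
        for (scope, group, resource), verbs in sorted(verbs_by_key.items())
    ]

SAMPLE = [
    # The two errors quoted in the report.
    'Error from server (Forbidden): volumesnapshots.snapshot.storage.k8s.io is forbidden: User "testuser-0" cannot list resource "volumesnapshots" in API group "snapshot.storage.k8s.io" in the namespace "default"',
    'Error from server (Forbidden): volumesnapshotclasses.snapshot.storage.k8s.io is forbidden: User "testuser-0" cannot list resource "volumesnapshotclasses" in API group "snapshot.storage.k8s.io" at the cluster scope',
    # Constructed line (not from the report): same format, different verb.
    'Error from server (Forbidden): User "testuser-0" cannot create resource "volumesnapshots" in API group "snapshot.storage.k8s.io" in the namespace "default"',
]

if __name__ == "__main__":
    for rule in missing_rules(SAMPLE):
        print(rule)
```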

Comment 3 Jan Safranek 2020-06-25 13:55:12 UTC
All PRs have been merged.

Comment 6 Wei Duan 2020-07-17 10:07:29 UTC
Verified pass

[wduan@MINT azuredisk]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-07-16-211200   True        False         7h6m    Cluster version is 4.6.0-0.nightly-2020-07-16-211200


Execute as testuser-0
testuser-0 could list the volumesnapshotclasses created by cluster admin
[wduan@MINT azuredisk]$ oc get volumesnapshotclasses
NAME            DRIVER               DELETIONPOLICY   AGE
csi-snapclass   disk.csi.azure.com   Delete           40s

testuser-0 could create/list the volumesnapshot
[wduan@MINT azuredisk]$ oc create -f VolumeSnapshot_withclass.yaml
volumesnapshot.snapshot.storage.k8s.io/mysnapshot01 created
[wduan@MINT azuredisk]$ oc get volumesnapshot mysnapshot01
NAME           READYTOUSE   SOURCEPVC   SOURCESNAPSHOTCONTENT   RESTORESIZE   SNAPSHOTCLASS   SNAPSHOTCONTENT                                    CREATIONTIME   AGE
mysnapshot01   true         pvc-ori                             2Gi           csi-snapclass   snapcontent-a9c6fb76-17f8-44e2-85e5-684d952a1962   4m53s          7m5s

Comment 8 errata-xmlrpc 2020-10-27 16:01:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

