Description of problem:
Common templates use PVCs from a "golden image" namespace that are managed by DVs. A user without permissions on DVs in the "golden image" namespace can't get managed data about the PVC, for example the PVC upload status.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. As an admin user, start uploading a PVC into the "golden image" namespace using a DV
2. As a regular user, try to get the upload status of the PVC using the owner DV
3.

Actual results:
User can't read PVC upload progress using the owner DV

Expected results:
User can read PVC upload progress using the owner DV

Additional info:
Upstream PR: https://github.com/kubevirt/ssp-operator/pull/83
QE Manual Test
===============================================================
Environment:

$ oc get clusterversion
NAME      VERSION      AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-fc.4   True        False         17h     Cluster version is 4.7.0-fc.4

$ oc get csv -n openshift-cnv
NAME                                      DISPLAY                    VERSION   REPLACES                                  PHASE
kubevirt-hyperconverged-operator.v2.6.0   OpenShift Virtualization   2.6.0     kubevirt-hyperconverged-operator.v2.5.3   Succeeded

$ oc get deploy -n openshift-cnv ssp-operator -owide
NAME           READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES                                                                                                                                      SELECTOR
ssp-operator   1/1     1            1           16h   manager      registry.redhat.io/container-native-virtualization/kubevirt-ssp-operator@sha256:87b0e51e4a584b61a149f8825b917ebf61a7c201048cbff891887aef0feeab7d   control-plane=ssp-operator

SSP Version: kubevirt-ssp-operator-container-v2.6.0-37
===============================================================
Setup test-user
https://docs.openshift.com/container-platform/4.6/authentication/identity_providers/configuring-htpasswd-identity-provider.html

$ htpasswd -c -B -b users.htpasswd test-user test-password
$ oc -n openshift-config delete secret htpass-secret
$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc create -f -
$ cat << "EOF" > test-oauth.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
EOF
$ oc apply -f test-oauth.yaml

# Add either 'view' or 'edit' role to test-user
$ oc adm policy add-cluster-role-to-user view test-user
===============================================================
1. As an admin user start uploading a PVC into the "golden image" namespace using a DV
https://github.com/kubevirt/containerized-data-importer/blob/master/doc/datavolumes.md

$ oc project openshift-virtualization-os-images
$ cat << "EOF" > dv-test.yaml
apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
  name: test-dv
spec:
  source:
    http:
      url: "https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/33/Cloud/x86_64/images/Fedora-Cloud-Base-33-1.2.x86_64.qcow2"
  pvc:
    volumeMode: Block
    storageClassName: "ocs-storagecluster-ceph-rbd"
    accessModes:
    - ReadWriteMany
    resources:
      requests:
        storage: "5Gi"
EOF
$ oc apply -f dv-test.yaml
$ oc get dv -w
test-dv   ImportScheduled    N/A     9s
test-dv   ImportInProgress   N/A     14s
test-dv   ImportInProgress   0.00%   15s
===============================================================
2. As a regular user try to get the upload status of the PVC using the owner DV
Expected results: User can read PVC upload progress using owner DV

Switch back to default project
$ oc project default
$ oc login -u test-user
Logged into "..." as "test-user" using existing credentials.
Using project "default".

$ oc get dv -n openshift-virtualization-os-images -w
NAME      PHASE              PROGRESS   RESTARTS   AGE
test-dv   ImportInProgress   14.12%                45s
...

Results: User can read PVC upload progress using owner DV
Update, had used ClusterRole in this test: https://bugzilla.redhat.com/show_bug.cgi?id=1913717#c2

Additional tests:
===============================================================
Role

$ oc adm policy remove-cluster-role-from-user view test-user
clusterrole.rbac.authorization.k8s.io/view removed: "test-user"
$ oc adm policy remove-cluster-role-from-user edit test-user
error: unable to locate any ClusterRoleBinding for ClusterRole "edit"
$ oc adm policy add-role-to-user view test-user
$ oc login -u test-user
Logged into "..." as "test-user" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * default
    openshift-virtualization-os-images

Using project "default".

$ oc get dv -n openshift-virtualization-os-images -w
NAME      PHASE              PROGRESS   RESTARTS   AGE
test-dv   ImportInProgress   89.22%                3m1s
===============================================================
No Roles

$ oc adm policy remove-role-from-user view test-user
clusterrole.rbac.authorization.k8s.io/view removed: "test-user"
$ oc login -u test-user
Logged into "..." as "test-user" using existing credentials.

You have one project on this server: "openshift-virtualization-os-images"

Using project "openshift-virtualization-os-images".

$ oc get dv -n openshift-virtualization-os-images -w
NAME      PHASE       PROGRESS   RESTARTS   AGE
test-dv   Succeeded   100.0%                11m
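The three RBAC states exercised above (cluster-wide view, namespaced view, no roles) reduce to one question: can a user who holds nothing beyond system:authenticated get/list/watch DataVolumes in the golden-image namespace without gaining write access there or read access elsewhere? The following is an added example, not code from this bug or from ssp-operator: a small in-memory model of Kubernetes RBAC evaluation (rule matching and RoleBinding vs ClusterRoleBinding scope) that compares a constructed namespace-scoped read-only binding with an over-broad cluster-wide one. The binding names and rules are placeholders; the objects PR #83 actually creates may differ.

```python
# Added example, not ssp-operator code: a minimal in-memory model of Kubernetes RBAC
# (rule matching plus RoleBinding vs ClusterRoleBinding scope). The bindings below are
# constructed placeholders, not the objects created by kubevirt/ssp-operator PR #83.
from dataclasses import dataclass

GOLDEN_NS = "openshift-virtualization-os-images"
AUTHENTICATED = ["system:authenticated"]   # group every logged-in user belongs to

@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def matches(self, group, resource, verb):
        def ok(allowed, value):
            return "*" in allowed or value in allowed
        return ok(self.api_groups, group) and ok(self.resources, resource) and ok(self.verbs, verb)

@dataclass
class Binding:
    role_rules: list        # rules of the referenced Role / ClusterRole
    subjects: frozenset     # e.g. "User:test-user", "Group:system:authenticated"
    namespace: str = None   # None => ClusterRoleBinding, else a RoleBinding in that namespace

def can_i(bindings, user, groups, verb, group, resource, namespace):
    """Mirror of `oc auth can-i`: True if any applicable binding grants the request."""
    subjects = {f"User:{user}"} | {f"Group:{g}" for g in groups}
    for b in bindings:
        if not (b.subjects & subjects):
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue    # a RoleBinding never reaches outside its own namespace
        if any(r.matches(group, resource, verb) for r in b.role_rules):
            return True
    return False        # RBAC is deny-by-default

DV_VIEW_RULES = [Rule(frozenset({"cdi.kubevirt.io"}), frozenset({"datavolumes"}),
                      frozenset({"get", "list", "watch"}))]
# Least-privilege shape of the fix: read-only, only in the golden-image namespace (constructed).
GOLDEN_IMAGE_DV_VIEW = Binding(DV_VIEW_RULES, frozenset({"Group:system:authenticated"}), GOLDEN_NS)
# Over-broad alternative: the same read-only rules bound cluster-wide (constructed).
CLUSTER_WIDE_DV_VIEW = Binding(DV_VIEW_RULES, frozenset({"Group:system:authenticated"}))

def regular_user_access(bindings):
    def q(verb, ns):
        return can_i(bindings, "test-user", AUTHENTICATED, verb, "cdi.kubevirt.io", "datavolumes", ns)
    return {"watch_golden": q("watch", GOLDEN_NS), "delete_golden": q("delete", GOLDEN_NS),
            "watch_default": q("watch", "default")}
```

Against a live cluster the same three questions are `oc auth can-i watch datavolumes.cdi.kubevirt.io -n openshift-virtualization-os-images --as test-user` and its delete and other-namespace variants.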
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0799