Bug 1913717 - Users should have read permissions for golden images data volumes
Summary: Users should have read permissions for golden images data volumes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: SSP
Version: 2.6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 2.6.0
Assignee: Omer Yahud
QA Contact: Sarah Bennert
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-07 13:17 UTC by Yaacov Zamir
Modified: 2021-03-10 11:23 UTC (History)

Fixed In Version: kubevirt-ssp-operator-container-v2.6.0-33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-10 11:22:46 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Github kubevirt ssp-operator pull 83 0 None closed [Bugfix] Give regular users permissions to view os images DataVolumes 2021-02-01 16:37:50 UTC
Red Hat Product Errata RHSA-2021:0799 0 None None None 2021-03-10 11:23:17 UTC

Description Yaacov Zamir 2021-01-07 13:17:14 UTC
Description of problem:
Common templates use PVCs from a "golden image" namespace, that are managed by DVs.
A user without permissions to DVs from the "golden image" namespace can't get managed data about the PVC, for example the PVC upload status.

Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce:
1. As an admin user start uploading a PVC into the "golden image" namespace using a DV
2. As a regular user try to get the upload status of the PVC using the owner DV

Actual results:
User can't read PVC upload progress using owner DV

Expected results:
User can read PVC upload progress using owner DV

Additional info:

Comment 1 Omer Yahud 2021-01-11 19:01:18 UTC
Upstream PR: https://github.com/kubevirt/ssp-operator/pull/83
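The upstream fix gives regular users read access to the DataVolumes in the golden-image namespace, and comment 3 shows test-user can still watch them with no role assigned, which points at a grant to all authenticated users. As an added example that is not code from ssp-operator or PR 83, the following models that grant as a namespaced Role bound to the system:authenticated group and checks it stays least-privilege; the rule contents, the binding subject and the simplified RBAC evaluator are assumptions, not the operator's actual manifests.

```python
"""Model of the RBAC grant behind this fix: regular users get read-only
(get/list/watch) access to DataVolumes, scoped to the golden-image namespace.
Assumed rule set; the evaluator is a simplified Kubernetes RBAC matcher."""

GOLDEN_NS = "openshift-virtualization-os-images"

# Constructed manifests (not from PR 83): a namespaced Role bound to the
# system:authenticated group, so every logged-in user can view DVs there.
ROLE = {
    "namespace": GOLDEN_NS,
    "rules": [{
        "apiGroups": ["cdi.kubevirt.io"],
        "resources": ["datavolumes"],
        "verbs": ["get", "list", "watch"],
    }],
}
BINDING = {"namespace": GOLDEN_NS, "role": ROLE,
           "subjects": [("Group", "system:authenticated")]}

def _matches(pattern, value):
    return "*" in pattern or value in pattern  # explicit entry or wildcard

def allowed(bindings, subjects, verb, group, resource, namespace):
    """True if any RoleBinding grants verb on group/resource in namespace.
    subjects is the set of (kind, name) pairs the requester carries."""
    for b in bindings:
        if b["namespace"] != namespace:  # RoleBindings are namespace-scoped
            continue
        if not any(s in subjects for s in b["subjects"]):
            continue
        for rule in b["role"]["rules"]:
            if (_matches(rule["apiGroups"], group)
                    and _matches(rule["resources"], resource)
                    and _matches(rule["verbs"], verb)):
                return True
    return False

# Subjects test-user from the QE run carries, with no roles assigned at all.
TEST_USER = {("User", "test-user"), ("Group", "system:authenticated")}

def check_fix(bindings=(BINDING,)):
    """Least-privilege checks a reviewer of the grant would want to hold."""
    dv = ("cdi.kubevirt.io", "datavolumes")
    return {
        "can_watch_golden_dv": allowed(bindings, TEST_USER, "watch", *dv, GOLDEN_NS),
        "can_delete_golden_dv": allowed(bindings, TEST_USER, "delete", *dv, GOLDEN_NS),
        "can_list_default_ns_dv": allowed(bindings, TEST_USER, "list", *dv, "default"),
        "can_read_golden_secrets": allowed(bindings, TEST_USER, "get", "", "secrets", GOLDEN_NS),
    }
```

Only the first check should come back True; a grant that makes any of the other three True is wider than this bug needs.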

Comment 2 Sarah Bennert 2021-01-29 23:22:19 UTC
QE Manual Test

===============================================================
Environment:

$ oc get clusterversion
NAME      VERSION      AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-fc.4   True        False         17h     Cluster version is 4.7.0-fc.4

$ oc get csv -n openshift-cnv
NAME                                      DISPLAY                    VERSION   REPLACES                                  PHASE
kubevirt-hyperconverged-operator.v2.6.0   OpenShift Virtualization   2.6.0     kubevirt-hyperconverged-operator.v2.5.3   Succeeded

$ oc get deploy -n openshift-cnv ssp-operator -owide
NAME           READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES                                                                                                                                             SELECTOR
ssp-operator   1/1     1            1           16h   manager      registry.redhat.io/container-native-virtualization/kubevirt-ssp-operator@sha256:87b0e51e4a584b61a149f8825b917ebf61a7c201048cbff891887aef0feeab7d   control-plane=ssp-operator

SSP Version:
kubevirt-ssp-operator-container-v2.6.0-37

===============================================================
Setup test-user
https://docs.openshift.com/container-platform/4.6/authentication/identity_providers/configuring-htpasswd-identity-provider.html

$ htpasswd -c -B -b users.htpasswd test-user test-password
$ oc -n openshift-config delete secret htpass-secret
$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd --dry-run=client -o yaml -n openshift-config | oc create -f -

$ cat << "EOF" > test-oauth.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
EOF

$ oc apply -f test-oauth.yaml

# Add either 'view' or 'edit' role to test-user
$ oc adm policy add-cluster-role-to-user view test-user


===============================================================
1. As an admin user start uploading a PVC into the "golden image" namespace using a DV
https://github.com/kubevirt/containerized-data-importer/blob/master/doc/datavolumes.md

$ oc project openshift-virtualization-os-images

$ cat << "EOF" > dv-test.yaml
apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
  name: test-dv
spec:
  source:
      http:
         url: "https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/33/Cloud/x86_64/images/Fedora-Cloud-Base-33-1.2.x86_64.qcow2"
  pvc:
    volumeMode: Block
    storageClassName: "ocs-storagecluster-ceph-rbd"
    accessModes:
    - ReadWriteMany
    resources:
      requests:
        storage: "5Gi"
EOF

$ oc apply -f dv-test.yaml

$ oc get dv -w
test-dv   ImportScheduled   N/A                   9s
test-dv   ImportInProgress   N/A                   14s
test-dv   ImportInProgress   0.00%                 15s

===============================================================
2. As a regular user try to get the upload status of the PVC using the owner DV
   Expected results:
   User can read PVC upload progress using owner DV

Switch back to default project
$ oc project default

$ oc login -u test-user
Logged into "..." as "test-user" using existing credentials.
Using project "default".

$ oc get dv -n openshift-virtualization-os-images -w
NAME      PHASE              PROGRESS   RESTARTS   AGE
test-dv   ImportInProgress   14.12%                45s
...

Results:
User can read PVC upload progress using owner DV

Comment 3 Sarah Bennert 2021-01-30 01:36:31 UTC
Update, had used ClusterRole in this test:
https://bugzilla.redhat.com/show_bug.cgi?id=1913717#c2

Additional tests:
===============================================================
Role

$ oc adm policy remove-cluster-role-from-user view test-user
clusterrole.rbac.authorization.k8s.io/view removed: "test-user"

$ oc adm policy remove-cluster-role-from-user edit test-user
error: unable to locate any ClusterRoleBinding for ClusterRole "edit"

$ oc adm policy add-role-to-user view test-user

$ oc login -u test-user
Logged into "..." as "test-user" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * default
    openshift-virtualization-os-images

Using project "default".

$ oc get dv -n openshift-virtualization-os-images -w
NAME      PHASE              PROGRESS   RESTARTS   AGE
test-dv   ImportInProgress   89.22%                3m1s


===============================================================
No Roles

$ oc adm policy remove-role-from-user view test-user
clusterrole.rbac.authorization.k8s.io/view removed: "test-user"

$ oc login -u test-user
Logged into "..." as "test-user" using existing credentials.

You have one project on this server: "openshift-virtualization-os-images"

Using project "openshift-virtualization-os-images".

$ oc get dv -n openshift-virtualization-os-images -w
NAME      PHASE       PROGRESS   RESTARTS   AGE
test-dv   Succeeded   100.0%                11m

Comment 6 errata-xmlrpc 2021-03-10 11:22:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0799
