Bug 1924480 - non cluster admin can not take VM snapshot: An error occurred, cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on
Summary: non cluster admin can not take VM snapshot: An error occurred, cannot set blo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Console Kubevirt Plugin
Version: 4.7
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
: 4.7.0
Assignee: Tomas Jelinek
QA Contact: Guohua Ouyang
URL:
Whiteboard:
: 1924922 (view as bug list)
Depends On:
Blocks: 1923987
TreeView+ depends on / blocked
 
Reported: 2021-02-03 07:13 UTC by Ying Cui
Modified: 2021-02-24 15:58 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-24 15:58:08 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
error_vm_snapshot_non_cluster_admin (93.38 KB, image/png)
2021-02-03 07:13 UTC, Ying Cui
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 8036 0 None closed Bug 1924480: When creating Snapshoot blockOwnerDeletion is now false 2021-02-08 09:16:36 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:58:57 UTC

Description Ying Cui 2021-02-03 07:13:58 UTC
Created attachment 1754608 [details]
error_vm_snapshot_non_cluster_admin

Description of problem:
Non cluster admin user can not take VM snapshot, an error occurred.
virtualmachinesnapshots.snapshot.kubevirt.io "testsnapshot" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

Version-Release number of selected component (if applicable):
ocp 4.7

How reproducible:
100%

Note: cluster admin user does not have this issue. 


Steps to Reproduce:
1. non cluster admin user login: e.g tester
2. create the VM in project(e.g testing-day) the non-cluster-admin user has Admin role in this project.
3. VM is running in this project.
4. stop the VM 
5. Click the "Take Snapshot" button.

Actual results:
an error occurred.
virtualmachinesnapshots.snapshot.kubevirt.io "testsnapshot" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

Expected results:
user can take snapshot in the project which the user has Admin role in this project.


Additional info:
1. Note: cluster admin user does not have this issue. 

2. $ oc describe rolebinding.rbac -n testing-day
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name    Namespace
  ----  ----    ---------
  User  tester  


Name:         system:deployers
Labels:       <none>
Annotations:  openshift.io/description:
                Allows deploymentconfigs in this namespace to rollout pods in this namespace.  It is auto-managed by a controller; remove subjects to disa...
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  testing-day


Name:         system:image-builders
Labels:       <none>
Annotations:  openshift.io/description:
                Allows builds in this namespace to push images to this namespace.  It is auto-managed by a controller; remove subjects to disable.
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  testing-day


Name:         system:image-pullers
Labels:       <none>
Annotations:  openshift.io/description:
                Allows all pods in this namespace to pull images from this namespace.  It is auto-managed by a controller; remove subjects to disable.
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                                Namespace
  ----   ----                                ---------
  Group  system:serviceaccounts:testing-day

Comment 1 Guohua Ouyang 2021-02-03 07:29:22 UTC
Looks like a virt bug.

Comment 3 Ying Cui 2021-02-04 05:28:57 UTC
*** Bug 1924922 has been marked as a duplicate of this bug. ***

Comment 4 Guohua Ouyang 2021-02-09 08:06:01 UTC
verified on ocp-4.7.0-rc.0

Comment 7 errata-xmlrpc 2021-02-24 15:58:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.