Bug 2006364 - IBM Cloud: Set resourceGroupId for resourceGroups, not simply resource
Summary: IBM Cloud: Set resourceGroupId for resourceGroups, not simply resource
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: Nobody
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-21 14:29 UTC by Christopher J Schaefer
Modified: 2022-03-10 16:13 UTC (History)
3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:12:32 UTC
Target Upstream Version:
Embargoed:




Links
Github openshift cloud-credential-operator pull 385 (status: open): Bug 2006364: fix(ibmcloud): Set policy attribute name properly for RG access. Last updated 2021-09-21 14:32:50 UTC
Red Hat Product Errata RHSA-2022:0056. Last updated 2022-03-10 16:13:04 UTC

Description Christopher J Schaefer 2021-09-21 14:29:22 UTC
Description of problem:

The CCO currently generates resource-group-specific access, via policies, for IBM Cloud. However, the attributes incorrectly map the resourceGroupId to a generic resource, when it should be mapped to a resourceGroupId.
This does not properly grant access to the resourceGroup as expected.

Version-Release number of selected component (if applicable):
4.10

How reproducible:

Consistently, when using minimal IAM permissions (some components still use broad IAM permissions, but we are planning to change to minimal permissions).

Steps to Reproduce:

Generate the Secrets from CredentialsRequests. In this case, a set of minimum IAM permissions was targeted for testing:
https://github.com/openshift/cluster-image-registry-operator/pull/716

`$ ccoctl ibmcloud create-shared-secrets --credentials-requests-dir=... --output-dir=...`


Actual results:

```
{
  "attributes":[
    {
      "name":"accountId",
      "value":"my-account-id"
    },
    {
      "name":"resourceType",
      "value":"resource-group"
    },
    {
      "name":"resourceGroupId",
      "value":"my-resource-group-id"
    }
  ]
}
```

Expected results:

```
{
  "attributes":[
    {
      "name":"accountId",
      "value":"my-account-id"
    },
    {
      "name":"resourceType",
      "value":"resource-group"
    },
    {
      "name":"resource",
      "value":"my-resource-group-id"
    }
  ]
}
```

Additional info:

IBM Cloud has produced a PR to address this issue
https://github.com/openshift/cloud-credential-operator/pull/385

Comment 5 wang lin 2021-09-22 10:20:12 UTC
Hi Manjunath,

I am new to IBM Cloud. When I run the command `$ ccoctl ibmcloud create-shared-secrets --credentials-requests-dir=... --output-dir=... --resource-group-name=ccotest-rg`

the output is like below; I can't find an attribute with name resourceType and value resource-group. Could you give me more info on how to reproduce or verify this issue?
```
{
      "attributes": [
        {
          "name": "serviceName",
          "value": "power-iaas",
          "operator": "stringEquals"
        },
        {
          "name": "resourceGroupId",
          "value": "7e8025a578aa4a0a90XXXXXXXX",
          "operator": "stringEquals"
        },
        {
          "name": "accountId",
          "value": "fdc2e14cf8bc4d53XXXXXXXX",
          "operator": "stringEquals"
        }
      ]
    }
```

Comment 6 mkumatag 2021-09-22 11:09:53 UTC
As mentioned here https://github.com/openshift/cloud-credential-operator/pull/385#pullrequestreview-759283773, this issue happens only for the attribute type resource-group. You can use the following CR to test this:

```
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cred1
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: IBMCloudProviderSpec
    policies:
      - roles:
          - "crn:v1:bluemix:public:iam::::serviceRole:Manager"
          - "crn:v1:bluemix:public:iam::::role:Editor"
          - "crn:v1:bluemix:public:iam::::role:Viewer"
        attributes:
          - name: "serviceName"
            value: "is"
      - roles:
          - "crn:v1:bluemix:public:iam::::role:Viewer"
          - "crn:v1:bluemix:public:iam::::role:Operator"
        attributes:
          - name: "resourceType"
            value: "resource-group"
  secretRef:
    namespace: openshift-machine-api
    name: ibm-cred-4
```

Note: the second policy contains the `resource-group` attribute.

Comment 7 wang lin 2021-09-22 11:50:09 UTC
Thanks Manjunath.

Verified on registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2021-09-22-030936 with this fix; the output is as expected.
```
{
      "attributes": [
        {
          "name": "resourceType",
          "value": "resource-group",
          "operator": "stringEquals"
        },
        {
          "name": "resource",
          "value": "7e8025a578aa4a0a9XXXXXX",
          "operator": "stringEquals"
        },
        {
          "name": "accountId",
          "value": "fdc2e14cf8bc4d53aXXXXXX",
          "operator": "stringEquals"
        }
      ]
    }
```

Using the image without this fix, registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2021-09-19-144306, it shows the below:
```
{
      "attributes": [
        {
          "name": "resourceType",
          "value": "resource-group",
          "operator": "stringEquals"
        },
        {
          "name": "resourceGroupId",
          "value": "7e8025a578aa4a0XXXXXXXXXX",
          "operator": "stringEquals"
        },
        {
          "name": "accountId",
          "value": "fdc2e14cf8bc4dXXXXXXXXXX",
          "operator": "stringEquals"
        }
      ]
    }
```

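The outputs quoted in the description and in Comments 5 and 7 show the two shapes an IBM Cloud IAM policy can take: a service-scoped policy (serviceName plus resourceGroupId, which narrows a service grant to resources in a group) and a resource-group policy (resourceType resource-group plus resource, which grants access to the group object itself). The bug is that the second shape was emitted with the first shape's attribute name. The following is an added example, not code from the Cloud Credential Operator, ccoctl, or PR 385: a small Go audit that parses a policy document as ccoctl prints it, flags a resource-group policy that still carries the group ID under resourceGroupId, and rewrites it to use resource, while leaving service-scoped policies alone. The type and function names, and the sample JSON with placeholder IDs, are my own construction.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Attribute mirrors one entry of the IAM policy "attributes" array
// in the ccoctl output quoted on this page.
type Attribute struct {
	Name     string `json:"name"`
	Value    string `json:"value"`
	Operator string `json:"operator,omitempty"`
}

// Policy is the subset of the policy document that the audit inspects.
type Policy struct {
	Attributes []Attribute `json:"attributes"`
}

// isResourceGroupPolicy reports whether the policy targets a resource
// group as the IAM resource (resourceType == "resource-group").
func isResourceGroupPolicy(p Policy) bool {
	for _, a := range p.Attributes {
		if a.Name == "resourceType" && a.Value == "resource-group" {
			return true
		}
	}
	return false
}

// CheckResourceGroupPolicy returns findings for one policy. A
// resource-group policy must carry the group ID in "resource"; a
// "resourceGroupId" attribute there is the defect this bug describes.
// Service-scoped policies legitimately use "resourceGroupId" and are
// never flagged.
func CheckResourceGroupPolicy(p Policy) []string {
	if !isResourceGroupPolicy(p) {
		return nil
	}
	var hasResource, hasRGID bool
	for _, a := range p.Attributes {
		switch a.Name {
		case "resource":
			hasResource = true
		case "resourceGroupId":
			hasRGID = true
		}
	}
	switch {
	case hasRGID:
		return []string{`resource-group policy uses "resourceGroupId"; IAM expects the group ID in "resource"`}
	case !hasResource:
		return []string{`resource-group policy has no "resource" attribute naming the group`}
	}
	return nil
}

// FixResourceGroupPolicy returns a copy of p in which, for a
// resource-group policy only, "resourceGroupId" is renamed to
// "resource", matching the verified output quoted in Comment 7.
// The input is not modified; other policies are copied unchanged.
func FixResourceGroupPolicy(p Policy) Policy {
	out := Policy{Attributes: make([]Attribute, len(p.Attributes))}
	copy(out.Attributes, p.Attributes)
	if !isResourceGroupPolicy(out) {
		return out
	}
	for i := range out.Attributes {
		if out.Attributes[i].Name == "resourceGroupId" {
			out.Attributes[i].Name = "resource"
		}
	}
	return out
}

// AuditPolicyJSON parses one policy document and returns its findings.
func AuditPolicyJSON(raw []byte) ([]string, error) {
	var p Policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	return CheckResourceGroupPolicy(p), nil
}

// Constructed sample inputs; the IDs are placeholders, not real values.
const buggyRGPolicy = `{"attributes":[
 {"name":"resourceType","value":"resource-group","operator":"stringEquals"},
 {"name":"resourceGroupId","value":"my-resource-group-id","operator":"stringEquals"},
 {"name":"accountId","value":"my-account-id","operator":"stringEquals"}]}`

const servicePolicy = `{"attributes":[
 {"name":"serviceName","value":"power-iaas","operator":"stringEquals"},
 {"name":"resourceGroupId","value":"my-resource-group-id","operator":"stringEquals"},
 {"name":"accountId","value":"my-account-id","operator":"stringEquals"}]}`

func main() {
	for _, raw := range []string{buggyRGPolicy, servicePolicy} {
		findings, err := AuditPolicyJSON([]byte(raw))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%d finding(s): %v\n", len(findings), findings)
	}
}
```

Run against the pre-fix and post-fix outputs quoted in Comment 7, the audit reports one finding for the former and none for the latter; the Comment 5 output (a power-iaas service policy) is correctly left alone, which is why that output alone could not reproduce the bug.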
Comment 11 errata-xmlrpc 2022-03-10 16:12:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

