Bug 2060978 - Facing issues while binding role to Group
Summary: Facing issues while binding role to Group
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.8
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.12.z
Assignee: Debsmita Santra
QA Contact: Xiyun Zhao
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-03-04 19:14 UTC by siva kanakala
Modified: 2023-02-28 12:00 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-02-28 12:00:24 UTC
Target Upstream Version:
Embargoed:
jakumar: needinfo-



Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 12418 0 None open OCPBUGS-266: add subject kind dropdown in the project access form 2023-01-06 18:05:01 UTC
Red Hat Product Errata RHSA-2023:0890 0 None None None 2023-02-28 12:00:25 UTC

Description siva kanakala 2022-03-04 19:14:17 UTC
Description of problem:
I created a custom role and added it to the membership whitelist. I am facing issues when I bind a role (admin, view, edit, and custom-role) to a Group from the UI, but no issues when binding the role to individual users.
When I bind the role to the group, I have to change the subject kind manually (USER -> GROUP).

Version-Release number of selected component (if applicable):
4.8

How reproducible:

Every time

Steps to Reproduce:
 
$ oc describe console.operator.openshift.io cluster
-
-
-
  customization:
    projectAccess:
      availableClusterRoles:
      - admin
      - edit
      - view
      - smcprole


Followed this article to add custom roles: https://access.redhat.com/solutions/5388681
Fri Mar 04 02:54:51 skanakal  ☻ :sunny:  oc get console.operator.openshift.io cluster -o json | jq -r '.spec[]'
{
  "projectAccess": {
    "availableClusterRoles": [
      "admin",
      "edit",
      "view",
      "smcprole"
    ]
  }
}
Normal
Managed
Normal
  Fri Mar 04 02:55:27 skanakal  ☻ :sunny:
  Fri Mar 04 02:51:00 skanakal  ☻ :sunny:  oc get groups
NAME    USERS
funny   user1, user2
  Fri Mar 04 02:51:19 skanakal  ☻ :sunny:
  Added Project Access from the UI (Name:Group Name and Role: smcprole)
  Fri Mar 04 02:51:20 skanakal  ☻ :sunny:  oc get rolebinding funny-smcprole-a84965c8658a7fa0 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2022-03-03T21:20:07Z"
  name: funny-smcprole-a84965c8658a7fa0
  namespace: bunny
  resourceVersion: "914228"
  uid: 04d0e2e3-a2d0-48d5-9c4f-ef20f5286e91
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: smcprole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User                       <<<<<<<<<----------------
  name: funny
  Fri Mar 04 02:51:31 skanakal  ☻ :sunny:
  Fri Mar 04 02:51:32 skanakal  ☻ :sunny:
  Fri Mar 04 02:51:32 skanakal  ☻ :sunny:  oc delete rolebinding funny-smcprole-a84965c8658a7fa0
rolebinding.rbac.authorization.k8s.io "funny-smcprole-a84965c8658a7fa0" deleted
  Fri Mar 04 02:51:44 skanakal  ☻ :sunny:
  Fri Mar 04 02:51:45 skanakal  ☻ :sunny:  oc get rolebinding
NAME                    ROLE                               AGE
admin                   ClusterRole/admin                  7m5s
system:deployers        ClusterRole/system:deployer        7m5s
system:image-builders   ClusterRole/system:image-builder   7m5s
system:image-pullers    ClusterRole/system:image-puller    7m5s
  Fri Mar 04 02:52:28 skanakal  ☻ :sunny:
  Fri Mar 04 02:52:29 skanakal  ☻ :sunny:
  Add this from CLI
  Fri Mar 04 02:52:29 skanakal  ☻ :sunny:  oc adm policy add-role-to-group smcprole funny -n bunny
clusterrole.rbac.authorization.k8s.io/smcprole added: "funny"
  Fri Mar 04 02:52:39 skanakal  ☻ :sunny:
  Fri Mar 04 02:52:40 skanakal  ☻ :sunny:  oc get rolebinding
NAME                    ROLE                               AGE
admin                   ClusterRole/admin                  7m19s
smcprole                ClusterRole/smcprole               3s
system:deployers        ClusterRole/system:deployer        7m19s
system:image-builders   ClusterRole/system:image-builder   7m19s
system:image-pullers    ClusterRole/system:image-puller    7m19s
  Fri Mar 04 02:52:43 skanakal  ☻ :sunny:
  Fri Mar 04 02:52:43 skanakal  ☻ :sunny:
  Fri Mar 04 02:52:43 skanakal  ☻ :sunny:  oc get rolebinding smcprole -o yaml -n bunny
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2022-03-03T21:22:39Z"
  name: smcprole
  namespace: bunny
  resourceVersion: "915096"
  uid: e1aa4fea-a62f-4cba-8fbb-0faee44233a7
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: smcprole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group                    <<<<<<<<--------------
  name: funny
  Fri Mar 04 02:53:20 skanakal  ☻ 


Actual results:
It requires manual intervention to change the subject kind from "User" to "Group".

Expected results:
It should be updated just as with the CLI.

Additional info:

Comment 3 Serena 2022-03-08 15:39:30 UTC
This is a Dev Console issue - going to assign to @jakumar

Comment 5 Debsmita Santra 2022-03-18 08:20:08 UTC
Yes, we have never supported groups before.
I also verified on the 4.7 cluster; the subject kind needs to be updated to Group manually.

@skanakal In which version did the customer say it used to work? If you can share it, I'll be able to verify from my end.

Comment 8 Xiyun Zhao 2023-02-27 08:35:26 UTC
This bug has been verified on payload 4.12.5 with a local build.
Verification Steps:
1. Create a clusterrole "smcprole", and update spec.customization.projectAccess.availableClusterRoles in the resource Console (operator.openshift.io/v1) "cluster"
   $ oc get clusterrole smcprole
   NAME       CREATED AT
   smcprole   2023-02-27T02:41:21Z
   $ oc get console.operator.openshift.io cluster -o json | jq -r '.spec[]'
     {
       "projectAccess": {
         "availableClusterRoles": [
           "admin",
           "edit",
           "view",
          "smcprole"
         ]
       }
     }
   $ oc describe console.operator.openshift.io cluster
     ...
     Spec:
       Customization:
         Project Access:
          Available Cluster Roles:
             admin
             edit
             view
             smcprole
      Log Level:           Normal
      Management State:    Managed
      Operator Log Level:  Normal
2. Create Groups with 2 users via the console
   $ oc get groups
     NAME    USERS
     funny   testuser-0, testuser-1
3. Change to the Developer perspective and go to Project -> Project access tab
4. Check that the new dropdown lists "Subject" and "Role" are added to help the user differentiate between user, group, and service account
5. Check if the role is bound to the group successfully

Result:
4. Now the user can use the dropdown lists to set a role binding on the Project Access tab page from the Developer perspective
   And the role binding's information is updated to Group successfully; the user can check the binding information
   And the subjects on the RoleBinding details are shown as "group"

Note:
The backport PR for 4.12 is https://github.com/openshift/console/pull/12586, the link ID should be updated
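
Added example (not part of the original report or of the OpenShift console code): a RoleBinding like the first one in the description grants smcprole to a user literally named funny rather than to the members of group funny, so bindings created through the form before the fix are worth auditing. The sketch below flags every User subject whose name matches an existing Group; the function name and the constructed sample JSON (shaped like `oc get rolebindings -o json` and `oc get groups -o json`, including one entry without subjects) are assumptions for illustration.

```python
import json

# Constructed sample input, shaped like `oc get rolebindings -n bunny -o json`
# and `oc get groups -o json`; names are taken from this report.
ROLEBINDINGS_JSON = """
{"items": [
  {"metadata": {"name": "funny-smcprole-a84965c8658a7fa0", "namespace": "bunny"},
   "roleRef": {"kind": "ClusterRole", "name": "smcprole"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "funny"}]},
  {"metadata": {"name": "smcprole", "namespace": "bunny"},
   "roleRef": {"kind": "ClusterRole", "name": "smcprole"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "funny"}]},
  {"metadata": {"name": "admin", "namespace": "bunny"},
   "roleRef": {"kind": "ClusterRole", "name": "admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "user1"}]},
  {"metadata": {"name": "no-subjects", "namespace": "bunny"},
   "roleRef": {"kind": "ClusterRole", "name": "view"}}
]}
"""
GROUPS_JSON = '{"items": [{"metadata": {"name": "funny"}, "users": ["user1", "user2"]}]}'

def find_mislabelled_group_bindings(rolebindings, groups):
    """Return one finding per User subject whose name equals a Group name."""
    members = {g["metadata"]["name"]: g.get("users") or [] for g in groups.get("items", [])}
    findings = []
    for rb in rolebindings.get("items", []):
        # `subjects` is optional on a RoleBinding and may be absent or null.
        for subject in rb.get("subjects") or []:
            if subject.get("kind") == "User" and subject.get("name") in members:
                findings.append({
                    "namespace": rb["metadata"].get("namespace"),
                    "rolebinding": rb["metadata"]["name"],
                    "role": f'{rb["roleRef"]["kind"]}/{rb["roleRef"]["name"]}',
                    "subject": subject["name"],
                    # Members of the same-named group; this binding does not cover them.
                    "group_members": members[subject["name"]],
                })
    return findings

if __name__ == "__main__":
    sample = find_mislabelled_group_bindings(json.loads(ROLEBINDINGS_JSON), json.loads(GROUPS_JSON))
    for hit in sample:
        print(f"{hit['namespace']}/{hit['rolebinding']}: subject kind User, but {hit['subject']!r} "
              f"is a Group; {hit['role']} is not bound to {', '.join(hit['group_members'])}")
```

A match is a candidate for review, not proof of a mistake: a user may legitimately share a name with a group.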

Comment 10 errata-xmlrpc 2023-02-28 12:00:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.5 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0890
