Bug 2076553
| Summary: | Project access view replace group ref with user ref when updating their Role | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Christoph Jerolimov <cjerolim> | |
| Component: | Dev Console | Assignee: | Debsmita Santra <dsantra> | |
| Status: | CLOSED ERRATA | QA Contact: | spathak <spathak> | |
| Severity: | high | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 4.10 | CC: | aos-bugs, dsantra, nmukherj, viraj | |
| Target Milestone: | --- | |||
| Target Release: | 4.11.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | No Doc Update | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2089315 (view as bug list) | Environment: | ||
| Last Closed: | 2022-08-10 11:07:40 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2089315 | |||
Verified on 4.11.0-0.nightly-2022-05-20-213928 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069 |
Description of problem: RoleBinding can give users or groups access to a specific role in a namespace. The project access tab currently doesn't allow the (frontend) user to define the resource type of a user or group reference. All new fields are automatically saved as User references. When entering 'a-username' and select 'View' it automatically creates a RoleBinding like this: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: a-username-view-<generated-id> subjects: - kind: User apiGroup: rbac.authorization.k8s.io name: a-username roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view It currently shows existing users and groups RoleBindings. If the user doesn't touch a group reference it will not be updated/destroyed. But when changing a group RoleBinding role (from View to Edit for example), it removes the old RoleBinding and creates a new one for an user (with the correct name but the wrong kind). Version-Release number of selected component (if applicable): 4.10 (tested only on 4.11 master, but it might exist also on older versions then 4.10) How reproducible: Always Steps to Reproduce: 1. Create a Group and RoleBinding for the current namespace: apiVersion: user.openshift.io/v1 kind: Group metadata: name: a-group users: - user1 - user2 --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: generateName: a-group-binding subjects: - kind: Group apiGroup: rbac.authorization.k8s.io name: a-group roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view 2. Open the current Project > Project access tab 3. Change the role from the group "a-group" from View to Edit 4. Search for the newly created RoleBinding "a-group-edit...." for "a-group" Actual results: The RoleBinding refers to a user instead of a group now. Everything looks like before and the user can not see/expect that the kind was changed. Expected results: The subject kind should not be changed when updating just the role. Additional info: Initial slack thread https://coreos.slack.com/archives/C6A3NV5J9/p1646894320606469 This is a follow-up ticket on https://issues.redhat.com/browse/OHSS-10651 and https://bugzilla.redhat.com/show_bug.cgi?id=2066897 See also https://kubernetes.io/docs/reference/access-authn-authz/rbac/