Bug 2076553 - Project access view replace group ref with user ref when updating their Role
Summary: Project access view replace group ref with user ref when updating their Role
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.11.0
Assignee: Debsmita Santra
QA Contact: spathak@redhat.com
Depends On:
Blocks: 2089315
TreeView+ depends on / blocked
Reported: 2022-04-19 10:53 UTC by Christoph Jerolimov
Modified: 2022-08-10 11:08 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 2089315 (view as bug list)
Last Closed: 2022-08-10 11:07:40 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift console pull 11292 0 None open [WIP] fix rolebinding in DevConsole dropping all subjects when updating 2022-05-04 18:48:13 UTC
Red Hat Product Errata RHSA-2022:5069 0 None None None 2022-08-10 11:08:02 UTC

Description Christoph Jerolimov 2022-04-19 10:53:02 UTC
Description of problem:
RoleBinding can give users or groups access to a specific role in a namespace.

The project access tab currently doesn't allow the (frontend) user to define the resource type of a user or group reference. All new fields are automatically saved as User references. When entering 'a-username' and select 'View' it automatically creates a RoleBinding like this:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
  name: a-username-view-<generated-id>
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: a-username
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view

It currently shows existing users and groups RoleBindings.
If the user doesn't touch a group reference it will not be updated/destroyed.
But when changing a group RoleBinding role (from View to Edit for example), it removes the old RoleBinding and creates a new one for an user (with the correct name but the wrong kind).

Version-Release number of selected component (if applicable):
4.10 (tested only on 4.11 master, but it might exist also on older versions then 4.10)

How reproducible:

Steps to Reproduce:
1. Create a Group and RoleBinding for the current namespace:

apiVersion: user.openshift.io/v1
kind: Group
  name: a-group
  - user1
  - user2
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
  generateName: a-group-binding
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: a-group
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view

2. Open the current Project > Project access tab
3. Change the role from the group "a-group" from View to Edit
4. Search for the newly created RoleBinding "a-group-edit...." for "a-group"

Actual results:
The RoleBinding refers to a user instead of a group now.

Everything looks like before and the user can not see/expect that the kind was changed.

Expected results:
The subject kind should not be changed when updating just the role.

Additional info:
Initial slack thread https://coreos.slack.com/archives/C6A3NV5J9/p1646894320606469

This is a follow-up ticket on https://issues.redhat.com/browse/OHSS-10651 and https://bugzilla.redhat.com/show_bug.cgi?id=2066897

See also https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Comment 3 Christoph Jerolimov 2022-05-23 08:56:08 UTC
Verified on 4.11.0-0.nightly-2022-05-20-213928

Comment 5 errata-xmlrpc 2022-08-10 11:07:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.