Issue type: Bug
Resolution: Unresolved
Priority: Major
Description of problem:
When direct authentication against an external OIDC provider is set up and its claim mappings include extra mappings, the search API breaks.
Version-Release number of selected component (if applicable):
ACM 2.16
How reproducible:
Depends on the configuration/mapping of OIDC elements to the cluster. This is what we have on the QE test cluster (based on how OCP tests this), as seen in the spec of the Authentication CR:
apiVersion: config.openshift.io/v1
kind: Authentication
metadata:
  name: cluster
spec:
  oidcProviders:
  - claimMappings:
      extra:
      - key: extratest.openshift.com/foo
        valueExpression: claims.email
      - key: extratest.openshift.com/bar
        valueExpression: '"extra-test-mark"'
....
Steps to reproduce:
- Make sure that the Authentication CR has those mappings.
- Try to use search.
- It never returns data, and the search API server pod log shows the error below.
Actual results:
Search never returns data, and the search API server pod log has these errors:
E0129 07:15:38.270923 1 userData.go:336] Error creating SelfSubjectRulesReviews for namespaceuserextras.authentication.k8s.io "keycloak-testuser-1@example.com" is forbidden: User "system:serviceaccount:ocm:search-serviceaccount" cannot impersonate resource "userextras/extratest.openshift.com/foo" in API group "authentication.k8s.io" at the cluster scopeacmqe-foundation-auto-l6k24h-broker
E0129 07:15:39.046536 1 userData.go:336] Error creating SelfSubjectRulesReviews for namespaceuserextras.authentication.k8s.io "extra-test-mark" is forbidden: User "system:serviceaccount:ocm:search-serviceaccount" cannot impersonate resource "userextras/extratest.openshift.com/bar" in API group "authentication.k8s.io" at the cluster scopelocal-cluster-broker
E0129 07:15:42.573170 1 userData.go:336] Error creating SelfSubjectRulesReviews for namespaceuserextras.authentication.k8s.io "extra-test-mark" is forbidden: User "system:serviceaccount:ocm:search-serviceaccount" cannot impersonate resource "userextras/extratest.openshift.com/bar" in API group "authentication.k8s.io" at the cluster scopeopen-cluster-management-agent-addon-new
Expected results:
We need to show the data without error!
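The denials above are ordinary RBAC: when the search API runs a SelfSubjectRulesReview it impersonates the caller (user, groups and, with the mappings above, the extra claims), and for every Impersonate-Extra-<key> header the API server authorizes the service account for verb impersonate on resource userextras/<key> in API group authentication.k8s.io. A grant that only covers users and groups therefore fails as soon as the Authentication CR maps extras. The Python below is an added example, not code from ACM or from this report: it models the upstream RBAC matching cases and runs them over the two extra keys from the log. The current rule set of system:serviceaccount:ocm:search-serviceaccount is assumed for illustration, as are the function names.

```python
"""Added example, not code from ACM or from the bug report: a small model of
how Kubernetes RBAC authorizes impersonation of OIDC "extra" claims, run over
the two extra keys that appear in the search-api log above.

For each Impersonate-Extra-<key>: <value> header the API server checks
verb=impersonate, apiGroup=authentication.k8s.io, resource=userextras,
subresource=<key>, name=<value>. RBAC compares rule resources against the
combined "userextras/<key>", so a rule that only names "users" and "groups"
can never satisfy it. The search-serviceaccount rule set below is assumed for
illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence

AUTHN_GROUP = "authentication.k8s.io"


@dataclass(frozen=True)
class PolicyRule:
    api_groups: Sequence[str]
    resources: Sequence[str]
    verbs: Sequence[str]
    resource_names: Sequence[str] = ()


@dataclass(frozen=True)
class Attributes:
    verb: str
    api_group: str
    resource: str
    subresource: str = ""
    name: str = ""

    @property
    def combined_resource(self) -> str:
        return f"{self.resource}/{self.subresource}" if self.subresource else self.resource


def resource_matches(rule: PolicyRule, attrs: Attributes) -> bool:
    """Same cases as upstream ResourceMatches: "*", an exact "resource/subresource"
    entry, or a "*/subresource" pattern. "userextras/*" is not a supported
    wildcard and matches nothing."""
    for entry in rule.resources:
        if entry == "*" or entry == attrs.combined_resource:
            return True
        if attrs.subresource and entry == f"*/{attrs.subresource}":
            return True
    return False


def rule_allows(rule: PolicyRule, attrs: Attributes) -> bool:
    verb_ok = "*" in rule.verbs or attrs.verb in rule.verbs
    group_ok = "*" in rule.api_groups or attrs.api_group in rule.api_groups
    # An empty resourceNames list means "any name" (here: any extra value).
    name_ok = not rule.resource_names or attrs.name in rule.resource_names
    return verb_ok and group_ok and resource_matches(rule, attrs) and name_ok


def allowed(rules: Iterable[PolicyRule], attrs: Attributes) -> bool:
    return any(rule_allows(rule, attrs) for rule in rules)


def extra_impersonation(key: str, value: str) -> Attributes:
    """Attributes the API server builds for one Impersonate-Extra-<key> header."""
    return Attributes("impersonate", AUTHN_GROUP, "userextras", key, value)


# (key, value) pairs taken from the log lines above.
LOGGED_DENIALS = [
    ("extratest.openshift.com/foo", "keycloak-testuser-1@example.com"),
    ("extratest.openshift.com/bar", "extra-test-mark"),
]

# Assumed current grant for system:serviceaccount:ocm:search-serviceaccount:
# it may impersonate identities, but nothing under userextras.
CURRENT_RULES: List[PolicyRule] = [
    PolicyRule([AUTHN_GROUP], ["users", "groups"], ["impersonate"]),
]


def rules_for_extra_keys(keys: Iterable[str]) -> List[PolicyRule]:
    """The grant a ClusterRole needs for the claimMappings.extra keys in the
    Authentication CR. resourceNames is left empty on purpose: extra values
    such as claims.email are user data and cannot be enumerated up front."""
    extra_rule = PolicyRule([AUTHN_GROUP], [f"userextras/{k}" for k in keys], ["impersonate"])
    return CURRENT_RULES + [extra_rule]


def evaluate(rules: Iterable[PolicyRule]) -> Dict[str, bool]:
    """Authorization outcome per extra key for the denials seen in the log."""
    rules = list(rules)
    return {key: allowed(rules, extra_impersonation(key, value)) for key, value in LOGGED_DENIALS}


if __name__ == "__main__":
    keys = [key for key, _ in LOGGED_DENIALS]
    print("current rules :", evaluate(CURRENT_RULES))
    print("with fix      :", evaluate(rules_for_extra_keys(keys)))
    print("userextras/*  :", evaluate([PolicyRule([AUTHN_GROUP], ["userextras/*"], ["impersonate"])]))
```

The ClusterRole fragment this corresponds to is `apiGroups: ["authentication.k8s.io"]`, `resources: ["userextras/extratest.openshift.com/foo", "userextras/extratest.openshift.com/bar"]`, `verbs: ["impersonate"]`, bound to the search service account; it can be verified with `kubectl auth can-i impersonate userextras/extratest.openshift.com/foo --as system:serviceaccount:ocm:search-serviceaccount`. Two caveats: `userextras/*` is not a wildcard RBAC understands (only `*` and `*/<key>` are), and `resources: ["*"]` would let the service account attach arbitrary extras to impersonated identities, which downstream authorizers may interpret as privileges, so the grant should list exactly the keys the Authentication CR maps.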