Bug
Resolution: Unresolved
Critical
The issue described in bug #2005853 is also applicable to mcg.
+++ This bug was initially created as a clone of Bug #2005853 +++
Description of problem (please be as detailed as possible and provide log
snippets):
The rook-ceph operator uses wildcards in its RBAC definitions, which can grant excessive, unnecessary permissions.
Version of all relevant components (if applicable):
rook v1.6.0-alpha
Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
Instead of using wildcard characters in RBAC definitions, it is best practice to explicitly list each verb and resource.
One such case is the rook-ceph-mgr role:
- apiGroups:
  - ceph.rook.io
  resources:
  - "*"
  verbs:
  - "*"
Is there any workaround available to the best of your knowledge?
Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
Can this issue be reproduced?
N.A
Can this issue reproduce from the UI?
N.A
If this is a regression, please provide more details to justify this:
N.A
Steps to Reproduce:
N.A
Actual results:
Permissions are not listed out correctly in some Roles and Cluster Roles
Expected results:
Permissions should be listed out correctly in all Roles and Cluster Roles without the use of any wildcard character.
Additional info:
The places where wildcards are used are listed in this document:
https://docs.google.com/document/d/1IUAybMCptFGqmhHWVffXW84U3NQFIRwfmV2UqUWHwFc/edit#bookmark=id.xmae8rhc8pb3
— Additional comment from RHEL Program Management on 2021-09-20 10:57:38 UTC —
This bug having no release flag set previously, is now set with release flag 'ocs-4.9.0' to '?', and so is being proposed to be fixed at the OCS 4.9.0 release. If this bug should be proposed for a different release, please manually remove the current proposed release flag and set a new one.
Note that the 3 Acks (pm_ack, devel_ack, qa_ack), if any previously set while release flag was missing, have now been reset since the Acks are to be set against a release flag.
— Additional comment from Travis Nielsen on 2021-09-20 15:31:28 UTC —
Moving to 4.10 to have more bake time for restricting the access to make sure nothing is broken.
— Additional comment from Blaine Gardner on 2021-09-21 22:08:03 UTC —
Begin work on this in Rook starting with the OBC controller permissions: https://github.com/rook/rook/pull/8781
— Additional comment from Travis Nielsen on 2021-12-06 16:09:39 UTC —
Changing back to assigned until the final PR is up.
— Additional comment from Travis Nielsen on 2022-01-10 16:22:40 UTC —
Moving to POST given the latest PR.
— Additional comment from Blaine Gardner on 2022-01-11 18:44:45 UTC —
Merged into 4.10 codebase here: https://github.com/red-hat-storage/rook/pull/326
— Additional comment from Neha Berry on 2022-01-19 07:03:48 UTC —
Hi Blaine, Kaustav,
Could you please provide the steps to verify this BZ?
— Additional comment from RHEL Program Management on 2022-01-19 07:04:42 UTC —
This BZ is being approved for ODF 4.10.0 release, upon receipt of the 3 ACKs (PM,Devel,QA) for the release flag 'odf-4.10.0'.
— Additional comment from RHEL Program Management on 2022-01-19 07:04:42 UTC —
Since this bug has been approved for ODF 4.10.0 release, through release flag 'odf-4.10.0+', the Target Release is being set to 'ODF 4.10.0'.
— Additional comment from Kaustav Majumder on 2022-01-20 07:31:41 UTC —
Hi Neha, you can check all the RBAC permissions (ClusterRole, ClusterRoleBinding) for the rook-ceph operator; none of the permissions should have wildcard characters.
— Additional comment from Jilju Joy on 2022-02-08 08:58:41 UTC —
Wildcards are still being used as listed below.
Roles
$ for role in `oc get roles --no-headers | awk '{ print $1 }'`; do echo $role; oc get roles $role -o yaml | grep "'*'" -B 10; echo "====================================="; done
mcg-operator.v4.10.0
=====================================
mcg-operator.v4.10.0-noobaa-65854c8758
    controller: false
    kind: ClusterServiceVersion
    name: mcg-operator.v4.10.0
    uid: 88cd135d-a77a-4b77-a409-7eef4f94f58f
  resourceVersion: "30752"
  uid: 69ab1e00-b7c1-47e9-b250-491b7e50805d
rules:
- apiGroups:
  - noobaa.io
  resources:
  - '*'
  - noobaas
  - backingstores
  - bucketclasses
  - noobaas/finalizers
  - backingstores/finalizers
  - bucketclasses/finalizers
  verbs:
  - '*'
--
  resources:
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - '*'
=====================================
mcg-operator.v4.10.0-noobaa-endpoint-6dc55679b7
    controller: false
    kind: ClusterServiceVersion
    name: mcg-operator.v4.10.0
    uid: 88cd135d-a77a-4b77-a409-7eef4f94f58f
  resourceVersion: "30753"
  uid: e39ffc00-c6ca-4cdd-bd5f-daf5d5dadf72
rules:
- apiGroups:
  - noobaa.io
  resources:
  - '*'
  - noobaas
  - backingstores
  - bucketclasses
  - noobaas/finalizers
  - backingstores/finalizers
  - bucketclasses/finalizers
  verbs:
  - '*'
--
  resources:
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - '*'
=====================================
mcg-operator.v4.10.0-noobaa-odf-ui-dc8bf97cd
=====================================
noobaa-operator-service-cert
=====================================
ocs-metrics-svc
=====================================
ocs-operator.v4.10.0
=====================================
ocs-operator.v4.10.0-rook-ceph-cmd-reporter-8494497b64
=====================================
ocs-operator.v4.10.0-rook-ceph-mgr-d684bc4fc
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - ceph.rook.io
  resources:
  - '*'
  verbs:
  - '*'
=====================================
ocs-operator.v4.10.0-rook-ceph-osd-76c6bf86b6
=====================================
ocs-operator.v4.10.0-rook-ceph-purge-osd-5d76567549
=====================================
ocs-operator.v4.10.0-rook-ceph-system-79c7994dd5
=====================================
ocs-operator.v4.10.0-rook-csi-cephfs-provisioner-sa-65f796f4b
=====================================
ocs-operator.v4.10.0-rook-csi-rbd-plugin-sa-54f6bd475c
=====================================
ocs-operator.v4.10.0-rook-csi-rbd-provisioner-sa-745c57c58
=====================================
ocs-provider-server
=====================================
odf-csi-addons-operator.v4.10.0
=====================================
odf-csi-addons-operator.v4.10.0-csi-addons-controlle-7d5d4f6957
=====================================
odf-operator-controller-manager-metrics-service
=====================================
odf-operator.v4.10.0
=====================================
odf-operator.v4.10.0-odf-operator-controller-manager-dfd466db6
=====================================
rook-ceph-metrics
=====================================
rook-ceph-monitor
metadata:
  creationTimestamp: "2022-02-08T06:20:34Z"
  name: rook-ceph-monitor
  namespace: openshift-storage
  resourceVersion: "30040"
  uid: c7f94f86-7cc6-474a-ac43-fe619ae61a7d
rules:
- apiGroups:
  - monitoring.coreos.com
  resources:
  - '*'
  verbs:
  - '*'
=====================================
rook-ceph-monitor-mgr
=====================================
ClusterRole
$ for clusterrole in `oc get clusterrole --no-headers | grep ocs | awk '{ print $1 }'`; do echo $clusterrole; oc get clusterrole $clusterrole -o yaml | grep "'*'" -B 10; echo "====================================="; done
ocs-metrics-exporter
=====================================
ocs-operator.v4.10.0-547f48cd6d
=====================================
ocs-operator.v4.10.0-55c97f465d
=====================================
ocs-operator.v4.10.0-55ff7455d9
=====================================
ocs-operator.v4.10.0-5789cdc788
=====================================
ocs-operator.v4.10.0-5868f4ccf4
=====================================
ocs-operator.v4.10.0-68b78b8d4d
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-storage
    operators.coreos.com/ocs-operator.openshift-storage: ""
  name: ocs-operator.v4.10.0-68b78b8d4d
  resourceVersion: "31148"
  uid: b158f760-6e9c-491a-af5e-762725b526a8
rules:
- apiGroups:
  - monitoring.coreos.com
  resources:
  - '*'
  verbs:
  - '*'
=====================================
ocs-operator.v4.10.0-68f7f4c64b
=====================================
ocs-operator.v4.10.0-69c94fc8dc
=====================================
ocs-operator.v4.10.0-6b645566bd
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - '*'
- apiGroups:
  - ceph.rook.io
  resources:
  - cephblockpools
  - cephclusters
  - cephfilesystems
  - cephobjectstores
  - cephobjectstoreusers
  - cephrbdmirrors
  verbs:
  - '*'
--
  - networks
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - console.openshift.io
  resources:
  - consolequickstarts
  verbs:
  - '*'
--
  resources:
  - configmaps
  - endpoints
  - events
  - nodes
  - persistentvolumeclaims
  - pods
  - secrets
  - services
  verbs:
  - '*'
--
  - create
  - get
  - list
  - update
  - watch
- apiGroups:
  - noobaa.io
  resources:
  - noobaas
  verbs:
  - '*'
- apiGroups:
  - ocs.openshift.io
  resources:
  - '*'
--
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - quota.openshift.io
  resources:
  - clusterresourcequotas
  verbs:
  - '*'
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  verbs:
  - '*'
--
  verbs:
  - create
  - get
  - update
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  - volumesnapshots
  verbs:
  - '*'
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - '*'
  - get
- apiGroups:
  - template.openshift.io
  resources:
  - templates
  verbs:
  - '*'
=====================================
ocs-operator.v4.10.0-6d558847d
=====================================
ocs-operator.v4.10.0-7567994fdf
=====================================
ocs-operator.v4.10.0-76664cc74
=====================================
ocs-operator.v4.10.0-7799d89586
=====================================
ocs-operator.v4.10.0-fc9f698b
=====================================
ocsinitializations.ocs.openshift.io-v1-admin
    name: ocsinitializations.ocs.openshift.io
    uid: 5e58af9c-3be4-4dcb-8acc-6a3802b0ccac
  resourceVersion: "31167"
  uid: 70961821-e0c2-4007-8bb1-4eecb54b27c2
rules:
- apiGroups:
  - ocs.openshift.io
  resources:
  - ocsinitializations
  verbs:
  - '*'
=====================================
ocsinitializations.ocs.openshift.io-v1-crdview
=====================================
ocsinitializations.ocs.openshift.io-v1-edit
=====================================
ocsinitializations.ocs.openshift.io-v1-view
=====================================
storageclusters.ocs.openshift.io-v1-admin
    name: storageclusters.ocs.openshift.io
    uid: 33d3ccb8-4e07-47fa-b704-f8d8cc22791d
  resourceVersion: "31192"
  uid: 1bb4d879-2e9b-453d-8020-5e78bb613d01
rules:
- apiGroups:
  - ocs.openshift.io
  resources:
  - storageclusters
  verbs:
  - '*'
=====================================
storageclusters.ocs.openshift.io-v1-crdview
=====================================
storageclusters.ocs.openshift.io-v1-edit
=====================================
storageclusters.ocs.openshift.io-v1-view
=====================================
storageconsumers.ocs.openshift.io-v1alpha1-admin
    name: storageconsumers.ocs.openshift.io
    uid: 3ce6969a-99cd-422f-a991-6fa999ee164b
  resourceVersion: "31221"
  uid: 143bf229-ab4c-49d7-8037-219f5cf5f7a1
rules:
- apiGroups:
  - ocs.openshift.io
  resources:
  - storageconsumers
  verbs:
  - '*'
=====================================
storageconsumers.ocs.openshift.io-v1alpha1-crdview
=====================================
storageconsumers.ocs.openshift.io-v1alpha1-edit
=====================================
storageconsumers.ocs.openshift.io-v1alpha1-view
=====================================
Complete yaml output example:
$ oc get roles ocs-operator.v4.10.0-rook-ceph-mgr-d684bc4fc -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2022-02-08T06:20:39Z"
  labels:
    olm.owner: ocs-operator.v4.10.0
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-storage
    operators.coreos.com/ocs-operator.openshift-storage: ""
  name: ocs-operator.v4.10.0-rook-ceph-mgr-d684bc4fc
  namespace: openshift-storage
  ownerReferences:
  - apiVersion: operators.coreos.com/v1alpha1
    blockOwnerDeletion: false
    controller: false
    kind: ClusterServiceVersion
    name: ocs-operator.v4.10.0
    uid: 564c351e-7fb5-47c7-84b9-aa307b07b927
  resourceVersion: "31007"
  uid: 1c256810-286b-479f-a102-4593c0914182
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - pods/log
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - ceph.rook.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments/scale
  - deployments
  verbs:
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - delete
Tested in version:
ODF 4.10.0-146
OCP 4.10.0-0.nightly-2022-02-07-162517
Tested in AWS.
Thanks Kaustav for helping in the verification of this bug.
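The wildcard check that the bug description asks for, and that the verification comment above performs by grepping the YAML text, can be done structurally instead. The script below is an added example (not from the bug report, Rook, ODF or NooBaa). It reads the JSON printed by `oc get roles,clusterroles -A -o json` on stdin and flags every rule whose apiGroups, resources or verbs contain '*', naming the field. It also reports explicit entries listed beside a '*' in the same field, as in the noobaa roles above, since the wildcard already subsumes them and the explicit list gives a false impression of restriction. A textual search such as grep "'*'" happens to work on this output only because `*` is the one value `oc` single-quotes; in basic regex, `'*'` matches any line containing a quote. When nothing is piped in, the script runs on a constructed sample that mirrors the rook-ceph-mgr and noobaa rules quoted in this comment; the sample is not captured cluster output.

```python
"""Audit Kubernetes Role/ClusterRole objects for wildcard ('*') grants.

Added example, not part of the bug report or of Rook/ODF/NooBaa code.
Usage:  oc get roles,clusterroles -A -o json | python3 rbac_wildcards.py
With no piped input it audits the constructed SAMPLE below.
"""
import json
import sys

WILDCARD = "*"
FIELDS = ("apiGroups", "resources", "verbs")


def audit_rule(rule):
    """Return {field: [entries listed beside '*']} for each wildcarded field
    of one PolicyRule.  An empty dict means the rule has no wildcard.
    Entries listed next to '*' are already covered by it and are reported so
    the reader can see that the explicit list is not actually restrictive."""
    result = {}
    for field in FIELDS:
        values = rule.get(field) or []
        if WILDCARD in values:
            result[field] = [v for v in values if v != WILDCARD]
    return result


def audit_objects(doc):
    """doc is the decoded JSON of `oc get ... -o json`: either a List or a
    single Role/ClusterRole.  Returns one finding per wildcarded rule:
        (kind, namespace, name, rule_index, {field: [subsumed entries]})
    ClusterRoles are cluster-scoped, so their namespace is ''."""
    items = doc.get("items") if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items or []:
        meta = obj.get("metadata", {})
        for idx, rule in enumerate(obj.get("rules") or []):
            hit = audit_rule(rule)
            if hit:
                findings.append((obj.get("kind", "?"), meta.get("namespace", ""),
                                 meta.get("name", "?"), idx, hit))
    return findings


# Constructed sample (not captured from a cluster) mirroring rules quoted in
# the bug report: the rook-ceph-mgr Role, whose third rule wildcards
# ceph.rook.io, and a noobaa Role whose resources mix '*' with explicit names.
SAMPLE = {
    "kind": "List",
    "items": [
        {
            "kind": "Role",
            "metadata": {"name": "ocs-operator.v4.10.0-rook-ceph-mgr-d684bc4fc",
                         "namespace": "openshift-storage"},
            "rules": [
                {"apiGroups": [""], "resources": ["pods", "services", "pods/log"],
                 "verbs": ["get", "list", "watch", "create", "update", "delete"]},
                {"apiGroups": ["batch"], "resources": ["jobs"],
                 "verbs": ["get", "list", "watch", "create", "update", "delete"]},
                {"apiGroups": ["ceph.rook.io"], "resources": ["*"], "verbs": ["*"]},
                {"apiGroups": ["apps"], "resources": ["deployments/scale", "deployments"],
                 "verbs": ["patch", "delete"]},
            ],
        },
        {
            "kind": "Role",
            "metadata": {"name": "mcg-operator.v4.10.0-noobaa-65854c8758",
                         "namespace": "openshift-storage"},
            "rules": [
                {"apiGroups": ["noobaa.io"],
                 "resources": ["*", "noobaas", "backingstores", "bucketclasses"],
                 "verbs": ["*"]},
            ],
        },
        {
            # A rule with explicit verbs and resources: produces no finding.
            "kind": "ClusterRole",
            "metadata": {"name": "clean-example"},
            "rules": [{"apiGroups": [""], "resources": ["nodes"],
                       "verbs": ["get", "list", "watch"]}],
        },
    ],
}


def main():
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_objects(doc)
    for kind, ns, name, idx, hit in findings:
        where = f"{kind} {ns + '/' if ns else ''}{name} rules[{idx}]"
        for field, subsumed in hit.items():
            note = f" (explicit entries subsumed by '*': {subsumed})" if subsumed else ""
            print(f"{where}: {field} is '*'{note}")
    return 1 if findings else 0  # non-zero exit lets CI fail on any wildcard


if __name__ == "__main__":
    sys.exit(main())
```

Run against a live cluster with `oc get roles,clusterroles -A -o json | python3 rbac_wildcards.py`; a non-zero exit code means at least one wildcard rule remains, which makes the check usable as a gate in CI for the operator bundles.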
— Additional comment from Travis Nielsen on 2022-02-08 14:25:09 UTC —
Jilju, please open separate BZs for Noobaa and the OCS operator to make their corresponding changes. I see Rook still needs to update some of the wildcards, but most of the remaining ones belong to the other two components.