Bug
Resolution: Done
Minor
7.4.1.GA
None
Current oauth-proxy container settings:

spec:
  containers:
  - args:
    - --http-address=
    - --https-address=:8443
    - --upstream=http://localhost:8080
    - --provider=openshift
    - --openshift-sar={"name":"console-cr-form","namespace":"test3","resource":"kieapps","verb":"create"}
    - --openshift-service-account=console-cr-form
    - --tls-cert=/etc/tls/private/tls.crt
    - --tls-key=/etc/tls/private/tls.key
    - --cookie-secret=SECRET
    image: registry.access.redhat.com/openshift3/oauth-proxy
    imagePullPolicy: Always
    name: oauth-proxy
    ports:
    - containerPort: 8443
      name: public
      protocol: TCP
    resources: {}
    securityContext:
      capabilities:
        drop:
        - KILL
        - MKNOD
        - SETGID
        - SETUID
      runAsUser: 1000620000
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/tls/private
      name: proxy-tls
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: console-cr-form-token-6zxm5
      readOnly: true
The container logs the following errors when a project-admin (not cluster-admin) attempts to log in:

$ oc logs console-cr-form -c oauth-proxy
2019/08/29 19:00:03 provider.go:106: Defaulting client-id to system:serviceaccount:test3:console-cr-form
2019/08/29 19:00:03 provider.go:111: Defaulting client-secret to service account token /var/run/secrets/kubernetes.io/serviceaccount/token
2019/08/29 19:00:03 oauthproxy.go:201: mapping path "/" => upstream "http://localhost:8080/"
2019/08/29 19:00:03 oauthproxy.go:228: OAuthProxy configured for Client ID: system:serviceaccount:test3:console-cr-form
2019/08/29 19:00:03 oauthproxy.go:238: Cookie settings: name:_oauth_proxy secure(https):true httponly:true expiry:168h0m0s domain:<default> refresh:disabled
2019/08/29 19:00:03 http.go:96: HTTPS: listening on [::]:8443
2019/08/29 19:00:14 provider.go:553: Performing OAuth discovery against https://172.30.0.1/.well-known/oauth-authorization-server
2019/08/29 19:00:14 provider.go:593: 200 GET https://172.30.0.1/.well-known/oauth-authorization-server
{
  "issuer": "https://oauth-openshift.apps.mmikhail-mwocp42.devcluster.openshift.com",
  "authorization_endpoint": "https://oauth-openshift.apps.mmikhail-mwocp42.devcluster.openshift.com/oauth/authorize",
  "token_endpoint": "https://oauth-openshift.apps.mmikhail-mwocp42.devcluster.openshift.com/oauth/token",
  "scopes_supported": [
    "user:check-access",
    "user:full",
    "user:info",
    "user:list-projects",
    "user:list-scoped-projects"
  ],
  "response_types_supported": [
    "code",
    "token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}
2019/08/29 19:00:23 provider.go:553: Performing OAuth discovery against https://172.30.0.1/.well-known/oauth-authorization-server
2019/08/29 19:00:23 provider.go:593: 200 GET https://172.30.0.1/.well-known/oauth-authorization-server
{
  "issuer": "https://oauth-openshift.apps.mmikhail-mwocp42.devcluster.openshift.com",
  "authorization_endpoint": "https://oauth-openshift.apps.mmikhail-mwocp42.devcluster.openshift.com/oauth/authorize",
  "token_endpoint": "https://oauth-openshift.apps.mmikhail-mwocp42.devcluster.openshift.com/oauth/token",
  "scopes_supported": [
    "user:check-access",
    "user:full",
    "user:info",
    "user:list-projects",
    "user:list-scoped-projects"
  ],
  "response_types_supported": [
    "code",
    "token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}
2019/08/29 19:00:24 provider.go:593: 200 GET https://172.30.0.1/apis/user.openshift.io/v1/users/~ {"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"test1","selfLink":"/apis/user.openshift.io/v1/users/test1","uid":"1408444a-ca8e-11e9-a041-0a580a810018","resourceVersion":"657990","creationTimestamp":"2019-08-29T18:51:58Z"},"identities":["htpasswd:test1"],"groups":["system:authenticated","system:authenticated:oauth"]}
2019/08/29 19:00:24 provider.go:593: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"test3","allowed":false}
2019/08/29 19:00:24 provider.go:444: Permission denied for test1@cluster.local for check {"name":"console-cr-form","namespace":"test3","resource":"kieapps","scopes":[],"verb":"create"}
2019/08/29 19:00:24 oauthproxy.go:642: 10.128.2.6:38306 Permission Denied: user is unauthorized when redeeming token
2019/08/29 19:00:24 oauthproxy.go:439: ErrorPage 403 Permission Denied Invalid Account
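As an added example (not part of this bug report or of the oauth-proxy project), a small Python parser that pulls the SubjectAccessReview response and the denied check out of oauth-proxy log lines like the ones above, so the exact verb/resource/name/namespace the proxy asked the API server about can be compared with the role the project-admin actually holds. The sample log lines are constructed from the entries above; the log line format and regexes are assumptions based on those entries.

```python
import json
import re

# Constructed sample: the three lines from the oauth-proxy log above that
# record the SAR round-trip and the resulting denial.
SAMPLE_LOG = """\
2019/08/29 19:00:24 provider.go:593: 201 POST https://172.30.0.1/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"test3","allowed":false}
2019/08/29 19:00:24 provider.go:444: Permission denied for test1@cluster.local for check {"name":"console-cr-form","namespace":"test3","resource":"kieapps","scopes":[],"verb":"create"}
2019/08/29 19:00:24 oauthproxy.go:642: 10.128.2.6:38306 Permission Denied: user is unauthorized when redeeming token
"""

# Assumed oauth-proxy log layout: "YYYY/MM/DD HH:MM:SS file.go:NNN: message"
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+): (?P<msg>.*)$")
DENY_RE = re.compile(r"^Permission denied for (?P<user>\S+) for check (?P<check>\{.*\})$")
SAR_RE = re.compile(r"^(?P<status>\d{3}) POST \S+/subjectaccessreviews (?P<body>\{.*\})$")


def parse_events(log_text):
    """Yield (timestamp, kind, payload) for SAR responses and permission denials."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        d = DENY_RE.match(msg)
        if d:
            yield m.group("ts"), "denied", {"user": d.group("user"), "check": json.loads(d.group("check"))}
            continue
        s = SAR_RE.match(msg)
        if s:
            yield m.group("ts"), "sar", json.loads(s.group("body"))


def summarize_denials(log_text):
    """One record per denial: who was refused, the exact SAR tuple the proxy
    asked about, and the allowed flag of the SAR response logged just before it."""
    last_sar, out = None, []
    for ts, kind, payload in parse_events(log_text):
        if kind == "sar":
            last_sar = payload          # the proxy logs the response before the denial
            continue
        check = payload["check"]
        out.append({"time": ts, "user": payload["user"], "verb": check.get("verb"),
                    "resource": check.get("resource"), "name": check.get("name"),
                    "namespace": check.get("namespace"),
                    "sar_allowed": None if last_sar is None else last_sar.get("allowed")})
    return out
```

Running `summarize_denials(SAMPLE_LOG)` yields a single record for test1@cluster.local showing the SAR tuple (create kieapps/console-cr-form in test3) and allowed=false, which is what to compare against `oc auth can-i` output for the same user.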