OpenShift Bugs / OCPBUGS-17051

Role created with field resourceNames does not allow to view specific resources


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Undefined
    • Affects Version: 4.12
    • Component: apiserver-auth
    • Quality / Stability / Reliability
    • Severity: Moderate

      Description of problem:

      Role created with field resourceNames does not allow to view specific resources.

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      100%

      Steps to Reproduce:

      1. Create a new project (oc new-project test), then create two apps (oc new-app httpd and oc new-app httpd --name=apache).
      2. Create a role with the rules below to provide edit access to pods and deployments.
      ~~~
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: role-test
        namespace: test-secret
      rules:
      - apiGroups:
        - ""
        resources:
        - pods/exec
        - pods
        - pods/log
        - pods/status
        verbs:
        - get
        - list
        - create
      - apiGroups:
        - metrics.k8s.io
        resources:
        - pods
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - ""
        - apps
        resources:
        - deployments
        - deployments/scale
        - deployments/status
        verbs:
        - get
        - list
        - watch
        - update
        - patch
        - create
      - apiGroups:
        - ""
        - project.openshift.io
        resources:
        - projects
        verbs:
        - get
      - apiGroups:
        - ""
        resources:
        - namespaces
        - namespaces/status
        verbs:
        - get
        - list
        - watch
      ~~~
      3. Viewing from both the GUI and the CLI now works fine.
      4. Edit the role and add the deployment httpd under resourceNames; it then fails with the error below.
      ~~~
      oc edit role role-test
      
      - apiGroups:
        - ""
        - apps
        resourceNames:
        - httpd
        resources:
        - deployments
        - deployments/scale
        - deployments/status
        verbs:
      
      ~~~
      ~~~
      deployments.apps is forbidden: User "user1" cannot list resource "deployments" in API group "apps" in the namespace "test-secret"
      ~~~
      
      5. From the CLI, the same thing: getting the deployment by name works, but listing all deployments fails.
      ~~~
      $ oc get deployment httpd
      NAME    READY   UP-TO-DATE   AVAILABLE   AGE
      httpd   1/1     1            1           28m
      
      $ oc get deployment
      Error from server (Forbidden): deployments.apps is forbidden: User "user1" cannot list resource "deployments" in API group "apps" in the namespace "test-secret"
      
      $ oc get deployment apache
      Error from server (Forbidden): deployments.apps "apache" is forbidden: User "user1" cannot get resource "deployments" in API group "apps" in the namespace "test-secret"
      ~~~

      Actual results:

      The deployment list is not returned when checked from either the CLI or the GUI.
      ~~~
      $ oc get deployment 
      Error from server (Forbidden): deployments.apps is forbidden: User "user1" cannot list resource "deployments" in API group "apps" in the namespace "test-secret"
      ~~~

      Expected results:

      The deployment list should show the names of the deployments the user has access to.
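The actual and expected results above come down to how the RBAC authorizer applies resourceNames. The following Go program is an added illustration, not code from the report or from OpenShift: it re-implements the per-rule check of the Kubernetes RBAC authorizer in simplified form (the type and function names here are the example's own) and evaluates the three oc commands from step 5 against the deployments rule before and after resourceNames: [httpd] is set. Verb, API group and resource are matched first; a rule with a non-empty resourceNames then admits only a request that names one of those objects. A list or watch of the whole collection carries no object name, so it can never satisfy such a rule, which is exactly the Forbidden error the report shows.

```go
package main

import "fmt"

// policyRule carries the fields of a Kubernetes RBAC rule that the authorizer
// consults; the YAML keys in the report map onto them one to one.
type policyRule struct {
	apiGroups     []string
	resources     []string
	resourceNames []string
	verbs         []string
}

// request is the attribute set the RBAC authorizer sees. A "get" of one object
// carries its name; a "list" or "watch" of the whole collection carries none.
type request struct {
	verb, apiGroup, resource, name string
}

// matches reports whether a rule field admits the requested value, honouring
// the "*" wildcard that Kubernetes accepts for verbs, groups and resources.
func matches(allowed []string, requested string) bool {
	for _, a := range allowed {
		if a == "*" || a == requested {
			return true
		}
	}
	return false
}

// ruleAllows mirrors the per-rule check of the RBAC authorizer: verb, group
// and resource must match, then resourceNames is applied. An empty
// resourceNames admits every object, including a collection request. A
// populated list is compared exactly (no wildcard) against the request's
// name, so a collection list/watch, whose name is empty, never matches it.
func ruleAllows(r policyRule, req request) bool {
	if !matches(r.verbs, req.verb) || !matches(r.apiGroups, req.apiGroup) || !matches(r.resources, req.resource) {
		return false
	}
	if len(r.resourceNames) == 0 {
		return true
	}
	for _, n := range r.resourceNames {
		if n == req.name {
			return true
		}
	}
	return false
}

// roleAllows grants the request if any rule in the role allows it.
func roleAllows(rules []policyRule, req request) bool {
	for _, r := range rules {
		if ruleAllows(r, req) {
			return true
		}
	}
	return false
}

// The deployments rule from step 2 (unrestricted) and from step 4 (with
// resourceNames: [httpd]), copied from the report.
var (
	deploymentVerbs     = []string{"get", "list", "watch", "update", "patch", "create"}
	deploymentResources = []string{"deployments", "deployments/scale", "deployments/status"}

	unrestrictedRole = []policyRule{{
		apiGroups: []string{"", "apps"},
		resources: deploymentResources,
		verbs:     deploymentVerbs,
	}}
	restrictedRole = []policyRule{{
		apiGroups:     []string{"", "apps"},
		resources:     deploymentResources,
		resourceNames: []string{"httpd"},
		verbs:         deploymentVerbs,
	}}
)

// The three oc commands from step 5, expressed as authorizer requests.
var (
	getHTTPD        = request{verb: "get", apiGroup: "apps", resource: "deployments", name: "httpd"}
	listDeployments = request{verb: "list", apiGroup: "apps", resource: "deployments"}
	getApache       = request{verb: "get", apiGroup: "apps", resource: "deployments", name: "apache"}
)

func main() {
	for _, req := range []request{getHTTPD, listDeployments, getApache} {
		fmt.Printf("%-4s deployments %-8q  before resourceNames: %-5v  after: %v\n",
			req.verb, req.name, roleAllows(unrestrictedRole, req), roleAllows(restrictedRole, req))
	}
}
```

Running it shows get httpd allowed in both cases, list allowed only before resourceNames is set, and get apache denied afterwards. One path the simplified model leaves out: the real apiserver fills the request's name from an exact metadata.name field selector on a list or watch, so a list restricted that way (for example oc get deployment --field-selector metadata.name=httpd) does pass a resourceNames rule, while an unfiltered list cannot.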

      Additional info:

      Assignee: Stanislav Láznička (Inactive)
      Reporter: Pawan Khilare
      QA Contact: Xingxing Xia