Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-2140

member loses rights after some other user login in openid / group sync

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Done
    • 4.11
    • None
    • apiserver-auth
    • None
    • Important
    • Rejected
    • Hide

      None

      Show
      None
    • If Release Note Needed, Set a Value
    • Set a Value

    Description

      This is a clone of issue OCPBUGS-533. The following is the description of the original issue:

      Description of problem:

      customer is using Azure AD as openid provider and groups synchronization from the provider.

      The scenario is the following:

      1)

      • user A login.
        groups are created with the membership.
        User A is member of a group with admin rights and it's cluster-admin

      2)

      • user B login:
        groups are updated with membership
        UserB is also member of the group with admin rights and it's cluster admin

      3)

      • user A login:
        groups are identical as in the former step.
        user A has no administration rights.

      The groups memberships are the same in step 2 and 3.
      The cluster role bindings of the groups have never changed.

      the only way to have user A again the admin rights is to delete the membership from the group and have user A login again.

      I have not managed to reproduce this using RH SSO. Neither Azure AD.

      But my configuration is not exactly the same yet.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:
      1.
      2.
      3.

      Actual results:

      Expected results:

      Additional info:

      Attachments

        Issue Links

          Activity

            People

              kostrows@redhat.com Krzysztof Ostrowski
              openshift-crt-jira-prow OpenShift Prow Bot
              ying zhou ying zhou
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: