OCPBUGS-2553

[release-4.10] member loses rights after some other user login in openid / group sync


Details

    • Bug
    • Resolution: Done
    • Critical
    • None
    • 4.10
    • apiserver-auth
    • None
    • Important
    • Rejected
    • Customer Escalated

    Description

      This is a clone of issue OCPBUGS-533. The following is the description of the original issue:

      Description of problem:

      The customer is using Azure AD as the OpenID provider, with group synchronization from the provider.

      The scenario is the following:

      1) User A logs in:
         groups are created with the membership.
         User A is a member of a group with admin rights and is cluster-admin.

      2) User B logs in:
         groups are updated with the membership.
         User B is also a member of the group with admin rights and is cluster-admin.

      3) User A logs in:
         groups are identical to those in the former step.
         User A has no administration rights.

      The groups memberships are the same in step 2 and 3.
      The cluster role bindings of the groups have never changed.

      The only way for user A to have the admin rights again is to delete the membership from the group and have user A log in again.

      I have not managed to reproduce this using RH SSO, nor using Azure AD.

      But my configuration is not exactly the same yet.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:
      1.
      2.
      3.

      Actual results:

      Expected results:

      Additional info:

       


              People

                kostrows@redhat.com Krzysztof Ostrowski
                rhn-support-gparente German Parente
                ying zhou ying zhou