Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-266

Project Access tab cannot differentiate between users and groups

XMLWordPrintable

    • Moderate
    • ODC Sprint 225, ODC Sprint 226, ODC Sprint 227, ODC Sprint 229, ODC Sprint 230, ODC Sprint 231, ODC Sprint 232
    • 7
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, there was no way to differentiate between a user group and a service account in the *Project Access* tab. Also, there was no way to bind a role to a user group or a service account. With this fix, a subject dropdown is added to select a kind you want to bind a role to. The `ServiceAccount` kind also allows you to select the namespace. (link:https://issues.redhat.com/browse/OCPBUGS-266[*OCPBUGS-266*])
      Show
      * Previously, there was no way to differentiate between a user group and a service account in the *Project Access* tab. Also, there was no way to bind a role to a user group or a service account. With this fix, a subject dropdown is added to select a kind you want to bind a role to. The `ServiceAccount` kind also allows you to select the namespace. (link: https://issues.redhat.com/browse/OCPBUGS-266 [* OCPBUGS-266 *])
    • Bug Fix
    • Done

      Description of problem: I am working with a customer who uses the web console.  From the Developer Perspective's Project Access tab, they cannot differentiate between users and groups and furthermore cannot add groups from this web console.  This has led to confusion whether existing resources were in fact users or groups, and furthermore they have added users when they intended to add groups instead.  What we really need is a third column in the Project Access tab that says whether a resource is a user or group.

       

      Version-Release number of selected component (if applicable): This is an issue in OCP 4.10 and 4.11, and I presume future versions as well

      How reproducible: Every time.  My customer is running on ROSA, but I have determined this issue to be general to OpenShift.

      Steps to Reproduce:

      From the oc cli, I create a group and add a user to it.

      $ oc adm groups new techlead
      group.user.openshift.io/techlead created
      $ oc adm groups add-users techlead admin
      group.user.openshift.io/techlead added: "admin"
      $ oc get groups
      NAME                                     USERS
      cluster-admins                           
      dedicated-admins                         admin
      techlead   admin
      I create a new namespace so that I can assign a group project level access:

      $ oc new-project my-namespace

      $ oc adm policy add-role-to-group edit techlead -n my-namespace
      I then went to the web console -> Developer perspective -> Project -> Project Access.  I verified the rolebinding named 'edit' is bound to a group named 'techlead'.

      $ oc get rolebinding
      NAME                                                              ROLE                                   AGE
      admin                                                             ClusterRole/admin                      15m
      admin-dedicated-admins                                            ClusterRole/admin                      15m
      admin-system:serviceaccounts:dedicated-admin                      ClusterRole/admin                      15m
      dedicated-admins-project-dedicated-admins                         ClusterRole/dedicated-admins-project   15m
      dedicated-admins-project-system:serviceaccounts:dedicated-admin   ClusterRole/dedicated-admins-project   15m
      edit                                                              ClusterRole/edit                       2m18s
      system:deployers                                                  ClusterRole/system:deployer            15m
      system:image-builders                                             ClusterRole/system:image-builder       15m
      system:image-pullers                                              ClusterRole/system:image-puller        15m

      $ oc get rolebinding edit -o yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        creationTimestamp: "2022-08-15T14:16:56Z"
        name: edit
        namespace: my-namespace
        resourceVersion: "108357"
        uid: 4abca27d-08e8-43a3-b9d3-d20d5c294bbe
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: edit
      subjects:

      • apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: techlead
        Now, from the same Project Access tab in the web console, I added the developer with role "View".  From this web console, it is unclear whether developer and techlead are users or groups.

      Now back to the CLI, I view the newly created rolebinding named 'developer-view-c15b720facbc8deb', and find that the "View" role is assigned to a user named 'developer', rather than a group.

      $ oc get rolebinding                                                                      
      NAME                                                              ROLE                                   AGE
      admin                                                             ClusterRole/admin                      17m
      admin-dedicated-admins                                            ClusterRole/admin                      17m
      admin-system:serviceaccounts:dedicated-admin                      ClusterRole/admin                      17m
      dedicated-admins-project-dedicated-admins                         ClusterRole/dedicated-admins-project   17m
      dedicated-admins-project-system:serviceaccounts:dedicated-admin   ClusterRole/dedicated-admins-project   17m
      edit                                                              ClusterRole/edit                       4m25s
      developer-view-c15b720facbc8deb     ClusterRole/view                       90s
      system:deployers                                                  ClusterRole/system:deployer            17m
      system:image-builders                                             ClusterRole/system:image-builder       17m
      system:image-pullers                                              ClusterRole/system:image-puller        17m
      [10:21:21] kechung:~ $ oc get rolebinding developer-view-c15b720facbc8deb -o yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        creationTimestamp: "2022-08-15T14:19:51Z"
        name: developer-view-c15b720facbc8deb
        namespace: my-namespace
        resourceVersion: "113298"
        uid: cc2d1b37-922b-4e9b-8e96-bf5e1fa77779
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: view
      subjects:

      • apiGroup: rbac.authorization.k8s.io
          kind: User
          name: developer

      So in conclusion, from the Project Access tab, we're unable to add groups and unable to differentiate between users and groups.  This is in essence our ask for this RFE.

       

      Actual results:

      Developer perspective -> Project -> Project Access tab shows a list of resources which can be users or groups, but does not differentiate between them.  Furthermore, when we add resources, they are only users and there is no way to add a group from this tab in the web console.

       

      Expected results:

      Should have the ability to add groups and differentiate between users and groups.  Ideally, we're looking at a third column for user or group.

       

      Additional info:

            dsantra12 Debsmita Santra
            rhn-support-kechung Kevin Chung
            Sanket Pathak Sanket Pathak
            Votes:
            1 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: