OpenShift Bugs: OCPBUGS-43306

User impersonation isn't working for users in a single group in RHOCP4


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Affects Version: 4.16.z
    • Component: apiserver-auth
    • Severity: Moderate

      Description of problem:

      Impersonating a user whose privileges come from a single group is not working in RHOCP4.
      
      This is an LDAP user. The user is part of only one group, and this group has only one user. After assigning permissions to the group, group impersonation works as expected.
      However, user impersonation does not work.
      Tried checking from the CLI whether the user has the permissions, and that works as expected.
      
      Even though the permissions assigned to the group are also held by the user that is part of the same group, user impersonation is not working.

      Version-Release number of selected component (if applicable):

      4.16.10

      How reproducible:

      100%

      Steps to Reproduce:

      1. Create a user
      2. Create a group
      3. Add the user to the created group
      4. Assign permissions to the group
      5. Check if group impersonation is working
      6. Check if user impersonation is working

      Actual results:

      After assigning permissions to the group, group impersonation works as expected. However, impersonating the user that is part of this group does not work.

      Expected results:

      After assigning permissions to the group, group impersonation as well as user impersonation should work as expected.

      Additional info:

      Synchronization configMap:
      ~~~
      kind: LDAPSyncConfig
      apiVersion: v1
      url: "ldap://example.lux:389"
      insecure: true
      bindDN: svc_openshift_ldap
      bindPassword:
        file: "/etc/secrets/bindPassword"
      augmentedActiveDirectory:
        groupsQuery:
          baseDN: "ou=Groups,ou=Telindus,dc=example,dc=lux"
          scope: sub
          derefAliases: never
          pageSize: 0
        groupUIDAttribute: dn
        groupNameAttributes: [ cn ]
        usersQuery:
          baseDN: "ou=BTM Users,dc=example,dc=lux"
          scope: sub
          derefAliases: never
          filter: (objectclass=*)
          pageSize: 0
        userNameAttributes: [ sAMAccountName ]
        groupMembershipAttributes: [ memberOf ]
      ~~~
      
      Group synchronization:
      ~~~
      kind: Group
      apiVersion: user.openshift.io/v1
      metadata:
        name: OCP-MIT-test
        uid: eade3e57-5715-4dd9-9d5a-18c92c4536fb
        resourceVersion: '229087129'
        creationTimestamp: '2024-10-11T08:42:02Z'
        labels:
          openshift.io/ldap.host: example.lux
        annotations:
          openshift.io/ldap.sync-time: '2024-10-11T09:45:04Z'
          openshift.io/ldap.uid: 'cn=OCP-MIT-test,OU=Groups,OU=Telindus,DC=example,DC=lux'
          openshift.io/ldap.url: 'example.lux:389'
      users:
        - openshift_test
      ~~~
      
      $ oc get users | grep -i openshift_test
      openshift_test      01f87d46-a451-4a0b-bc00-08975447d5f2   openshift_test                          ldap-mit:b3BlbnNoaWZ0X3Rlc3Q
      
      $ oc get groups
      NAME             USERS
      OCP-MIT-test     openshift_test
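As an added diagnostic (not part of this bug report and not Red Hat tooling), the following POSIX shell script turns steps 5 and 6 into a repeatable check: for each verb/resource it compares what `oc auth can-i` answers for `--as=<user>` alone against `--as=<user> --as-group=<group>`, the CLI form of group impersonation, which needs a user alongside the group. The user and group names are the ones from the report; the probe list, the namespace and the `OC` override (which lets a stub stand in for `oc` offline) are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report). For each verb/resource it asks
# `oc auth can-i` whether impersonating the user alone answers the same as
# impersonating the user together with its group. OC, USER_NAME, GROUP_NAME,
# NAMESPACE and the probe list are assumptions; override them from the env.
: "${OC:=oc}"
: "${USER_NAME:=openshift_test}"
: "${GROUP_NAME:=OCP-MIT-test}"
: "${NAMESPACE:=default}"

# can_i VERB RESOURCE [impersonation flags...] -> prints "yes" or "no".
# `oc auth can-i` exits non-zero when the answer is "no".
can_i() {
  verb=$1; res=$2; shift 2
  if "$OC" auth can-i "$verb" "$res" -n "$NAMESPACE" "$@" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# probe VERB RESOURCE -> prints one row; returns 0 when user-only and
# user+group impersonation agree, 1 when they differ (the reported symptom).
probe() {
  verb=$1; res=$2
  as_user=$(can_i "$verb" "$res" --as="$USER_NAME")
  as_both=$(can_i "$verb" "$res" --as="$USER_NAME" --as-group="$GROUP_NAME")
  status=ok
  [ "$as_user" = "$as_both" ] || status=MISMATCH
  printf '%-8s %-12s as-user=%-4s as-user+group=%-4s %s\n' \
    "$verb" "$res" "$as_user" "$as_both" "$status"
  [ "$status" = ok ]
}

# run_probes "VERB RESOURCE" ... -> prints the table and returns the
# number of mismatching rows (0 means user and group impersonation agree).
run_probes() {
  mismatches=0
  for pair in "$@"; do
    probe "${pair%% *}" "${pair#* }" || mismatches=$((mismatches + 1))
  done
  return "$mismatches"
}

# Probe list is a constructed placeholder for whatever the group's role grants.
if command -v "$OC" >/dev/null 2>&1; then
  run_probes "get pods" "list pods" "get deployments" \
    || echo "user impersonation does not match group impersonation"
fi
```

Run it while logged in as a cluster administrator; a non-zero exit from `run_probes` lists exactly which verbs differ between the two impersonation forms.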
      
      

              Assignee: Unassigned
              Reporter: Suruchi Dharma (rhn-support-sdharma)
              QA Contact: YaDan Pei