Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-533

member loses rights after some other user login

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • None
    • 4.12
    • apiserver-auth
    • None
    • +
    • Important
    • Auth - Sprint 224, Auth - Sprint 225, Auth - Sprint 226
    • 3
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, adding a member could remove previous members from a group. As a result, the user lost group privileges. With this release, the dependencies were bumped and users no longer loose group privlides. (link:https://issues.redhat.com/browse/OCPBUGS-533[*OCPBUGS-533*])
      Show
      * Previously, adding a member could remove previous members from a group. As a result, the user lost group privileges. With this release, the dependencies were bumped and users no longer loose group privlides. (link: https://issues.redhat.com/browse/OCPBUGS-533 [* OCPBUGS-533 *])
    • Bug Fix
    • Done

    Description

      Description of problem:

      customer is using Azure AD as openid provider and groups synchronization from the provider.

      The scenario is the following:

      1)

      • user A login.
        groups are created with the membership.
        User A is member of a group with admin rights and it's cluster-admin

      2)

      • user B login:
        groups are updated with membership
        UserB is also member of the group with admin rights and it's cluster admin

      3)

      • user A login:
        groups are identical as in the former step.
        user A has no administration rights.

      The groups memberships are the same in step 2 and 3.
      The cluster role bindings of the groups have never changed.

      the only way to have user A again the admin rights is to delete the membership from the group and have user A login again.

      I have not managed to reproduce this using RH SSO. Neither Azure AD.

      But my configuration is not exactly the same yet.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:
      1.
      2.
      3.

      Actual results:

      Expected results:

      Additional info:

       

      Attachments

        Issue Links

          account is impacted by

          Bug - A problem that impairs or prevents the functions of the product. AUTH-294 Adding a 2nd user to a group breaks permissions

          • Undefined - Priority not specified.
          • Closed
          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-2140 member loses rights after some other user login in openid / group sync

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          impacts account

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-2964 add case for OCPBUGS-533

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-2140 member loses rights after some other user login in openid / group sync

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-2553 [release-4.10] member loses rights after some other user login in openid / group sync

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-7326 The CRD resources are not removed when uninstall the OpenShift Serverless operator

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-805 Azure AD authentication group sync issue

          • Undefined - Priority not specified.
          • Closed

          Activity

            People

              kostrows@redhat.com Krzysztof Ostrowski
              rhn-support-gparente German Parente
              ying zhou ying zhou
              Votes:
              3 Vote for this issue
              Watchers:
              18 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: