  1. OpenShift Bugs
  2. OCPBUGS-7689

Project Admin is able to Label project with empty string in RHOCP 4


    • Bug
    • Resolution: Done
    • Critical
    • None
    • 4.10.z
    • openshift-apiserver
    • Important
    • No
    • Rejected
    • False
    • Cause: The project validation mistakes a label with empty value as a missing label.
      Consequence: The project validation didn't catch the issue when a new label with an empty value is added to the project when it isn't allowed to do so.
      Fix: The project validation will check for label with empty value when validating the project modification request.
      Result: The loophole for adding a label with empty value to project post-creation is closed.

      Description of problem:

      Observed inconsistency between Project and Namespace. The label is added to the project when an empty string is entered. However, labeling or annotating a Namespace or project with a string value doesn't work.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1. Create a project : `$ oc create namespace testproject`
      2. Assign admin access to user : `$ oc adm policy add-role-to-user admin testuser -n testproject`
      3. Login with the user : `$ oc login -u testuser`
      4. Label ns : `$ oc label ns testproject test1=label1`
      5. Annotate ns : `$ oc annotate ns testproject openshift.io/node-selector=test2=test2`
      6. Label project : `$ oc label project testproject test1=label1` 
      7. Annotate project : `$ oc annotate project testproject openshift.io/node-selector=test2=test2`
      8. Label project (this specific label worked): `$ oc label project testproject policy-group.network.openshift.io/ingress=""`

      Actual results:

      When a new label with a non-empty string is added to a project, a validation error occurs. When a new label with an empty string is added to a project, the project is labeled:
      ~~~
      $ oc label project testproject policy-group.network.openshift.io/ingress=""
      project.project.openshift.io/testproject labeled
      ~~~

      Expected results:

       

      Additional info:

      The project Admin does not have access to modify the project/namespace resource itself.
      
      Label ns : `$ oc label ns testproject test1=label1`
      ~~~
      Error from server (Forbidden): namespaces "testproject" is forbidden: User "testuser" cannot patch resource "namespaces" in API group "" in the namespace "testproject"
      ~~~
      Annotate ns : `$ oc annotate ns testproject openshift.io/node-selector=test2=test2`
      ~~~
      Error from server (Forbidden): namespaces "testproject" is forbidden: User "testuser" cannot patch resource "namespaces" in API group "" in the namespace "testproject"
      ~~~
      
      Label project : `$ oc label project testproject test1=label1`
      ~~~
      The Project "testproject" is invalid: metadata.labels[test1]: Invalid value: "label1": field is immutable, , try updating the namespace
      ~~~ 
      Annotate project : `$ oc annotate project testproject openshift.io/node-selector=test2=test2`
      ~~~   
      The Project "testproject" is invalid: metadata.annotations[openshift.io/node-selector]: Invalid value: "test2=test2": field is immutable, try updating the namespace 
      ~~~
      
      However, when tried with an empty string, it worked:
      ~~~
      $ oc label project testproject policy-group.network.openshift.io/ingress=""
      project.project.openshift.io/testproject labeled
      ~~~

       

              vdinh@redhat.com Vu Dinh
              rhn-support-sdharma Suruchi Dharma
              Rahul Gangwar Rahul Gangwar
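
The cause given in the release note (a label with an empty value mistaken for a missing label) is what a value-only comparison of Go maps produces. The following is an added example, not openshift-apiserver code: it assumes the immutability check compared old and new labels by map lookup, and the function names and the `existing` label are hypothetical, constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// unionKeys returns the sorted set of keys present in either label map.
func unionKeys(a, b map[string]string) (out []string) {
	seen := map[string]bool{}
	for _, m := range []map[string]string{a, b} {
		for k := range m {
			if !seen[k] {
				seen[k] = true
				out = append(out, k)
			}
		}
	}
	sort.Strings(out)
	return out
}

// changedBuggy compares values only; a missing key reads as "", like an empty value.
func changedBuggy(old, updated map[string]string) (bad []string) {
	for _, k := range unionKeys(old, updated) {
		if old[k] != updated[k] {
			bad = append(bad, k)
		}
	}
	return bad
}

// changedFixed also compares key presence, so "" is distinct from absent.
func changedFixed(old, updated map[string]string) (bad []string) {
	for _, k := range unionKeys(old, updated) {
		ov, inOld := old[k]
		nv, inNew := updated[k]
		if inOld != inNew || ov != nv {
			bad = append(bad, k)
		}
	}
	return bad
}

func main() {
	old := map[string]string{"existing": "x"} // constructed sample labels
	upd := map[string]string{"existing": "x", "policy-group.network.openshift.io/ingress": ""}
	fmt.Println("buggy:", changedBuggy(old, upd), "fixed:", changedFixed(old, upd))
}
```

The same value-only comparison also misses the removal of a label whose value was empty, which the presence check catches.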