Uploaded image for project: 'Red Hat OpenShift Data Science'
  1. Red Hat OpenShift Data Science
  2. RHODS-5100

Cluster admins user do not get RHODS admin access if CRB is defined for a group

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • RHODS_1.17.0_GA
    • RHODS_1.16.0_GA
    • UI
    • False
    • None
    • False
    • Hide

      RHODS admin access granted for all the cluster admins

      Show
      RHODS admin access granted for all the cluster admins
    • Release Notes
    • No
    • 1.17.0-9
    • No
    • Hide
      Group role bindings were not applied to cluster administrators
      Previously, if you had assigned cluster admin privileges to a group rather than a specific user, the dashboard failed to recognize administrative privileges for users in the administrative group.
      Group role bindings are now correctly applied to cluster administrators as expected.
      Show
      Group role bindings were not applied to cluster administrators Previously, if you had assigned cluster admin privileges to a group rather than a specific user, the dashboard failed to recognize administrative privileges for users in the administrative group. Group role bindings are now correctly applied to cluster administrators as expected.
    • Documented as Resolved Issue
    • No
    • Yes
    • None
    • RHODS 1.17
    • Important

      Description of problem:

      If cluster admin privileges are assign to a group instead of specific user the Dashboard does not recognize the users from that group as RHODS Admin. 

      Bug related to https://issues.redhat.com/browse/RHODS-2740 

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      1. Assign cluster admin permission to an Openshift group
      2. Log in RHODS Dashboard using one of the users belonging to the group from point 1
      3. check if you have access to "Settings" section
      4. Assign cluster admin permission to a specific user rather than a group
      5. repeat point 2 and 3

      Actual results:

      • no RHODS admin access for cluster admin "group"
      • RHODS admin access granted for cluster admin "user"

      Expected results:

      RHODS admin access granted for all the cluster admins

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Build Details:

      RHODS v1.16

      Workaround:

      Assign cluster admin permissions using this kind of ClusterRoleBinding:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: my-user-cluster-admin
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
        - kind: User
          apiGroup: rbac.authorization.k8s.io
          name: my-user

      Additional info:.

      CRB for cluster admin "group"

      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
         name: osd-cluster-admin
      labels:
          hive.openshift.io/managed: 'true'
      managedFields:
         - kind: Group
            apiGroup: rbac.authorization.k8s.io
            name: cluster-admins
      subjects:     
         - kind: Group         
           apiGroup: rbac.authorization.k8s.io         
           name: my-user-group
      roleRef:
         apiGroup: rbac.authorization.k8s.io
         kind: ClusterRole
         name: cluster-admin
      
      

              lferrnan@redhat.com Lucas Fernandez Aragon
              rhn-support-bdattoma Berto D'Attoma
              Milind Waykole Milind Waykole
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: