Uploaded image for project: 'Red Hat OpenShift Data Science'
  1. Red Hat OpenShift Data Science
  2. RHODS-5100

Cluster admins user do not get RHODS admin access if CRB is defined for a group

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • RHODS_1.17.0_GA
    • RHODS_1.16.0_GA
    • UI
    • False
    • None
    • False
    • Hide

      RHODS admin access granted for all the cluster admins

      Show
      RHODS admin access granted for all the cluster admins
    • Release Notes
    • No
    • 1.17.0-9
    • No
    • Hide
      Group role bindings were not applied to cluster administrators
      Previously, if you had assigned cluster admin privileges to a group rather than a specific user, the dashboard failed to recognize administrative privileges for users in the administrative group.
      Group role bindings are now correctly applied to cluster administrators as expected.
      Show
      Group role bindings were not applied to cluster administrators Previously, if you had assigned cluster admin privileges to a group rather than a specific user, the dashboard failed to recognize administrative privileges for users in the administrative group. Group role bindings are now correctly applied to cluster administrators as expected.
    • Documented as Resolved Issue
    • No
    • Yes
    • None
    • RHODS 1.17
    • High

    Description

      Description of problem:

      If cluster admin privileges are assign to a group instead of specific user the Dashboard does not recognize the users from that group as RHODS Admin. 

      Bug related to https://issues.redhat.com/browse/RHODS-2740 

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      1. Assign cluster admin permission to an Openshift group
      2. Log in RHODS Dashboard using one of the users belonging to the group from point 1
      3. check if you have access to "Settings" section
      4. Assign cluster admin permission to a specific user rather than a group
      5. repeat point 2 and 3

      Actual results:

      • no RHODS admin access for cluster admin "group"
      • RHODS admin access granted for cluster admin "user"

      Expected results:

      RHODS admin access granted for all the cluster admins

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Build Details:

      RHODS v1.16

      Workaround:

      Assign cluster admin permissions using this kind of ClusterRoleBinding:

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-user-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: my-user

      Additional info:.

      CRB for cluster admin "group"

      kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
   name: osd-cluster-admin
labels:
    hive.openshift.io/managed: 'true'
managedFields:
   - kind: Group
      apiGroup: rbac.authorization.k8s.io
      name: cluster-admins
subjects:     
   - kind: Group         
     apiGroup: rbac.authorization.k8s.io         
     name: my-user-group
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin

      Attachments

        Issue Links

          duplicates

          Bug - A problem that impairs or prevents the functions of the product. RHODS-5200 Are cluster-admins really automatically added as Data Science admins

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is caused by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. RHODS-2740 Admin UI for mapping RHODS groups

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. RHODS-5420 Cluster admin does not get RHODS Admin access if it's the only user in the cluster

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              lferrnan@redhat.com Lucas Fernandez Aragon
              rhn-support-bdattoma Berto D'Attoma
              Milind Waykole Milind Waykole
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: