Uploaded image for project: 'Red Hat OpenShift Data Science'
  1. Red Hat OpenShift Data Science
  2. RHODS-5100

Cluster admins user do not get RHODS admin access if CRB is defined for a group

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • RHODS_1.17.0_GA
    • RHODS_1.16.0_GA
    • UI
    • False
    • None
    • False
    • Hide

      RHODS admin access granted for all the cluster admins

      Show
      RHODS admin access granted for all the cluster admins
    • Release Notes
    • No
    • 1.17.0-9
    • No
    • Hide
      Group role bindings were not applied to cluster administrators
      Previously, if you had assigned cluster admin privileges to a group rather than a specific user, the dashboard failed to recognize administrative privileges for users in the administrative group.
      Group role bindings are now correctly applied to cluster administrators as expected.
      Show
      Group role bindings were not applied to cluster administrators Previously, if you had assigned cluster admin privileges to a group rather than a specific user, the dashboard failed to recognize administrative privileges for users in the administrative group. Group role bindings are now correctly applied to cluster administrators as expected.
    • Documented as Resolved Issue
    • No
    • Yes
    • None
    • RHODS 1.17
    • High

      Description of problem:

      If cluster admin privileges are assign to a group instead of specific user the Dashboard does not recognize the users from that group as RHODS Admin. 

      Bug related to https://issues.redhat.com/browse/RHODS-2740 

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      1. Assign cluster admin permission to an Openshift group
      2. Log in RHODS Dashboard using one of the users belonging to the group from point 1
      3. check if you have access to "Settings" section
      4. Assign cluster admin permission to a specific user rather than a group
      5. repeat point 2 and 3

      Actual results:

      • no RHODS admin access for cluster admin "group"
      • RHODS admin access granted for cluster admin "user"

      Expected results:

      RHODS admin access granted for all the cluster admins

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Build Details:

      RHODS v1.16

      Workaround:

      Assign cluster admin permissions using this kind of ClusterRoleBinding:

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-user-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: my-user

      Additional info:.

      CRB for cluster admin "group"

      kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
   name: osd-cluster-admin
labels:
    hive.openshift.io/managed: 'true'
managedFields:
   - kind: Group
      apiGroup: rbac.authorization.k8s.io
      name: cluster-admins
subjects:     
   - kind: Group         
     apiGroup: rbac.authorization.k8s.io         
     name: my-user-group
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin

        1. 5100.png
          132 kB
          Milind Waykole

            lferrnan@redhat.com Lucas Fernandez Aragon
            rhn-support-bdattoma Berto D'Attoma
            Milind Waykole Milind Waykole
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: