[k8s] Can't create Projects with low-permissioned users #42116

Closed
fabianvf opened this issue Jun 29, 2018 · 3 comments · Fixed by #42132
Labels
affects_2.6 This issue/PR affects Ansible v2.6 bug This issue/PR relates to a bug. k8s module This issue/PR relates to a module. support:community This issue/PR relates to code supported by the Ansible community.


fabianvf commented Jun 29, 2018

SUMMARY

Users can create projects using the oc new-project command, which creates a ProjectRequest object. The old Ansible module (openshift_raw) would automatically translate Project creation into ProjectRequest creation.

Even if you specify the ProjectRequest instead of Project kind, the request will still fail because the get will 403 (the user is not allowed to get a specific ProjectRequest).

ISSUE TYPE

  • Bug Report

COMPONENT NAME

k8s

ANSIBLE VERSION

ansible 2.6.0
  config file = /home/fabian/tmp/reproducer/forklift/containers/ansible.cfg
  configured module search path = [u'/home/fabian/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/fabian/Envs/system/lib/python2.7/site-packages/ansible
  executable location = /home/fabian/Envs/system/bin/ansible
  python version = 2.7.15 (default, May 15 2018, 15:37:31) [GCC 7.3.1 20180303 (Red Hat 7.3.1-5)]

CONFIGURATION

ANSIBLE_NOCOWS(env: ANSIBLE_NOCOWS) = True
DEFAULT_HOST_LIST(/home/fabian/tmp/reproducer/forklift/containers/ansible.cfg) = [u'/home/fabian/tmp/reproducer/forklift/inventories']
DEFAULT_ROLES_PATH(/home/fabian/tmp/reproducer/forklift/containers/ansible.cfg) = [u'/home/fabian/tmp/reproducer/forklift/containers/deploy', u'/home/fabian/tmp/reproducer/forklift/roles']
DEFAULT_STDOUT_CALLBACK(/home/fabian/tmp/reproducer/forklift/containers/ansible.cfg) = debug
DEFAULT_VERBOSITY(/home/fabian/tmp/reproducer/forklift/containers/ansible.cfg) = 1
HOST_KEY_CHECKING(/home/fabian/tmp/reproducer/forklift/containers/ansible.cfg) = False
RETRY_FILES_ENABLED(/home/fabian/tmp/reproducer/forklift/containers/ansible.cfg) = False

OS / ENVIRONMENT

fedora 27
OpenShift 3.10

STEPS TO REPRODUCE

---
- hosts: localhost
  tasks:
  - name: project foreman
    k8s:
      state: present
      definition:
        apiVersion: project.openshift.io/v1
        kind: Project
        metadata:
          name: test

EXPECTED RESULTS

Project creation success

ACTUAL RESULTS

403 failure

PLAY [localhost] *************************************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [project foreman] *******************************************************************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {
    "changed": false, 
    "error": 403, 
    "reason": "Forbidden", 
    "status": 403
}

MSG:

Failed to retrieve requested object: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"projects.project.openshift.io \"test\" is forbidden: User \"developer\" cannot get projects.project.openshift.io in the namespace \"test\": User \"developer\" cannot get project \"test\"","reason":"Forbidden","details":{"name":"test","group":"project.openshift.io","kind":"projects"},"code":403}



PLAY RECAP *******************************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1   
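
The failure described in this report, as an added example that is not part of the original issue, the Ansible k8s module, or the fix in #42132: a get-then-create routine stops at the 403 on the initial GET, while a variant that treats 403 as "not visible to this user" can go on to file a ProjectRequest. `FakeOpenShift`, `ApiError`, `ensure_naive` and `ensure_project` are hypothetical names, and the in-memory permission rules are assumptions modelled on the error message above.

```python
# Constructed simulation: FakeOpenShift and its rules are hypothetical stand-ins
# for the API server's RBAC, not the OpenShift client or the Ansible k8s module.
class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

class FakeOpenShift:
    def __init__(self, user, projects=None):
        self.user = user
        self.projects = {} if projects is None else projects  # name -> members

    def get(self, kind, name):
        if kind == "ProjectRequest":
            raise ApiError(403, "cannot get projectrequests")  # create-only
        if self.user not in self.projects.get(name, ()):
            # Assumed: non-members see 403 whether or not the project exists.
            raise ApiError(403, 'User "%s" cannot get project "%s"' % (self.user, name))
        return {"kind": "Project", "metadata": {"name": name}}

    def create(self, kind, name):
        if kind != "ProjectRequest":
            raise ApiError(403, "cannot create projects")  # assumed admin-only
        if name in self.projects:
            raise ApiError(409, "project already exists")
        self.projects[name] = {self.user}  # requester becomes a member
        return {"kind": "Project", "metadata": {"name": name}}

def ensure_naive(api, kind, name):
    """Get-then-create as in the failing task: only 404 counts as absent."""
    try:
        api.get(kind, name)
        return False
    except ApiError as exc:
        if exc.status != 404:
            raise  # the 403 from the GET surfaces here
    api.create(kind, name)
    return True

def ensure_project(api, name):
    """Treat 403 on the GET as 'not visible to me' and file a ProjectRequest."""
    try:
        api.get("Project", name)
        return False  # already a member, nothing to change
    except ApiError as exc:
        if exc.status not in (403, 404):
            raise
    api.create("ProjectRequest", name)  # 409 here: the name belongs to someone else
    return True
```

Both return values are the `changed` flag an idempotent task would report; a second `ensure_project` call for the same user returns `False` because the requester is now a member and the GET succeeds.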


ansibot commented Jun 29, 2018

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibot commented Jun 29, 2018

ansibot added the affects_2.6, bug, module, needs_triage and support:community labels Jun 29, 2018
fabianvf added a commit to fabianvf/forklift that referenced this issue Jun 29, 2018
s-hertel removed the needs_triage label Jun 29, 2018
ehelms pushed a commit to theforeman/forklift that referenced this issue Jun 29, 2018
* workaround ansible/ansible#40185

* Create rolebinding with Ansible module

* remove unnecessary oc command

* explicitly define project with annotations

* _exec -> exec

* {openshift|k8s}_raw -> k8s

* Update required ansible version

* use oc command until ansible/ansible#42116 is fixed

ansibot commented Jul 15, 2018

dagwieers added the k8s label Feb 8, 2019
johnpmitsch pushed a commit to johnpmitsch/forklift that referenced this issue Jun 27, 2019
ansible locked and limited conversation to collaborators Jul 22, 2019