Skip to content

[regression] oc explain doesn't work #17872

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
php-coder opened this issue Dec 19, 2017 · 5 comments
Closed

[regression] oc explain doesn't work #17872

php-coder opened this issue Dec 19, 2017 · 5 comments
Assignees
@juanvallejo
Labels
component/auth component/cli kind/bug Categorizes issue or PR as related to a bug. priority/P1

Comments

@php-coder
Copy link
Contributor

oc explain doesn't work anymore on the latest version:

$ oc explain Pod
Error from server (Forbidden): unknown
Version

oc v3.9.0-alpha.0+1c24d18-233-dirty
kubernetes v1.8.1+0d5291c
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://10.34.129.148:8443
openshift v3.9.0-alpha.0+1c24d18-233-dirty
kubernetes v1.8.1+0d5291c

Steps To Reproduce
  1. oc cluster up --version=latest
  2. oc explain Pod
Current Result
$ oc explain Pod --loglevel=8
I1219 11:28:07.046240   27763 loader.go:357] Config loaded from file /home/coder/.kube/config
I1219 11:28:07.058325   27763 round_trippers.go:414] GET https://10.34.129.148:8443/swagger-2.0.0.pb-v1
I1219 11:28:07.058338   27763 round_trippers.go:421] Request Headers:
I1219 11:28:07.058346   27763 round_trippers.go:424]     Accept: application/json, */*
I1219 11:28:07.058353   27763 round_trippers.go:424]     User-Agent: oc/v1.8.1+0d5291c (linux/amd64) kubernetes/0d5291c
I1219 11:28:07.058359   27763 round_trippers.go:424]     Authorization: Bearer zMHaSA8jdJtUPX9cDEPdT9TSbzXqRsQSaZxXCQYi-eQ
I1219 11:28:07.068940   27763 round_trippers.go:439] Response Status: 403 Forbidden in 10 milliseconds
I1219 11:28:07.068962   27763 round_trippers.go:442] Response Headers:
I1219 11:28:07.068973   27763 round_trippers.go:445]     Content-Type: application/json
I1219 11:28:07.068980   27763 round_trippers.go:445]     X-Content-Type-Options: nosniff
I1219 11:28:07.068989   27763 round_trippers.go:445]     Content-Length: 260
I1219 11:28:07.068996   27763 round_trippers.go:445]     Date: Tue, 19 Dec 2017 10:28:07 GMT
I1219 11:28:07.069003   27763 round_trippers.go:445]     Cache-Control: no-store
I1219 11:28:07.069081   27763 request.go:873] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"developer\" cannot get path \"/swagger-2.0.0.pb-v1\": User \"developer\" cannot \"get\" on \"/swagger-2.0.0.pb-v1\"","reason":"Forbidden","details":{},"code":403}
I1219 11:28:07.069282   27763 helpers.go:201] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "unknown",
  "reason": "Forbidden",
  "details": {
	"causes": [
	  {
		"reason": "UnexpectedServerResponse",
		"message": "unknown"
	  }
	]
  },
  "code": 403
}]
F1219 11:28:07.069316   27763 helpers.go:119] Error from server (Forbidden): unknown
$ oc policy can-i get /swagger-2.0.0.pb-v1
no
Expected Result

Pod schema should be displayed.
@php-coder php-coder added component/auth kind/bug Categorizes issue or PR as related to a bug. labels Dec 19, 2017
@php-coder
Copy link
Contributor Author

CC @enj @deads2k @liggitt

@php-coder
Copy link
Contributor Author

I tried to use older versions but it didn't work too, that surprised me. I tried to remove ~/.kube but the error remains the same. I tried to grant system:discovery role (and clusterrole) to the developer and it also didn't work. I don't know what is it.

@deads2k
Copy link
Contributor

deads2k commented Dec 19, 2017

Is this different than #17766 ? When you run as a cluster-admin does it work or fail?

@deads2k deads2k mentioned this issue Dec 19, 2017
Merged
@deads2k
Copy link
Contributor

deads2k commented Dec 19, 2017

Opened #17874 for permissions, but I still suspect it will fail

@php-coder
Copy link
Contributor Author

Is this different than #17766 ?

Looks like the same.

When you run as a cluster-admin does it work or fail?

Yes, it works.

@php-coder php-coder marked this as a duplicate of #17766 Dec 19, 2017
@php-coder php-coder marked this as not a duplicate of #17766 Dec 19, 2017
@php-coder php-coder reopened this Dec 19, 2017
openshift-merge-robot added a commit that referenced this issue Dec 20, 2017
@openshift-merge-robot
Merge pull request #17874 from deads2k/rbac-06-permission
31367ee 
Automatic merge from submit-queue (batch tested with PRs 17744, 17840, 17874).

add swagger permissions

Fixes permission problem from #17872

/assign php-coder
/assign simo5

@openshift/sig-security 

@php-coder see if this gets you to the next failure.
This was referenced Jan 12, 2018
Closed
Merged
Merged
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Jan 20, 2018
Merge pull request #58466 from juanvallejo/jvallejo/update-openapi-ex…
0a427a9 
…t-gvk-parsing

Automatic merge from submit-queue (batch tested with PRs 53895, 58013, 58466, 58531, 58535). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

tolerate more than one gvklist item

Some third-party resources could be part of more than one api group.
Allow this to be the case when adding openapi models to openapi data,
and default to the first item as the gvk key for that model.

Related downstream issue: openshift/origin#17872

**Release note**:
```release-note
NONE
```
cc @deads2k @soltysh
openshift-merge-robot added a commit that referenced this issue Jan 23, 2018
@openshift-merge-robot
Merge pull request #18157 from juanvallejo/jvallejo/update-openapi-ex…
cf406ea 
…t-gvk-parsing

Automatic merge from submit-queue.

UPSTREAM: 58466: tolerate more than one gvklist item

Fixes #17872
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1536845
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1529447

Origin resources, like deployment configs, are part of two api groups -
the legacy "empty" group, and, in cases like deploymentconfigs, the
"apps.openshift.io" group.

**Before**
```
$ oc explain dc
error: Couldn't find resource for "/v1, Kind=DeploymentConfig"
```

**After**
```
$ oc explain dc
DESCRIPTION:
     Deployment Configs define the template for a pod and manages deploying new
     images or configuration changes. A single deployment configuration is
     usually analogous to a single micro-service. Can support many different
     deployment patterns, including full restart, customizable rolling updates,
...
```

cc @deads2k @soltysh
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@juanvallejo juanvallejo

Labels
component/auth component/cli kind/bug Categorizes issue or PR as related to a bug. priority/P1
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@php-coder @juanvallejo @pweil- @deads2k