Inconsistent v2/v3 behavior around creating new orgs + assigning roles #1879
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/175042021 The labels on this github issue will be updated when the story is started.
I was able to reproduce this by upgrading to the v7 client as well. If someone has any ideas where to look or what files need modified I have a test cluster up and running to validate if needed.
It seems like this is the relevant code in v2: https://github.com/cloudfoundry/cloud_controller_ng/blob/master/app/controllers/runtime/organizations_controller.rb#L357-L364 From that, it appears that v2 does indeed add the authenticated user as both an "org user" and an "org manager" in the newly created org after it's created. I'm not sure if v3's change in behavior was intentional, though. I know (from working on it!) that v3 users & roles are super tricky. There were a few decisions made that tried to correct weirdnesses in v2, but I can't remember if this was one. cc @Gerg 👀
Thank you!
The fix for this issue was released in capi-release 1.105. Thank you for raising this issue!
Issue
Inconsistent behavior around creating new orgs + assigning roles between v2 and v3.
Steps to Reproduce
We reproduced this on CAPI 3.88.0.
Using the v7 CLI (fails) and the v6 CLI (works):
v7:
cf7 enable-feature-flag user_org_creation
cf7 create-user pluot pluot
and login with cf7 login -u pluot -p pluot
cf7 create-org pluot -v
POST /v3/organizations succeeds in creating the org, but the POST /v3/roles to add the current user as a manager in that org fails with a 403.
v6:
cf6 enable-feature-flag user_org_creation
cf6 create-user pluot pluot
and login with cf6 login -u pluot -p pluot
cf6 create-org pluot -v
POST /v2/organizations succeeds in creating the org, and the PUT /v2/organizations/:guid/managers to add the current user as a manager in that org succeeds.
Expected result
Behavior should be consistent.
Current result
Inconsistent!
Possible Fix
Unsure, but maybe the v2 create-org endpoint adds the authenticated user as an "org user" automatically, but v3 doesn't. So when the same user tries to add a role in that org, in v3 they don't have permission?
cc @belinda-liu