Inconsistent v2/v3 behavior around creating new orgs + assigning roles #1879

Closed
reidmit opened this issue Sep 29, 2020 · 6 comments

@reidmit
Contributor

reidmit commented Sep 29, 2020

Issue

Inconsistent behavior around creating new orgs + assigning roles between v2 and v3.

Steps to Reproduce

We reproduced this on CAPI 3.88.0.

Using the v7 CLI (fails) and the v6 CLI (works):

v7:

  1. Enable the user-org-creation feature flag with `cf7 enable-feature-flag user_org_creation`
  2. Create a new user with `cf7 create-user pluot pluot` and login with `cf7 login -u pluot -p pluot`
  3. Create an org as that user with `cf7 create-org pluot -v`
  4. Notice that command fails. The `POST /v3/organizations` succeeds in creating the org, but the `POST /v3/roles` to add the current user as a manager in that org fails with a 403.

v6:

  1. Enable the user-org-creation feature flag with `cf6 enable-feature-flag user_org_creation`
  2. Create a new user with `cf6 create-user pluot pluot` and login with `cf6 login -u pluot -p pluot`
  3. Create an org as that user with `cf6 create-org pluot -v`
  4. Notice that command succeeds. The `POST /v2/organizations` succeeds in creating the org, and the `PUT /v2/organizations/:guid/managers` to add the current user as a manager in that org succeeds.

Expected result

Behavior should be consistent.

Current result

Inconsistent!

Possible Fix

Unsure, but maybe the v2 create-org endpoint adds the authenticated user as an "org user" automatically, but v3 doesn't. So when the same user tries to add a role in that org, in v3 they don't have permission?

cc @belinda-liu

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/175042021

The labels on this github issue will be updated when the story is started.

@jgallucci32

I was able to reproduce this by upgrading to the v7 client as well. If someone has any ideas where to look or what files need to be modified, I have a test cluster up and running to validate if needed.

@reidmit
Contributor Author

reidmit commented Sep 29, 2020

It seems like this is the relevant code in v2: https://github.com/cloudfoundry/cloud_controller_ng/blob/master/app/controllers/runtime/organizations_controller.rb#L357-L364

From that, it appears that v2 does indeed add the authenticated user as both an "org user" and an "org manager" in the newly created org after it's created.

I'm not sure if v3's change in behavior was intentional, though. I know (from working on it!) that v3 users & roles are super tricky. There were a few decisions made that tried to correct weirdnesses in v2, but I can't remember if this was one.

cc @Gerg 👀
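
A simplified model of the two flows discussed in this thread, added here as an illustration (it is not cloud_controller_ng code and not part of any comment). `ToyController`, `create_org_flow` and the `assign_creator:` switch are hypothetical names, and the rule that only an admin or an existing org manager may grant a role is an assumption consistent with the 403 reported above.

```ruby
# Simplified model (added example, not cloud_controller_ng code).
# Assumption: granting a role in an org requires the caller to be an
# admin or already an org manager of that org.
require 'securerandom'

class Forbidden < StandardError; end

class ToyController
  attr_reader :roles

  def initialize(user_org_creation: true)
    @user_org_creation = user_org_creation # models the feature flag
    @orgs = {}
    @roles = Hash.new { |h, k| h[k] = [] } # org guid => [[user, role], ...]
  end

  # assign_creator: true models the v2 behaviour described in the thread,
  # false models the v3 behaviour reported in the issue.
  def create_org(actor, name, assign_creator:)
    raise Forbidden, 'org creation not allowed' unless actor == :admin || @user_org_creation
    guid = SecureRandom.uuid
    @orgs[guid] = name
    if assign_creator
      @roles[guid] << [actor, :organization_user] << [actor, :organization_manager]
    end
    guid
  end

  # Models POST /v3/roles or PUT /v2/organizations/:guid/managers.
  def grant_role(actor, org_guid, user, role)
    allowed = actor == :admin || @roles[org_guid].include?([actor, :organization_manager])
    raise Forbidden, '403' unless allowed
    @roles[org_guid] << [user, role] unless @roles[org_guid].include?([user, role])
    :ok
  end
end

# Runs the CLI's two-step create-org flow and reports the outcome.
def create_org_flow(cc, user, assign_creator:)
  guid = cc.create_org(user, 'pluot', assign_creator: assign_creator)
  cc.grant_role(user, guid, user, :organization_manager)
  { status: :ok, roles: cc.roles[guid] }
rescue Forbidden
  { status: :forbidden, roles: cc.roles[guid] } # org exists but has no manager
end
```

In the `assign_creator: false` case the org is created and then left with no manager, because the two requests are not atomic; only an admin can repair it afterwards.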

@Gerg
Member

Gerg commented Feb 1, 2021

This issue was addressed by e8c96c3 and ef4a74f.

@reidmit
Contributor Author

reidmit commented Feb 1, 2021

Thank you!

@elenasharma
Contributor

The fix for this issue was released in capi-release 1.105. Thank you for raising this issue!
