[BUG] Wrong Role Collection assignment

Question

[BUG] Wrong Role Collection assignment

AnatolManikalo opened this issue 2 years ago · comments

AnatolManikalo commented 2 years ago

Is there an existing issue for this?

I have searched the existing issues

Are you using the latest docker image for BTPSA?

I'm using the latest docker image for BTPSA.

Which area is mainly impacted

Cloud Foundry setups

Current Behavior

All users mentioned in parameters.json under "myusergroups" section are added as Subaccount Administrators during "btp create accounts/subaccount" step (logfile.txt attachment, Line 77)
Wrong users are assigned to Role Collections during "btp assign security/role-collection" step (logfile.txt attachment, Line 157) — my user (anatol.manikalo@sap.com) is added to "Cloud Connector Administrator" Role Collection despite my "test_tool.json" usecase asks to add only "placeholder" group which doesn't include me (there's only one email: "m.marek+1@sap.com")

Expected Behavior

Only users from "admins" and "owners" groups are added to Subaccount Administrators as mentioned in "test_tool.json" (lines 19-24)
Only users mentioned in "test_tool.json" usecase (lines 28-32) are assigned to "Cloud Connector Administrator" Role Collection

Steps To Reproduce

./run
docker exec -it *** sh
./btpsa

Logs and configuration files available?

Archive.zip

Anything else?

Hello colleagues,
My "parameters.json" file has information about 3 user groups: "admins", "placeholder", "owners"
My "test_tool" usecase declares to assign:

groups "admins" and "owners" to "Subaccount Administrator" Role Collection;
group "placeholder" to "Cloud Connector Administrator" Role Collection
groups "admins" and "owners" to CF OrgManager role

In fact, ALL users from "parameters.json" are added as Subaccount Administrators during "btp create accounts/subaccount" step (logfile.txt attachment, Line 77)

Also my user (anatol.manikalo@sap.com) is added to "Cloud Connector Administrator" Role Collection despite my "test_tool.json" usecase asks to add only "placeholder" group which doesn't include me (there's only one email: "m.marek+1@sap.com")

P.S. Could you please let me know how to disable default space creation? logfile.txt line 114

Rui Nogueira · Answer 1 · Sun Dec 04 2022 19:12:09 GMT+0800 (China Standard Time)

Thanks @AnatolManikalo .
Regarding your points:

"In fact, ALL users from "parameters.json" are added as Subaccount Administrators during "btp create accounts/subaccount" step (logfile.txt attachment, Line 77)": for me it looks like it is working as you have defined it, as all names are taken from the admins and owners list.
I'll fix the other issue that the user who is calling the script is assigned to all roles by default.

AnatolManikalo · Answer 2 · Mon Dec 05 2022 16:28:05 GMT+0800 (China Standard Time)

Hi @rui1610
Thanks for quick reply.

Regarding point 1: according to lines 22-24 of the usecase, only "admins" and "owners" groups should be added to Subaccount Administrator role collection, however in fact user from "placeholder" group (m.marek+1@sap.com) is added as well during "btp --format json create accounts/subaccount" step (line 77 of logfile.txt).

I checked the log attentively and noticed that "Subaccount Administrator" Role Collection assignment happens twice during the run of the script: on subaccount creation step and on Role assignment step (line 77 and lines 131-157 of logfile.txt). Should it be the case?

Christian Lechner · Answer 3 · Tue Dec 06 2022 23:25:39 GMT+0800 (China Standard Time)

The reported bug is fixed. The fix is available in the dev branch (incl. Docker image) and will be available in main with release 1.2.0

Christian Lechner · Answer 4 · Wed Dec 07 2022 17:00:17 GMT+0800 (China Standard Time)

Close issue - release 1.2.0 is available.
Docker Image is updated (docker pull ghcr.io/sap-samples/btp-setup-automator:btpsa-v1.2.0)