cloudfoundry / cloud_controller_ng

Cloud Foundry Cloud Controller

Inconsistent v2/v3 behavior around creating new orgs + assigning roles

reidmit opened this issue

Issue

Inconsistent behavior around creating new orgs + assigning roles between v2 and v3.

Steps to Reproduce

We reproduced this on CAPI 3.88.0.

Using the v7 CLI (fails) and the v6 CLI (works):

v7:

  1. Enable the user-org-creation feature flag with cf7 enable-feature-flag user_org_creation
  2. Create a new user with cf7 create-user pluot pluot and login with cf7 login -u pluot -p pluot
  3. Create an org as that user with cf7 create-org pluot -v
  4. Notice that the command fails. The POST /v3/organizations succeeds in creating the org, but the POST /v3/roles to add the current user as a manager in that org fails with a 403.

v6:

  1. Enable the user-org-creation feature flag with cf6 enable-feature-flag user_org_creation
  2. Create a new user with cf6 create-user pluot pluot and login with cf6 login -u pluot -p pluot
  3. Create an org as that user with cf6 create-org pluot -v
  4. Notice that the command succeeds. The POST /v2/organizations succeeds in creating the org, and the PUT /v2/organizations/:guid/managers to add the current user as a manager in that org succeeds.

Expected result

Behavior should be consistent.

Current result

Inconsistent!

Possible Fix

Unsure, but maybe the v2 create-org endpoint adds the authenticated user as an "org user" automatically, but v3 doesn't. So when the same user tries to add a role in that org, in v3 they don't have permission?

cc @belinda-liu

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/175042021

The labels on this github issue will be updated when the story is started.

I was able to reproduce this by upgrading to the v7 client as well. If someone has any ideas where to look or what files need to be modified, I have a test cluster up and running to validate if needed.

It seems like this is the relevant code in v2: https://github.com/cloudfoundry/cloud_controller_ng/blob/master/app/controllers/runtime/organizations_controller.rb#L357-L364

From that, it appears that v2 does indeed add the authenticated user as both an "org user" and an "org manager" in the newly created org after it's created.

I'm not sure if v3's change in behavior was intentional, though. I know (from working on it!) that v3 users & roles are super tricky. There were a few decisions made that tried to correct weirdnesses in v2, but I can't remember if this was one.

cc @Gerg 👀
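The permission gap described in the issue body ("v2 adds the authenticated user as an org user, v3 doesn't") and in the comment above (v2 grants both the org-user and org-manager roles right after creation) comes down to a bootstrap problem: the second request, assigning a role, is authorized by a role the first request never granted. The following toy model is an added illustration, not code from cloud_controller_ng; the class and method names (ToyCloudController, create_org_v2, create_org_v3, assign_role, reproduce) and the simplified rule that only an org manager may grant roles in that org are assumptions made for the example.

```ruby
# Added illustration of the v2 vs. v3 org-creation flow from the issue.
# Not cloud_controller_ng code: ToyCloudController, its methods and the
# "only org managers may assign org roles" rule are simplifications.
require 'set'

# Authorization failure; the status mirrors the 403 reported for POST /v3/roles.
class Forbidden < StandardError
  def status
    403
  end
end

class ToyCloudController
  ORG_ROLES = %i[user manager].freeze

  def initialize
    @orgs = {} # org name => { role => Set of user names }
    @user_org_creation_enabled = false
  end

  # Equivalent of `cf enable-feature-flag user_org_creation`.
  def enable_feature_flag(name)
    @user_org_creation_enabled = true if name == 'user_org_creation'
  end

  # v2-style: the creating user is recorded as org user and org manager
  # as part of creation, so later role changes by that user are authorized.
  def create_org_v2(org, actor:)
    create_org(org)
    @orgs[org][:user] << actor
    @orgs[org][:manager] << actor
    org
  end

  # v3-style (pre-fix): the org is created with no roles for the creator.
  def create_org_v3(org, actor:)
    create_org(org)
    org
  end

  # Separate role-assignment request (POST /v3/roles or PUT .../managers).
  # Authorized only when the actor already manages the org.
  def assign_role(org, role:, target:, actor:)
    raise ArgumentError, "unknown org role #{role.inspect}" unless ORG_ROLES.include?(role)
    raise Forbidden, "#{actor} cannot assign roles in #{org}" unless manager?(org, actor)

    @orgs.fetch(org)[role] << target
    true
  end

  def roles_for(org, user)
    @orgs.fetch(org, {}).select { |_, members| members.include?(user) }.keys
  end

  def manager?(org, user)
    @orgs.key?(org) && @orgs[org][:manager].include?(user)
  end

  private

  def create_org(org)
    raise Forbidden, 'user_org_creation feature flag is disabled' unless @user_org_creation_enabled
    raise ArgumentError, "org #{org} already exists" if @orgs.key?(org)

    @orgs[org] = ORG_ROLES.to_h { |r| [r, Set.new] }
  end
end

# Replays the CLI flow from the issue (constructed user "pluot") against the
# toy controller and reports the outcome of the second request.
def reproduce(api_version)
  cc = ToyCloudController.new
  cc.enable_feature_flag('user_org_creation')
  user = 'pluot'
  api_version == :v2 ? cc.create_org_v2('pluot', actor: user) : cc.create_org_v3('pluot', actor: user)
  # The CLI's follow-up request: make the current user a manager of the new org.
  cc.assign_role('pluot', role: :manager, target: user, actor: user)
  { status: 200, roles: cc.roles_for('pluot', user) }
rescue Forbidden => e
  { status: e.status, roles: cc.roles_for('pluot', user), error: e.message }
end

if $PROGRAM_NAME == __FILE__
  puts "v2: #{reproduce(:v2).inspect}"
  puts "v3: #{reproduce(:v3).inspect}"
end
```

Running it prints a 200 with roles [:user, :manager] for the v2 flow and a 403 with no roles for the v3 flow, which is the asymmetry the CLI exposes: the authorization check on the role-assignment endpoint is the same in both cases, and the difference is entirely in what the creation endpoint grants to the creator.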

This issue was addressed by e8c96c3 and ef4a74f.

Thank you!

The fix for this issue was released in capi-release 1.105. Thank you for raising this issue!