Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PUT request that modifies route certificate fails #15772

Closed
spadgett opened this issue Aug 14, 2017 · 19 comments
Closed

PUT request that modifies route certificate fails #15772

spadgett opened this issue Aug 14, 2017 · 19 comments
Assignees
@smarterclayton
Labels
component/networking kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/P2

Comments

@spadgett
Copy link
Member

This looks like an API breaking change in 3.6. If I do a PUT on a route and change the spec.tls.certificate, I'm told the field is immutable. But oc edit allows me to change the value.

The error breaks the web console route editor in 3.6.

@knobunc Let me know if I'm wrong and the field should be immutable, but I believe we were able to change it in previous releases.

@smarterclayton @andrewklau

See openshift/origin-web-console#1930

Version

3.6.0

Steps To Reproduce
  1. Edit a route in the web console (or edit the route YAML in the web console).
  2. Only change the route certificate.

You'll see an error saying the field is immutable. If you inspect the web console PUT request in developer tools, the only value changed in the request body is spec.tls.certificate.
@spadgett spadgett added kind/bug Categorizes issue or PR as related to a bug. priority/P1 labels Aug 14, 2017
@spadgett spadgett mentioned this issue Aug 14, 2017
Closed
@smarterclayton
Copy link
Contributor

smarterclayton commented Aug 14, 2017 via email

@smarterclayton
Copy link
Contributor

smarterclayton commented Aug 14, 2017 via email

@spadgett
Copy link
Member Author

Old endpoint

I can reproduce using the same object returned by the API, just changing the certificate value. No empty fields added

@smarterclayton
Copy link
Contributor

smarterclayton commented Aug 14, 2017 via email

@smarterclayton
Copy link
Contributor

smarterclayton commented Aug 14, 2017 via email

@spadgett spadgett assigned spadgett and unassigned knobunc Aug 14, 2017
@spadgett
Copy link
Member Author

@smarterclayton Thanks. I'm getting a 422 with the following response body.

Debating making the field read only in the web console, although it would mean users who can edit the certificate won't be able to through the console.

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Route \"node-edge\" is invalid: spec.tls.certificate: Invalid value: \"foo\": field is immutable",
  "reason": "Invalid",
  "details": {
    "name": "node-edge",
    "kind": "Route",
    "causes": [
      {
        "reason": "FieldValueInvalid",
        "message": "Invalid value: \"foo\": field is immutable",
        "field": "spec.tls.certificate"
      }
    ]
  },
  "code": 422
}

@smarterclayton
Copy link
Contributor

smarterclayton commented Aug 14, 2017 via email

@andrewklau
Copy link
Contributor

Confirmed, adding the update verb to the routes/custom-host allows a user to edit it again on the web console. I couldn't find any reference release note for this change though.

@spadgett spadgett mentioned this issue Aug 15, 2017
Merged
@spadgett spadgett assigned smarterclayton and unassigned spadgett Aug 15, 2017
@spadgett
Copy link
Member Author

@smarterclayton bump for updating the error message to say why it's immutable and possibly changing the default for update (per our conversation)

@smarterclayton
Copy link
Contributor

I don't remember why I didn't give "update" to users by default - I think it was because of the custom host being immutable which was our current behavior. @abhgupta @Miciah see the thread above.

I'll definitely improve the message for update.

@ValentinFunk
Copy link

@smarterclayton is there a way to get the update permission somehow in the dev preview? I've tried using a local role but there seems to be a rolebindingrestriction that prevents actually using the role

@macmacs macmacs mentioned this issue Sep 16, 2017
Open
@rajatchopra rajatchopra mentioned this issue Jan 18, 2018
Closed
@rajatchopra
Copy link
Contributor

pull #18177 to allow admin to update routes/custom-host by default.
Also see discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1524707

@liggitt
Copy link
Contributor

liggitt commented Jan 19, 2018

For normal users, certificates are now immutable.

how is that reasonable? certificates expire.

pull #18177 to allow admin to update routes/custom-host by default.

gating updating the certificate on an update host permission doesn't make sense to me

@rajatchopra
Copy link
Contributor

@liggitt
Would you prefer something like this: #18195
This removes TLS update out of routes/custom-host resource and keeps it in 'routes' resource only.

@liggitt
Copy link
Contributor

liggitt commented Jan 20, 2018
edited
Loading

Would you prefer something like this: #18195

the check in that PR is a duplicate of the check the apiserver already does. it's still unclear to me why we are preventing updates of the certificate.

secondly, even if we did restrict that, it should not be coupled to the same permission that allows updating the host field. updating the host is very privileged. I wouldn't expect updating a certificate to be that privileged.

@rajatchopra
Copy link
Contributor

@liggitt
Fixed the duplicate in the PR.
TLS is not coupled to routes/custom-host now (through #18195).

I agree that TLS update should not need that much privilege, but we can discuss that as follow up. The current behaviour is that not even the project admin can modify the fields, and that needs to be fixed immediately.

@openshift-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 22, 2018
@openshift-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci-robot openshift-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 23, 2018
@openshift-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@smarterclayton smarterclayton

Labels
component/networking kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/P2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@ValentinFunk @liggitt @rajatchopra @smarterclayton @spadgett @jwforres @openshift-bot @andrewklau @knobunc @openshift-ci-robot