search

redhat-developer / web-terminal-operator

OpenShift Console Web Terminal
MIT License
40 stars 15 forks source link

Error Loading OpenShift command line terminal: User is not a owner of the requested workspace #162

Open jdandrea opened 3 months ago

jdandrea commented 3 months ago

Describe the bug

Can't open an OpenShift Command Line Terminal as of a fresh install a few days ago.

Expected Behavior

Should be presented with the command line terminal.

Current Behavior

Error displayed in red: "Error Loading OpenShift command line terminal: User is not a owner of the requested workspace"

Steps to Reproduce

  1. Login to a newly deployed OCP 4.15 cluster (3 control plane, 2 worker nodes) as kubeadmin, default project
  2. Install Web Terminal operator with all default settings
  3. Start a Web Terminal session, eventually see error; try again, same error
  4. Follow documented manual steps to uninstall, repeat steps above, same error

Environment

Cloud:

OpenShift Version: 4.15

What's odd is this has worked before, and I'm fairly sure it worked on 4.15. Will try again on 4.14 just to be sure.

AObuchow commented 3 months ago

@jdandrea Thank you for reporting this issue, I experienced it the other day but didn't have a chance yet to report it.

From what it seems, this bug occurs specifically when logged into a cluster as kubeadmin, and I think it only occurs on OpenShift >= 4.15. My assumption is that some changes were made to kubeadmin's ownership of the openshift-terminal namespace.

Opening web terminals as a non-root user on OpenShift should still work, however.

I will look into this further as this bug needs to be resolved.

jdandrea commented 3 months ago

That`s good news @AObuchow, thank you!

I will drop back to 4.14 as I need to be kubeadmin for this particular thing I'm doing. Meanwhile, if I can help reality-check anything on my end, please let me know. Happy to help where I can.

AObuchow commented 3 months ago

Sounds good @jdandrea thank you!!

AObuchow commented 3 months ago

@jdandrea just to confirm: you aren't experiencing this bug on OpenShift 4.14 correct?

Edit: Just verified it myself and this bug doesn't occur on OpenShift 4.14

jdandrea commented 3 months ago

Correct, it's all good on 4.14!

AObuchow commented 3 months ago

I believe I found the source of this bug:

Prior to OCP 4.15, the OpenShift console expected the devworkspace's controller.devfile.io/creator label to be set to an empty string when logged in to the cluster as kubeadmin due to https://github.com/openshift/origin/issues/24950 (related Che issue). In essence, the kubeadmin user does not have a uid, and thus DevWorkspace-Operator sets the controller.devfile.io/creator label to an empty string.

However, due to a recent change made to the OpenShift Console for 4.15, the OpenShift console is now expecting the controller.devfile.io/creator label to be set to kubeadmin username, instead of its (empty string) uid, resulting in this bug.

To fix this issue we could either:

I'm inclined to go with the later solution, as we will be releasing DWO 0.27 in the coming weeks. CC: @ibuziuk

jdandrea commented 3 months ago

Thank you so much for finding the root cause, @AObuchow. Even without knowing more about the internals, that DWO change sounds good to me too.

AObuchow commented 3 months ago

Upon further discussion with @ibuziuk, the OpenShift console should ideally revert the change that broke WTO as kubeadmin. Changing DWO's behaviour specifically for kubeadmin, to accommodate an unnecessary change to the OpenShift console is not ideal. Additionally, explicitly indicating in plain-text that kubeadmin (i.e. root) owns a specific devworkspace object is not ideal.

jdandrea commented 3 months ago

I had not considered (or known of) those points. Thank you for noting them here.

Lucifergene commented 1 month ago

Hey! Is there any update on this? We are not able to use the terminal at all for related bugs. Please keep this in highest priority. Last tested on: 4.16.0-0.nightly-2024-05-19-083311

AObuchow commented 1 month ago

Hey! Is there any update on this?

@Lucifergene Yes, I apologize for the delay in getting this resolved. We are working towards an agreed upon solution that will be implemented in the OpenShift Console (see here and here) and the DevWorkspace Operator (see here). Those 3 issues are blocking the resolution of this bug.

We are not able to use the terminal at all for related bugs.

Do you mind clarifying here? Are you in a situation where only kubeadmin can be used? Or is this affecting other users?

Please keep this in highest priority.

Will do, this is actively being worked on. My current estimate is that this will be fixed in DevWorkspace Operator 0.29 as DevWorkspace Operator 0.28 is targeted for release later this week.

Last tested on: 4.16.0-0.nightly-2024-05-19-083311

Thank you for testing!

cmays20 commented 1 month ago

Is there are workaround for this on 4.15?

AObuchow commented 1 month ago

Is there are workaround for this on 4.15?

@cmays20 No, unfortunately :( I've tried looking into workarounds but it seems code changes are required to the DevWorkspace Operator and OpenShift Console.

AObuchow commented 6 days ago

The breaking change that caused this issue has now been reverted in OpenShift 4.15: https://github.com/openshift/console/pull/13719

The 4.16 backport is in progress: https://github.com/openshift/console/pull/14027

The 4.15 backport will come after the 4.16 backport has been merged.

This issue will soon be resolved.