System Service Account is not working #1047
Comments
|
@andriisoldatenko can you peek at this? |
|
@burandobata Is this still a problem for you? Version 0.23 is not supported anymore, but if the problem still exists we'd like to fix it. @bote795 can you peek at this? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It looks like permissions of system service account are being degraded after it will create a workspace or deployment.Here is the whole process that is 100% reproducible:1. create a service account:mutation CreateSystemServiceAccount { createSystemServiceAccount(label: "system_service", role: SYSTEM_ADMIN, category: "admin") { apiKey, id, label, active, category, createdAt, updatedAt, entityType, entityUuid, roleBinding{ id, role, user{ id, username, status }, workspace{ id, label }, createdAt, deployment{ id, label }, serviceAccount{ id, label, entityType } }, workspaceUuid, deploymentUuid } }You will receive output like:{ "data": { "createSystemServiceAccount": { "apiKey": "2bed8b720769a856d19487e254692ba4", "id": "ckn09stlt26041rkjuzg9rz3n", "label": "system_service", "active": true, "category": "admin", "createdAt": "2021-04-02T12:15:36.929Z", "updatedAt": "2021-04-02T12:15:36.930Z", "entityType": "DEPLOYMENT", "entityUuid": null, "roleBinding": { "id": "ckn09stlt26051rkjqqu79vov", "role": "SYSTEM_ADMIN", "user": null, "workspace": null, "createdAt": "2021-04-02T12:15:36.930Z", "deployment": null, "serviceAccount": { "id": "ckn09stlt26041rkjuzg9rz3n", "label": "system_service", "entityType": "DEPLOYMENT" } }, "workspaceUuid": null, "deploymentUuid": null } }query get_system_account{ serviceAccounts(serviceAccountUuid:"ckn09stlt26041rkjuzg9rz3n", entityType:DEPLOYMENT){ id, label, roleBinding{ id, role } } }which outputs with:
{ "errors": [ { "message": "Cannot read property 'roleBindings' of undefined", "locations": [ { "line": 114, "column": 3 } ], "path": [ "serviceAccounts" ], "extensions": { "code": "INTERNAL_SERVER_ERROR" } } ], "data": { "serviceAccounts": null } }3. But fortunately we can query with update mutation :) :mutation update_role_binding { updateServiceAccount(serviceAccountUuid:"ckmumddi889361qk1il2k0ij7", payload: { roleBinding: { role:SYSTEM_ADMIN } } ){ id, label, roleBinding{ id, role }, active } }Output looks ok, we are SYSTEM_ADMIN:{ "data": { "updateServiceAccount": { "id": "ckn09stlt26041rkjuzg9rz3n", "label": "system_service", "roleBinding": { "id": "ckn09stlt26051rkjqqu79vov", "role": "SYSTEM_ADMIN" }, "active": true } } }4. Now lets create a workspace:mutation CreateWorkspace { createWorkspace( label:"TestingWorkspaceFromAPI", description:"Created with system service account." ){ id, label } }and we are successful with that:{ "data": { "createWorkspace": { "id": "ckn09zqms27041rkjrh9x8h01", "label": "TestingWorkspaceFromAPI" } } }5. But this is where we are bumping into problem, service account is no longer a system service account, it's role binding has switched to WORKSPACE_ADMIN:{ "data": { "updateServiceAccount": { "id": "ckn09stlt26041rkjuzg9rz3n", "label": "system_service", "roleBinding": { "id": "ckn09zqms27051rkjea6s53of", "role": "WORKSPACE_ADMIN" }, "active": true } } }This makes usability of system service account very limited. Plus there is a problem with service listing in CLI as well - same issue with undefined roleBindings.Is this something known and planned to be fixed?I've didn't noticed that I was running not the latest version :/ In v0.23.12 system service account seems to work fine. However there is still a problem with
query get_system_account{ serviceAccounts(serviceAccountUuid:"ckn09stlt26041rkjuzg9rz3n", entityType:DEPLOYMENT){ id, label, roleBinding{ id, role } } }It still complains about rolebindings being undefined.The text was updated successfully, but these errors were encountered: