Symptoms
If you are using IBM Cloud Private 3.1.2, and upgrade to Event Streams 2019.2.1, or install 2019.2.1 on an IBM Cloud Private 3.1.2 instance that already has or had a previous Event Streams installation, then the option to add schemas and schema versions are not available after a successful upgrade or installation.
The Add schema and Add schema version buttons are not available in the UI, and you cannot add schemas or schema versions by using the Event Streams CLI. For example, when running the cloudctl es schema-add command when logged in as a user with the correct permissions (Administrator or Operator roles), the following error is displayed:
cloudctl es schema-add /Users/jsmith/qp/schemas/ABC_schema_1.0.0.avsc
FAILED
Event Streams API request failed:
Error response from server. Status code: 403. Forbidden
Unable to add version 1.0.0 of schema ABC_schema to the registry.
Causes
IBM Cloud Private 3.1.2 authentication does not automatically pick up the new schema registry IAM roles if roles have been set up as part of a previous Event Streams installation on the same IBM Cloud Private instance. This happens even when using a different namespace.
Resolving the problem
To update the user permissions, roll the auth-pdp pods to pick up the new roles as follows:
- Log in to your cluster as an administrator by using the IBM Cloud Private CLI:
cloudctl login -a https://<Cluster Master Host>:<Cluster Master API Port>
The master host and port for your cluster are set during the installation of IBM Cloud Private. - List the names of the
auth-pdppods:
kubectl get pods -n kube-system | grep auth-pdp - Delete the
auth-pdppods by running the following command for eachauth-pdppod:
kubectl delete pods -n kube-system <auth-pdp-pod-name> - Wait for the new
auth-pdppods to be installed automatically. - Refresh the Event Streams UI. The Add schema and Add schema version buttons are now available in the UI. The command line options also work (for example,
cloudctl es schema-add).