Bug 1023408

Summary: The return message is improper when trying to delete the owner of the domain
Product: OpenShift Online Reporter: Qiushui Zhang <qiuzhang>
Component: MasterAssignee: Jordan Liggitt <jliggitt>
Status: CLOSED WONTFIX QA Contact: libra bugs <libra-bugs>
Severity: low Docs Contact:
Priority: medium    
Version: 2.xCC: dmcphers, jliggitt, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-20 15:46:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Qiushui Zhang 2013-10-25 11:16:51 UTC 
Description of problem:
Try to delete the owner of the domain with rest api.
1. Using "PATCH" and "POST" will get the same result:
curl -k -H "Accept: application/xml" --user qiuzhang:redhat https://int.openshift.redhat.com/broker/rest/domain/qiuzhang/members -d role=none -d id=5260b12503ef64cdce0000a9 -X PATCH

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <status>ok</status>
  <type>members</type>
  <data>
    <member>
      <type>user</type>
      <login>qiuzhang</login>
      <id>5260b12503ef64cdce0000a9</id>
      <role>admin</role>
      <explicit-role nil="true"></explicit-role>
      <from>
        <from>
          <type>owner</type>
          <role>admin</role>
        </from>
      </from>
      <owner>true</owner>
    </member>
  </data>
  <messages>
    <message>
      <severity>info</severity>
      <text>Removed 1 member.</text>
      <exit-code>0</exit-code>
      <field nil="true"></field>
      <index nil="true"></index>
    </message>
  </messages>
  <version>1.6</version>
  <api-version>1.6</api-version>
  <supported-api-versions>
    <supported-api-version>1.0</supported-api-version>
    <supported-api-version>1.1</supported-api-version>
    <supported-api-version>1.2</supported-api-version>
    <supported-api-version>1.3</supported-api-version>
    <supported-api-version>1.4</supported-api-version>
    <supported-api-version>1.5</supported-api-version>
    <supported-api-version>1.6</supported-api-version>
  </supported-api-versions>
</response>


2. If using "DELETE" method,
curl -k -H "Accept: application/xml" --user qiuzhang:redhat https://int.openshift.redhat.com/broker/rest/domain/qiuzhang/member/5260b12503ef64cdce0000a9 -X DELETE

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <status>ok</status>
  <type>member</type>
  <data>
    <member>
      <type>user</type>
      <login>qiuzhang</login>
      <id>5260b12503ef64cdce0000a9</id>
      <role>admin</role>
      <explicit-role nil="true"></explicit-role>
      <from>
        <from>
          <type>owner</type>
          <role>admin</role>
        </from>
      </from>
      <owner>true</owner>
    </member>
  </data>
  <messages>
    <message>
      <severity>info</severity>
      <text>The member qiuzhang is no longer directly granted a role.</text>
      <exit-code>132</exit-code>
      <field nil="true"></field>
      <index nil="true"></index>
    </message>
  </messages>
  <version>1.6</version>
  <api-version>1.6</api-version>
  <supported-api-versions>
    <supported-api-version>1.0</supported-api-version>
    <supported-api-version>1.1</supported-api-version>
    <supported-api-version>1.2</supported-api-version>
    <supported-api-version>1.3</supported-api-version>
    <supported-api-version>1.4</supported-api-version>
    <supported-api-version>1.5</supported-api-version>
    <supported-api-version>1.6</supported-api-version>
  </supported-api-versions>
</response>


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
1. For the PATCH method, the exit code is 0 and the return message is "Removed 1 member". Actually, the owner can NOT be deleted. The command could not be return as successfully.

2. For DELETE method, the return message "The member qiuzhang is no longer directly granted a role" is confusing.

As a result of the rest api improper result, the rhc client will always return "done".

Expected results:
The rest api returns result according to the actual result correctly.

Additional info:
Comment 1 Qiushui Zhang 2013-10-25 11:24:51 UTC 
It happens on INT (devenv_3942).
Comment 2 Jordan Liggitt 2013-10-25 12:49:57 UTC 
Membership can occur directly or indirectly. Currently, the only way membership can be granted indirectly is that the domain owner always has admin access. In the future, giving a group access to a domain would give all the members of the group indirect access to the domain.

The message returned from DELETE is correct.
Comment 3 Lili Nader 2013-10-28 05:06:09 UTC 
Is removing the owner of a domain allowed?
Comment 4 Jordan Liggitt 2013-10-28 13:14:15 UTC 
DELETE will return a 200 on any user id if the end result is that the user does not have an explicit membership on the domain (either because they didn't have one, or because we successfully removed it).

Removing the explicit membership for the domain owner (if there is one) is allowed. The owner will still have access by virtue of them being the owner. This mirrors the eventual behavior we will have around groups.