Bug 1262696
Summary: | oc login should not give misleading message "oc new-project <projectname>" to authenticated user after it logins when access to request project disabled | ||
---|---|---|---|
Product: | OKD | Reporter: | Xingxing Xia <xxia> |
Component: | oc | Assignee: | Juan Vallejo <jvallejo> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Wei Sun <wsun> |
Severity: | low | Docs Contact: | |
Priority: | medium | ||
Version: | 3.x | CC: | ffranz, jvallejo, mmccomas, xiaocwan |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause: `oc login` suggested the use of `oc new-project` to users after authentication, even if the user had no access to request new projects.
Consequence: This message was misleading, as it would guide users without projectrequest rights to perform a request they were unauthorized to perform.
Fix: The message was modified for users without access to request new projects.
Result: For users without access to request new projects, the message after authentication with `oc login` is now "You do not have access to create new projects, contact your system administrator to request a project."
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-05-30 12:50:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Xingxing Xia
2015-09-14 07:00:34 UTC
Related PR: https://github.com/openshift/origin/pull/11904

Verified on devenv-fedora_5365, openshift v1.4.0-alpha.1+7412a0e-193
Now it prompts "not have access to create new projects ..." to user.

```
$ oadm policy remove-cluster-role-from-group self-provisioner system:authenticated --config=openshift.local.config/master/admin.kubeconfig
$ oadm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth --config=openshift.local.config/master/admin.kubeconfig # Now requires this step
$ oc login
Authentication required for https://localhost:8443 (openshift)
Username: star
Password:
Login successful.
You do not have access to create new projects, contact your system administrator to request a project.
```

Updated PR: https://github.com/openshift/origin/pull/12008

When origin and OCP 3.4 merge the fix. Will it back port to OCP 3.3?

No backport to OCP 3.3 planned.

Issue in comment2 does not reproduce on OCP v3.4.0.37. But it seems this fix https://github.com/openshift/origin/pull/12008 is still not merged in OCP v3.4.0.37. Is there any plan to merge the fix into OCP?

I am not sure if there are plans to backport this fix. Most likely the commit will only be in v3.5 along with everything else. This is not severe enough to justify a backport.

Considering Origin PR 12008 is merged in origin repo and works well in Origin env, could you please move bug to ON_QA so it will be moved to VERIFIED?

Verification steps in Origin env:

```
$ oc version
oc v1.5.0-alpha.0+6b08947-378
...
```

Make sure auth users can create projectrequests. This is default if remove-cluster-role-from-group is not done for below cluster role and group. If done, revert by:

```
$ oadm policy add-cluster-role-to-group self-provisioner system:authenticated:oauth
```

1st, remove the verb 'list' from 'projectrequests'

```
$ oc edit clusterrole basic-user --config /openshift.local.config/master/admin.kubeconfig
clusterrole "basic-user" edited
```

2nd, oc login

```
$ oc login https://master:8443
Authentication required for https://master:8443 (openshift)
Username: xxia
Password:
Login successful.
You do not have access to create new projects, contact your system administrator to request a project.
```

3rd, try new-project

```
$ oc new-project xxia-proj
Error from server: User "xxia" cannot list all projectrequests in the cluster
```

Verified on oc/openshift v1.5.0-alpha.0+48b0a74-434

1) By edit role:

```
# oc edit clusterrole basic-user --config /openshift.local.config/master/admin.kubeconfig
clusterrole "basic-user" edited
# oc login
Login successful.
You do not have access to create new projects, contact your system administrator to request a project.
```

2) By remove groups

```
# oadm policy remove-cluster-role-from-group self-provisioner system:authenticated
# oadm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
# oc login
Login successful.
You do not have access to create new projects, contact your system administrator to request a project.
```
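The verification steps above unbind `self-provisioner` from two separate groups. The following is an added example, not part of the original bug report or of the origin code base: it audits a saved cluster role binding list and reports which of those two groups can still request projects. It assumes the JSON shape of `oc get clusterrolebindings -o json` (`roleRef.name`, `groupNames`, `subjects`); the function names and the sample data are constructed for illustration.

```python
import json

# The two groups the bug's verification steps unbind from self-provisioner.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}

def groups_bound_to(role, bindings_doc):
    """Return the set of group names bound to `role` in a binding list."""
    found = set()
    for binding in bindings_doc.get("items", []):
        if binding.get("roleRef", {}).get("name") != role:
            continue
        # Assumed layout 1: OpenShift policy objects list groups in groupNames.
        found.update(binding.get("groupNames") or [])
        # Assumed layout 2: groups appear as subjects with a group kind.
        for subject in binding.get("subjects") or []:
            if subject.get("kind") in ("Group", "SystemGroup") and subject.get("name"):
                found.add(subject["name"])
    return found

def self_provisioning_leftovers(bindings_doc):
    """Broad groups still able to request projects; empty list means none."""
    return sorted(groups_bound_to("self-provisioner", bindings_doc) & BROAD_GROUPS)

# Constructed sample: only the first removal command was run, so the
# system:authenticated:oauth binding is still present.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "self-provisioners"},
   "roleRef": {"name": "self-provisioner"},
   "groupNames": ["system:authenticated:oauth"],
   "subjects": [{"kind": "SystemGroup", "name": "system:authenticated:oauth"}]},
  {"metadata": {"name": "basic-users"},
   "roleRef": {"name": "basic-user"},
   "groupNames": ["system:authenticated"],
   "subjects": [{"kind": "SystemGroup", "name": "system:authenticated"}]}
]}
""")

if __name__ == "__main__":
    leftovers = self_provisioning_leftovers(SAMPLE)
    if leftovers:
        print("self-provisioner still bound to:", ", ".join(leftovers))
    else:
        print("no broad group is bound to self-provisioner")
```

An empty result covers only the group bindings; it does not reflect edits to the `basic-user` role, the other method used in the verification steps.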