Bug 1262696
| Summary: | oc login should not give misleading message "oc new-project <projectname>" to authenticated user after it logins when access to request project disabled | ||
|---|---|---|---|
| Product: | OKD | Reporter: | Xingxing Xia <xxia> |
| Component: | oc | Assignee: | Juan Vallejo <jvallejo> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Wei Sun <wsun> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.x | CC: | ffranz, jvallejo, mmccomas, xiaocwan |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: `oc login` suggested the use of `oc new-project` to users after authentication, even if the user had no access to request new projects.
Consequence: This message was misleading, as it would guide users without projectrequest rights to perform a request they were unauthorized to perform.
Fix: The message was modified for users without access to request new projects.
Result: For users without access to request new projects, the message after authentication with `oc login` is now "You do not have access to create new projects, contact your system administrator to request a project."
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-05-30 12:50:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Related PR: https://github.com/openshift/origin/pull/11904 Verified on devenv-fedora_5365, openshift v1.4.0-alpha.1+7412a0e-193 Now it prompts "not have access to create new projects ..." to user. $ oadm policy remove-cluster-role-from-group self-provisioner system:authenticated --config=openshift.local.config/master/admin.kubeconfig $ oadm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth --config=openshift.local.config/master/admin.kubeconfig # Now requires this step $ oc login Authentication required for https://localhost:8443 (openshift) Username: star Password: Login successful. You do not have access to create new projects, contact your system administrator to request a project. Updated PR: https://github.com/openshift/origin/pull/12008 When origin and OCP 3.4 merge the fix. Will it back port to OCP 3.3? No backport to OCP 3.3 planned. Issue in comment2 does not reproduced on OCP v3.4.0.37 But it seems this fix https://github.com/openshift/origin/pull/12008 is still not merged in OCP v3.4.0.37 Is there any plan to merge the fix into OCP? I am not sure if there are plans to backport this fix. Most likely the commit will only be in v3.5 along with everything else. This is not severe enough to justify a backport. Considering Origin PR 12008 is merged in origin repo and works well in Origin env, could you please move bug to ON_QA so it will be moved to VERIFIED? Verification steps in Origin env: $ oc version oc v1.5.0-alpha.0+6b08947-378 ... Make sure auth users can create projectrequests. This is default if remove-cluster-role-from-group is not done for below cluster role and group. If done, revert by: $ oadm policy add-cluster-role-to-group self-provisioner system:authenticated:oauth 1st, remove the verb 'list' from 'projectrequests' $ oc edit clusterrole basic-user --config /openshift.local.config/master/admin.kubeconfig clusterrole "basic-user" edited 2nd, oc login $ oc login https://master:8443 Authentication required for https://master:8443 (openshift) Username: xxia Password: Login successful. You do not have access to create new projects, contact your system administrator to request a project. 3rd, try new-project $ oc new-project xxia-proj Error from server: User "xxia" cannot list all projectrequests in the cluster Verified on oc/openshift v1.5.0-alpha.0+48b0a74-434 1) By edit role: # oc edit clusterrole basic-user --config /openshift.local.config/master/admin.kubeconfig clusterrole "basic-user" edited # oc login Login successful. You do not have access to create new projects, contact your system administrator to request a project. 2) By remove groups # oadm policy remove-cluster-role-from-group self-provisioner system:authenticated # oadm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth # oc login Login successful. You do not have access to create new projects, contact your system administrator to request a project. |
Description of problem: oc login should not give misleading message "oc new-project <projectname>" to authenticated user after it logins when access to request project disabled Version-Release number of selected component (if applicable): openshift v1.0.5-344-gd9fb965 oc v1.0.5-344-gd9fb965 kubernetes v1.1.0-alpha.0-1605-g44c91b1 How reproducible: Always Steps to Reproduce: 1. Disable access to request project with cluster-admin # oadm policy remove-cluster-role-from-group self-provisioner system:authenticated --config=openshift.local.config/master/admin.kubeconfig 2. Log in terminal with a normal user Actual results: 2. After login ok, the following message show up: You don't have any projects. You can try to create a new project, by running $ oc new-project <projectname> Expected results: 2. Now that authenticated users' access to request project is totally disabled, oc login should not give misleading message "oc new-project <projectname>". Instead, CLI should prompt sth like: Contact your system administrator to request a project.