Bug 1313906

Summary: oc create ignores policy name
Product: OpenShift Container Platform
Component: apiserver-auth
Version: 3.1.0
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Reporter: Evgheni Dereveanchin <ederevea>
Assignee: David Eads <deads>
QA Contact: weiwei jiang <wjiang>
CC: aos-bugs, jokerman, mmccomas, pweil, wsun
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-03-04 14:48:11 UTC

Description Evgheni Dereveanchin 2016-03-02 15:19:14 UTC
Description of problem:
When creating a policy using "oc create", the name is ignored and a "default" policy is created

Version-Release number of selected component (if applicable):
# oc version
oc v3.1.1.6-16-g5327e56
kubernetes v1.1.0-origin-1107-g4c8e6f4
# rpm -q atomic-openshift-master
atomic-openshift-master-3.1.1.6-3.git.16.5327e56.el7aos.x86_64

How reproducible:
always

Steps to Reproduce:
1. create new project
   oc new-project test
2. try to create test policy

oc create -f - <<EOF
apiVersion: v1
kind: Policy
metadata:
  name: test
roles:
- name: test
  role:
    metadata:
      name: test
      namespace: test
    rules:
    - apiGroups: null
      attributeRestrictions: null
      resources:
      - pods
      verbs:
      - get
      - create
EOF

Actual results:
policy "default" created


Expected results:
policy "test" created


Additional info:
this leads to issues when several policies need to exist: this will produce an error saying:
Error from server: error when creating "STDIN": policy "default" already exists


also, oc replace seems to parse this correctly:

oc replace -f - <<EOF
apiVersion: v1
kind: Policy
metadata:
  name: test
roles:
- name: test
  role:
    metadata:
      name: test
      namespace: test
    rules:
    - apiGroups: null
      attributeRestrictions: null
      resources:
      - pods
      verbs:
      - get
      - create
EOF

Error from server: error when replacing "STDIN": policy "test" not found

note that the policy name is "test" in the error message, not "default"

Comment 1 Evgheni Dereveanchin 2016-03-02 15:22:17 UTC
also here are the resulting policies that are created

# oc get policy 
NAME      ROLES     LAST MODIFIED
default   test      0001-01-01 00:00:00 +0000 UTC

# oc get policy default -o yaml
apiVersion: v1
kind: Policy
lastModified: null
metadata:
  creationTimestamp: 2016-03-02T15:17:53Z
  name: default
  namespace: "test"
  resourceVersion: "3791510"
  selfLink: /oapi/v1/namespaces/test/policies/default
  uid: ef5e1fad-e089-11e5-b5e6-52540091350e
roles:
- name: test
  role:
    metadata:
      creationTimestamp: null
      name: test
      namespace: test
    rules:
    - apiGroups: null
      attributeRestrictions: null
      resources:
      - pods
      verbs:
      - create
      - get

Comment 2 Jordan Liggitt 2016-03-03 15:47:14 UTC
Correct, only a single policy per namespace is currently allowed.

Comment 3 David Eads 2016-03-03 15:55:52 UTC
Roles are intended to be the primary mode of interacting with Policies.  The Policy object is an artifact of the storage mechanism.
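
Added example, not part of the bug report or of OpenShift's own code: following Comment 3, it splits the reporter's Policy manifest into standalone Role manifests that can each be piped to "oc create -f -", and notes that the policy name is not kept. The function name policy_to_roles is hypothetical, the input is the reporter's manifest re-typed as JSON, and the "kind: Role" / "apiVersion: v1" manifest form for a namespaced role is an assumption about the v3.1 API.

```python
import json

# The reporter's Policy manifest, re-typed as JSON (constructed sample input).
POLICY = json.loads("""
{"apiVersion": "v1", "kind": "Policy", "metadata": {"name": "test"},
 "roles": [{"name": "test",
            "role": {"metadata": {"name": "test", "namespace": "test"},
                     "rules": [{"apiGroups": null,
                                "attributeRestrictions": null,
                                "resources": ["pods"],
                                "verbs": ["get", "create"]}]}}]}
""")


def policy_to_roles(policy):
    """Split a Policy manifest into standalone Role manifests plus notes."""
    if policy.get("kind") != "Policy":
        raise ValueError("expected kind: Policy, got %r" % policy.get("kind"))
    roles, notes = [], []
    name = policy.get("metadata", {}).get("name")
    if name != "default":
        # Matches the behaviour in the report: policy "default" created.
        notes.append("policy name %r is not kept; the namespace's single "
                     "policy is named 'default'" % name)
    for entry in policy.get("roles") or []:
        role = entry["role"]
        meta = role.get("metadata", {})
        if entry.get("name") != meta.get("name"):
            notes.append("role key %r differs from role name %r"
                         % (entry.get("name"), meta.get("name")))
        # Drop null-valued rule fields so the Role states only what it grants.
        rules = [{k: v for k, v in rule.items() if v is not None}
                 for rule in role.get("rules") or []]
        # Assumed manifest form for a namespaced role (see lead-in).
        roles.append({"apiVersion": "v1", "kind": "Role",
                      "metadata": {k: meta[k] for k in ("name", "namespace")
                                   if meta.get(k)},
                      "rules": rules})
    return roles, notes


if __name__ == "__main__":
    found_roles, found_notes = policy_to_roles(POLICY)
    for note in found_notes:
        print("note:", note)
    for manifest in found_roles:
        # Each JSON document can be piped to: oc create -f -
        print(json.dumps(manifest, indent=2))
```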