Bug 1316460

Summary: Cluster admin should not return blank when getting a resource from a non-existent project
Product: OpenShift Container Platform
Reporter: XiaochuanWang <xiaocwan>
Component: apiserver-auth
Assignee: Jordan Liggitt <jliggitt>
Status: CLOSED CURRENTRELEASE
QA Contact: weiwei jiang <wjiang>
Severity: low
Priority: unspecified
Version: unspecified
CC: aos-bugs, mmccomas, wsun
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-05-12 17:10:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description XiaochuanWang 2016-03-10 10:17:36 UTC
Description of problem:
A cluster-admin user only gets blank output, but a non-cluster-admin user can get the info about a non-existent project. At least the cluster-admin user should get the same as a normal user (a non-cluster-admin user).

Version-Release number of selected component (if applicable):
oc v1.1.3-553-g19dbf2a
kubernetes v1.2.0-alpha.7-703-gbc4550d

How reproducible:
Always

Steps to Reproduce:
1. Log in as a cluster-admin user
2. Try to list resources from a non-existent project:
`oc get dc -n nonexistedblabla`
3. Try to reproduce with a non-cluster-admin user; this is not reproduced

Actual results:
Step 2 returns blank output.

Expected results:
Should be the same as for a non-cluster-admin user,
i.e. Error from server: User "xiaocwan1" cannot list deploymentconfigs in project "nonexistedblabla"

Additional info:

Comment 1 Jordan Liggitt 2016-03-10 18:59:53 UTC
A cluster admin has permission to list items in any namespace, so the "permission denied" error will never be returned to them.

Comment 2 XiaochuanWang 2016-03-11 05:15:27 UTC
Yes, I don't think the "permission denied" error should be returned either.
It seems it should return the correct info about the non-existent project no matter what role the user has. What do you think?

Comment 3 Jordan Liggitt 2016-03-11 05:31:09 UTC
This is working as designed. No namespace existence check is done when getting or listing objects of a given type if the user has permission across all namespaces (like a cluster admin does).

A similar change was proposed upstream in https://github.com/kubernetes/kubernetes/pull/15543 and rejected.
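
The decision order Comment 3 describes, as an added example that is not part of this report or of OpenShift's own code: a cluster-wide binding is honoured before any namespace lookup, so a cluster admin gets an empty list for a mistyped project while a namespaced user gets the forbidden error. The users, project names and bindings are assumed, and `list_checked` is a hypothetical client-side existence check of the kind admin tooling can add so that blank output is not mistaken for an empty project.

```python
"""Constructed model of the API server behaviour described in comments 1 and 3:
authorize first, then list, with no namespace existence check. Users,
namespaces and bindings are made up."""


class Forbidden(Exception):
    """Stands in for the server's 'cannot list ...' error."""


# Constructed cluster state (not from the report).
NAMESPACES = {"default", "projecta"}
DEPLOYMENTCONFIGS = {"default": ["router"], "projecta": ["frontend", "db"]}
CLUSTER_WIDE_LISTERS = {"admin"}                 # ClusterRoleBinding
NAMESPACED_LISTERS = {"projecta": {"xiaocwan1"}}  # RoleBinding per namespace


def authorize_list(user, namespace):
    """Cluster-wide permission short-circuits before any namespace lookup.

    A namespaced binding must be found in the namespace asked about; a
    namespace that does not exist has no bindings, so the answer is False.
    """
    if user in CLUSTER_WIDE_LISTERS:
        return True
    return user in NAMESPACED_LISTERS.get(namespace, set())


def list_deploymentconfigs(user, namespace):
    """Authorize, then list; an unknown namespace simply yields []."""
    if not authorize_list(user, namespace):
        raise Forbidden(f'User "{user}" cannot list deploymentconfigs '
                        f'in project "{namespace}"')
    return DEPLOYMENTCONFIGS.get(namespace, [])


def list_checked(user, namespace):
    """Hypothetical client-side check for admin tooling: report a missing
    project instead of silently treating a mistyped name as an empty one."""
    if namespace not in NAMESPACES:
        raise LookupError(f'project "{namespace}" not found')
    return list_deploymentconfigs(user, namespace)


def cli_output(user, namespace):
    """What an `oc get dc -n <namespace>` call would print for each user."""
    try:
        return " ".join(list_deploymentconfigs(user, namespace))
    except Forbidden as err:
        return f"Error from server: {err}"
```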

Comment 4 XiaochuanWang 2016-03-11 07:04:49 UTC
OK then, it seems the case is too old; I'll update the case. Thanks