Bug 1382393
Summary: | Individual OpenShift Project Not Listing Even Though It Exists | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Steven Walter <stwalter> |
Component: | apiserver-auth | Assignee: | Jordan Liggitt <jliggitt> |
Status: | CLOSED ERRATA | QA Contact: | Chuan Yu <chuyu> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3.2.0 | CC: | aos-bugs, jokerman, mmccomas, rhowe, stwalter, tdawson, wsun |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause:
Project visibility calculation failed if it encountered a rolebinding that referenced a missing role.
Consequence:
Projects containing a rolebinding that referenced a missing role would not appear when listing projects via the API.
Fix:
Skip rolebindings with invalid role references when evaluating project visibility.
Result:
Projects with invalid rolebindings still appear in the projects list if another valid rolebinding exists that grants access.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-01-18 12:42:00 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Steven Walter
2016-10-06 14:32:21 UTC
Given that there's a discrepancy between namespaces and projects I will have them run tests using the opposite, but opening the bug as they should still be appearing in the web console This appears to be an issue with either of the following: a) project cache b) authz What user are you logged into the web console as? Also, the right verb is "get", not "view" Can you capture the following from the CLI: oadm policy who-can get namespaces oc whoami oc get projects -o yaml --loglevel=8 oc get project/mc-guests-test -o yaml --loglevel=8 caused by an invalid roleRef in a rolebinding in the project. this short-circuited resourceaccessreview evaluation used to populate the project acl cache. fixed in https://github.com/openshift/origin/pull/11425 This has been merged into ose and is in OSE v3.4.0.17 or newer. Verified. openshift v3.4.0.18+ada983f kubernetes v1.4.0+776c994 etcd 3.1.0-rc.0 1.oc new-project foo 2.oc create -f binding.yaml 3.oc get projects Actual results: the project containing the policybinding still exist. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0066 |