| Summary: | 401 Unauthorized for granting a specific role to user | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Steven Walter <stwalter> |
| Component: | Master | Assignee: | Jordan Liggitt <jliggitt> |
| Status: | CLOSED WORKSFORME | QA Contact: | Chuan Yu <chuyu> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.2.0 | CC: | aos-bugs, decarr, jeabraha, jokerman, mmccomas, stwalter |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-12-19 16:12:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I haven't been able to reproduce the issue, but I'm pretty sure the issue is related to a sequence involving:

1. copying default roles from a version of OpenShift that did not include apiGroups in role definitions
2. upgrading OpenShift to a version that included apiGroups in role definitions
3. reconciling default roles and removing extra permissions
Description of problem:

Trying to add a clusterrole to user causes 401 unauthorized error; however using the same user to add a different clusterrole with identical yaml works fine.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

```
$ oc policy add-role-to-user acc_edit myuser
$ oc policy add-role-to-user sdaas_edit myuser
```

Actual results:

```
$ oc policy add-role-to-user acc_edit myuser
$ oc policy add-role-to-user sdaas_edit myuser
error: You must be logged in to the server (attempt to grant extra privileges: [PolicyRule{Verbs:[get], APIGroups:[], Resources:[limitranges], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[limitranges], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[limitranges], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[namespaces], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[namespaces], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[namespaces], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[namespaces/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[namespaces/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[namespaces/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[persistentvolumes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[persistentvolumes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[persistentvolumes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[bindings], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[bindings], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[bindings], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[securitycontextconstraints], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[securitycontextconstraints], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[securitycontextconstraints], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[imagestreams/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[imagestreams/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[imagestreams/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[nodes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[nodes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[nodes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[resourcequotas], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[resourcequotas], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[resourcequotas], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[resourcequotas/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[resourcequotas/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[resourcequotas/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[events], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[events], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[events], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[replicationcontrollers/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[replicationcontrollers/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[replicationcontrollers/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[resourcequotausages], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[resourcequotausages], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[resourcequotausages], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[minions], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[minions], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[minions], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[pods/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[pods/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[pods/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[update], APIGroups:[], Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>}] user=&{acc-lae-admin.gen 6527a266-68fb-11e6-a01d-005056acedd5 [system:authenticated:oauth system:authenticated]} ownerrules=[PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[configmaps endpoints persistentvolumeclaims pods pods/attach pods/exec pods/log pods/portforward pods/proxy replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/log deploymentconfigrollbacks deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deployments generatedeploymentconfigs imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/secrets imagestreamtags localresourceaccessreviews localsubjectaccessreviews processedtemplates projects resourceaccessreviews rolebindings roles routes subjectaccessreviews templateconfigs templates], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[autoscaling], Resources:[horizontalpodautoscalers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[batch], Resources:[jobs], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[extensions], Resources:[horizontalpodautoscalers jobs replicationcontrollers/scale], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list watch], APIGroups:[extensions], Resources:[daemonsets], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list watch], APIGroups:[], Resources:[bindings configmaps endpoints events imagestreams/status limitranges minions namespaces namespaces/status nodes persistentvolumeclaims persistentvolumes pods pods/log pods/status policies policybindings replicationcontrollers replicationcontrollers/status resourcequotas resourcequotas/status resourcequotausages routes/status securitycontextconstraints serviceaccounts services], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get update], APIGroups:[], Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[update], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[delete], APIGroups:[], Resources:[oauthaccesstokens oauthauthorizetokens], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[users], ResourceNames:[~], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list], APIGroups:[], Resources:[clusterroles], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projects], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[localsubjectaccessreviews subjectaccessreviews], ResourceNames:[], Restrictions:&{{ }}} PolicyRule{Verbs:[create], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete update view], APIGroups:[], Resources:[limitranges resourcequotas], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create get], APIGroups:[], Resources:[buildconfigs/webhooks], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/source], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[patch update], APIGroups:[], Resources:[namespaces], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/custom], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/docker], ResourceNames:[], Restrictions:<nil>}] ruleResolutionErrors=[])
```

Expected results:

Either for both to succeed or both to fail. They are using "add-role-to-user" rather than "add-cluster-role-to-user", which might explain why one fails, but does not explain why the other succeeds.

Additional info:

Adding either works fine when the user adding them has cluster-admin privileges but not when they are, for instance, just a project admin. I am getting information on the user being used to test. Providing more details in following comments.
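The escalation check behind the "attempt to grant extra privileges" refusal above, and the reconcile step the earlier comment describes, as an added simplified reimplementation (not OpenShift's own code; the PolicyRule struct, the tuple breakdown in Uncovered and the Reconcile helper are assumptions made here). It shows why the error text is misleading: an owner rule that predates apiGroups (nil) and a requested rule naming the core group ([""]) both print as `APIGroups:[]`, yet the first does not cover the second.

```go
package main

// PolicyRule is a reduced stand-in for the OpenShift rule type (hypothetical
// struct for this example, not the project's own definition).
type PolicyRule struct {
	Verbs, APIGroups, Resources []string
}

// has reports whether set names want or carries the wildcard "*" (cluster-admin).
func has(set []string, want string) bool {
	for _, s := range set {
		if s == "*" || s == want {
			return true
		}
	}
	return false
}

// Uncovered breaks each requested rule into verb/group/resource tuples and returns
// those no owner rule grants; a non-empty result is what the "attempt to grant
// extra privileges" refusal in the report lists, one tuple per PolicyRule.
func Uncovered(owner, servant []PolicyRule) []PolicyRule {
	var missing []PolicyRule
	for _, s := range servant {
		for _, g := range s.APIGroups {
			for _, r := range s.Resources {
				for _, v := range s.Verbs {
					covered := false
					for _, o := range owner {
						covered = covered || (has(o.Verbs, v) && has(o.APIGroups, g) && has(o.Resources, r))
					}
					if !covered {
						missing = append(missing, PolicyRule{[]string{v}, []string{g}, []string{r}})
					}
				}
			}
		}
	}
	return missing
}

// Reconcile gives rules copied from a release that predates apiGroups an explicit core
// group ""; nil and [""] both print as "APIGroups:[]", so the error text hides the gap.
func Reconcile(rules []PolicyRule) {
	for i := range rules {
		if len(rules[i].APIGroups) == 0 {
			rules[i].APIGroups = []string{""}
		}
	}
}
```

Run Uncovered with the granting user's rules as owner and the role being granted as servant; every tuple it returns is one the user cannot hand out, and a wildcard owner rule (cluster-admin) covers everything, which matches the "works fine as cluster-admin" observation.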