Bug 1425398

Summary: [Auth] Issues for option -z supported for long service account name in the oc policy command
Product: OpenShift Container Platform
Reporter: Chuan Yu <chuyu>
Component: oc
Assignee: Maciej Szulik <maszulik>
Status: CLOSED CURRENTRELEASE
QA Contact: Xingxing Xia <xxia>
Severity: low
Priority: medium
Version: 3.5.0
CC: aos-bugs, jokerman, mmccomas, pweil
Target Milestone: ---
Target Release: 3.7.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: Service account names were not properly validated. Consequence: The command was failing when invoked with a long SA name. Fix: Properly validate long SA names. Result: The oc policy command returns an error when a long SA name is used.
Story Points: ---
Last Closed: 2019-11-21 18:38:08 UTC
Type: Bug
Regression: ---
Documentation: ---

Description Chuan Yu 2017-02-21 10:40:10 UTC
Description of problem:
There are issues with the -z option for long service account names in the 'oc policy' command.

Version-Release number of selected component (if applicable):
# openshift version
openshift v3.5.0.32-1+4f84c83
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
always

Steps to Reproduce:
1. Run a command to grant the project admin permission to the service account, using the long name of the service account, such as 'oc policy add-role-to-user admin -z system:serviceaccount:test:default -n test'
2. Run a command to grant the project admin permission to the service account, using the long name of the service account but with a namespace different from the one given by the -n option, such as 'oc policy add-role-to-user admin -z system:serviceaccount:abc:default -n test'

Actual results:
1. The service account system:serviceaccount:test:default still does not have the project admin permission that was set.
2. No error is reported.

Expected results:
1. Logging in as the service account system:serviceaccount:test:default should give admin permission on the test project.
2. An error should be reported for the mix&match issue between -n and the SA name.

Additional info:

Comment 1 Mo 2017-02-23 04:10:13 UTC
IMHO this is not a bug.  Per the docs:

-z, --serviceaccount=[]: service account in the current namespace to use as a user

Thus -z always refers to SAs in the current namespace.  Therefore specifying the long name is invalid as that is just a construct used to refer to arbitrary SAs from cluster scope.

Comment 2 Paul Weil 2017-02-23 13:02:36 UTC
Agreed that -z is meant to be for the service account in the current namespace as per the doc and is not meant to accept the long form or reference a non-current namespace.

Comment 3 Chuan Yu 2017-02-24 02:59:17 UTC
If -z does not accept the long-form naming, then the command should raise an error when it is used.

Comment 4 Juan Vallejo 2017-10-26 21:00:56 UTC
Origin PR: https://github.com/openshift/origin/pull/17061

Comment 5 openshift-github-bot 2017-10-30 19:21:01 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/d70ebd6f21d8e601ebaa6111842e76d47d248903
return error on long-form or invalid sa name

bug: 1425398
Returns an error when the long-form name of a ServiceAccount is used
with the --serviceaccount (-z) flag in `oc policy ...' commands, or
if the name given is invalid.
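The behaviour described in the report and in the commit message above, as an added example (this is not code from the origin PR or from this bug's comments): -z takes the short name of a service account in the namespace selected by -n, the command builds the long-form subject system:serviceaccount:<namespace>:<name> itself, and a long-form value or an otherwise invalid name passed to -z is rejected instead of silently binding nothing. The function names and the name rules (ServiceAccount names as DNS-1123 subdomains, namespaces as DNS-1123 labels) are assumptions of this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Long-form subject prefix that the role-binding command builds internally
// from the namespace and the short ServiceAccount name. Passing it to -z is
// the misuse this bug is about.
const saSubjectPrefix = "system:serviceaccount:"

// Assumption: ServiceAccount names are DNS-1123 subdomains (max 253 chars)
// and namespace names are DNS-1123 labels (max 63 chars).
var (
	dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
	dns1123Label     = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
)

// ServiceAccountSubject resolves one -z value against the namespace selected
// by -n (or the current project) into the long-form subject name used in the
// role binding. It rejects long-form input instead of silently binding the
// wrong subject, and it rejects names that could never be a ServiceAccount.
func ServiceAccountSubject(namespace, name string) (string, error) {
	if strings.HasPrefix(name, saSubjectPrefix) {
		return "", fmt.Errorf("service account %q: -z takes the short name of a service account in the current namespace; use -n to select the namespace", name)
	}
	if len(name) == 0 || len(name) > 253 || !dns1123Subdomain.MatchString(name) {
		return "", fmt.Errorf("invalid service account name %q", name)
	}
	if len(namespace) == 0 || len(namespace) > 63 || !dns1123Label.MatchString(namespace) {
		return "", fmt.Errorf("invalid namespace %q", namespace)
	}
	return saSubjectPrefix + namespace + ":" + name, nil
}

// ServiceAccountSubjects resolves every value of a repeated -z flag and fails
// on the first bad one, so nothing is bound when any input is wrong.
func ServiceAccountSubjects(namespace string, names []string) ([]string, error) {
	subjects := make([]string, 0, len(names))
	for _, n := range names {
		s, err := ServiceAccountSubject(namespace, n)
		if err != nil {
			return nil, err
		}
		subjects = append(subjects, s)
	}
	return subjects, nil
}

func main() {
	// Constructed inputs mirroring the steps in the bug report.
	cases := []struct{ ns, name string }{
		{"test", "default"},                            // correct usage
		{"test", "system:serviceaccount:test:default"}, // step 1: long form, same namespace
		{"test", "system:serviceaccount:abc:default"},  // step 2: long form, other namespace
		{"test", "Not_A_Valid.Name"},                   // invalid name
	}
	for _, c := range cases {
		s, err := ServiceAccountSubject(c.ns, c.name)
		if err != nil {
			fmt.Printf("-z %s -n %s -> error: %v\n", c.name, c.ns, err)
			continue
		}
		fmt.Printf("-z %s -n %s -> binds %s\n", c.name, c.ns, s)
	}
}
```

Rejecting the long form outright, rather than parsing the namespace out of it, keeps -z consistent with its documented meaning and avoids the silent mismatch in step 2, where the namespace embedded in the name disagrees with -n.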

Comment 6 Chuan Yu 2017-11-03 08:24:32 UTC
Verified.
# openshift version
openshift v3.7.0-0.190.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8