Bug 1449608

Summary: Got error message when using `oc get storageclass storageclass_name`
Product: OpenShift Container Platform
Reporter: Chao Yang <chaoyang>
Component: Storage
Assignee: Matthew Wong <mawong>
Status: CLOSED ERRATA
QA Contact: Chao Yang <chaoyang>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.6.0
CC: aos-bugs, aos-storage-staff, bchilds, bingli, eparis, mawong, screeley, trankin, xtian
Target Milestone: ---
Keywords: Reopened
Target Release: 3.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: default bootstrap policy allowed basic users to 'get' storage classes but not 'list' them
Consequence: basic users could not 'oc get' a specific storage class to get its specification even though they could issue 'oc get storageclass' and receive a list of all storage classes' specifications
Fix: modify bootstrap policy
Result: basic users can 'oc get' specific storage classes
Last Closed: 2017-11-28 21:54:33 UTC
Type: Bug

Description Chao Yang 2017-05-10 11:10:10 UTC
Description of problem:
When using the command `oc get storageclass storageclass_name`, I get an error message like: Error from server (Forbidden): User "chaoyang" cannot get storage.k8s.io.storageclasses at the cluster scope

Version-Release number of selected component (if applicable):
dev-preview-int
openshift v3.6.65
kubernetes v1.6.1+5115d708d7
How reproducible:
Always
Steps to Reproduce:
1. Using `oc get storageclass`
$ oc get storageclass
NAME            TYPE
ebs (default)   kubernetes.io/aws-ebs   
2. Using the CLI command `oc get storageclass ebs`
$ oc get storageclass ebs
Error from server (Forbidden): User "chaoyang" cannot get storage.k8s.io.storageclasses at the cluster scope

Actual results:
Got error message like Error from server (Forbidden): User "chaoyang" cannot get storage.k8s.io.storageclasses at the cluster scope

Expected results:
Should display the storageclass name and type info
Master Log:

Node Log (of failed PODs):

PV Dump:

PVC Dump:

StorageClass Dump (if StorageClass used by PV/PVC):

Additional info:

Comment 2 Scott Creeley 2017-05-11 17:09:52 UTC
Yes, the original intent was to be able to let users list storageclass names without seeing details, but as stated above, that can not be accomplished with the API, so at this point, not sure it makes sense to restrict "get".
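
An added example (not part of this bug report and not OpenShift's own code) of the policy gap discussed here: a rule set that grants `list` but not `get` on storage classes hides nothing, because the list response already returns every storage class's specification. The rule sets and function names are constructed for illustration and use Kubernetes RBAC-style rule fields; `resourceNames` is assumed absent.

```python
# Added example: rule contents are constructed, not OpenShift's actual policy.
# Simplification (assumption): resourceNames and non-resource URLs are not modelled.

GROUP, RESOURCE = "storage.k8s.io", "storageclasses"

# Constructed "before": collection reads allowed, single-object reads not.
BEFORE = [{"apiGroups": [GROUP], "resources": [RESOURCE], "verbs": ["list"]}]
# Constructed "after": both read verbs granted.
AFTER = [{"apiGroups": [GROUP], "resources": [RESOURCE], "verbs": ["get", "list"]}]


def _matches(values, wanted):
    """A rule field matches when it names the value or holds the '*' wildcard."""
    return "*" in values or wanted in values


def allowed(rules, verb, group, resource):
    """True if any rule grants `verb` on group/resource (rules are purely additive)."""
    return any(
        _matches(r.get("apiGroups", []), group)
        and _matches(r.get("resources", []), resource)
        and _matches(r.get("verbs", []), verb)
        for r in rules
    )


def list_without_get(rules):
    """Return sorted (group, resource) pairs readable via list but not via get."""
    findings = set()
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                if "*" in (group, resource):
                    continue  # wildcard targets cannot be enumerated here
                if allowed(rules, "list", group, resource) and not allowed(
                    rules, "get", group, resource
                ):
                    findings.add((group, resource))
    return sorted(findings)


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, "get allowed:", allowed(rules, "get", GROUP, RESOURCE),
              "| list-without-get:", list_without_get(rules))
```

A non-empty result from `list_without_get` marks a restriction that blocks the single-object request while the same data stays readable through the collection.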

Comment 3 Matthew Wong 2017-05-11 17:27:38 UTC
OK, I agree it makes sense to let users "get" storage classes, I will open a PR and we can discuss it further there if needed. 

I think there are some implications of this on the UI side as well, if we all agree there's no harm in letting users see storage class details, so that will have to be considered/tracked somewhere.

Comment 4 Matthew Wong 2017-05-15 23:33:49 UTC
PR opened against origin master https://github.com/openshift/origin/pull/14209

Comment 5 Xiaoli Tian 2017-06-15 07:09:59 UTC
OpenShift Online Preview has been decommissioned, go to https://manage.openshift.com/ for using OpenShift Online starter cluster

Comment 7 Chao Yang 2017-07-06 05:29:11 UTC
It is passed on 
oc v3.6.135
kubernetes v1.6.1+5115d70

oc get storageclass gp2
NAME            TYPE
gp2 (default)   kubernetes.io/aws-ebs

Comment 12 errata-xmlrpc 2017-11-28 21:54:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188