
Bug 1493239

Summary: service account with same perms on 2 clusters can't create projects on one
Product: OpenShift Container Platform
Component: apiserver-auth
Version: 3.5.1
Hardware: x86_64
OS: Linux
Reporter: Sten Turpin <sten>
Assignee: Simo Sorce <ssorce>
QA Contact: Chuan Yu <chuyu>
CC: aos-bugs, mkhan, sten
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Target Milestone: ---
Target Release: ---
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2017-09-29 14:54:18 UTC
Attachments: projectrequests perms (no flags)

Description Sten Turpin 2017-09-19 17:24:48 UTC
Description of problem: Customer has 2 clusters configured the same. On both clusters, "oadm policy who-can create project" shows the service account as one of the allowed objects. On one cluster, the service account can create projects, on the other it can't. 


Version-Release number of selected component (if applicable): atomic-openshift-3.5.5.31-1.git.0.b6f55a2.el7.x86_64


How reproducible: Always, on this cluster with this SA


Steps to Reproduce:
1. Create a service account
2. Enable the service account to create projects
3. Create a project

Actual results:
"stderr": "Error from server (Forbidden): You may not request a new
project via this API.","stderr_lines": ["Error from server (Forbidden):
You may not request a new project via this API.

Expected results:
project created

Additional info:

Comment 2 Simo Sorce 2017-09-19 17:44:40 UTC
Can you provide server logs for both the working and non-working commands at the time they are executed?

Comment 3 Simo Sorce 2017-09-19 20:33:56 UTC
Sten, please report on:
oadm policy who-can create projectrequests
oadm policy who-can list projectrequests

for both clusters.

Comment 4 Mo 2017-09-19 20:48:05 UTC
@Sten

As you can see from the output of `who-can create project`, a very small set of users can perform such actions.  The reason is that the direct creation of projects (and namespaces) is a highly privileged and controlled action.  Thus to allow a normal user to safely interact with the API, we provide the extra indirection of a `projectrequest` (this is what `oc new-project` invokes).  This is a way of stating to the API that you want a project created on your behalf.  It allows the API to fully control how the project will be created via the cluster's project template, while giving the appearance to the user that they created the project.

With this in mind, I strongly suggest that you remove the ability to directly create projects from both service accounts, and instead give them create/list on projectrequests.  If for some reason you need to directly allow the creation of projects from these SAs (and skip the project template), use the `oc adm new-project` command.
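Added example (not part of the bug report or of the OpenShift project's own policy files): the least-privilege shape Comment 4 recommends, expressed as a cluster role that grants only create/list on projectrequests, bound to a service account. The role name, service account name and namespace are assumptions; the `project.openshift.io` API group is included for later releases alongside the legacy empty group, and is also an assumption for this 3.5 cluster.

```yaml
# Added example, not from the bug: grant the projectrequest indirection only.
# Names (project-requester, automation, ci-tools) are placeholders.
apiVersion: v1
kind: ClusterRole
metadata:
  name: project-requester
rules:
# projectrequests lets the API create the project on the caller's behalf
# through the cluster's project template; this is what `oc new-project` uses.
- apiGroups:
  - ""                      # legacy API group used by 3.x
  - project.openshift.io    # grouped form in later releases (assumption here)
  resources:
  - projectrequests
  verbs:
  - create
  - list
# Deliberately NOT granted: create on projects or namespaces. That is the
# direct, template-bypassing path the comment says to remove from both SAs.
---
apiVersion: v1
kind: ClusterRoleBinding
metadata:
  name: project-requester-automation
roleRef:
  name: project-requester
subjects:
- kind: ServiceAccount
  name: automation
  namespace: ci-tools
```

After applying it, the check from Comment 3 shows whether the binding took effect on each cluster: `oadm policy who-can create projectrequests` and `oadm policy who-can list projectrequests` should both list `system:serviceaccount:ci-tools:automation`, while `oadm policy who-can create project` should no longer include it. The built-in `self-provisioner` cluster role already carries the create-on-projectrequests grant, so binding that role to the service account is an equivalent alternative to the custom role above.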

Comment 5 Sten Turpin 2017-09-20 14:03:35 UTC
Created attachment 1328449 [details]
projectrequests perms

Comment 6 Simo Sorce 2017-09-29 14:54:18 UTC
It seems it was a custom configuration issue after all; closing as not a bug.