Cause: Previously, deleting a service account would ignore the SAs namespace. This means that the delete action from the web UI could delete multiple service account rolebindings under the service account tab if service accounts from different namespaces had the same name.
Consequence: Additional rolebindings could be deleted, requiring the user to recreate them.
Fix: The delete action on the SA tab will now respect the namespace and only delete the specified SA rolebinding from the correct namespace.
Result: The bug is fixed.
Created attachment 1345694[details]
operations provided from customer, please do not share outside Red hat
Description of problem:
- This is a issue when delete a serviceaccount rolebinding from a project via webUI. An project contains two role binding with same SA name but different namespace such as: pro1/test . pro2/test and binding to same role (etc. view), if i delete one of the two, another one will also be deleted. However delete via oc command is normal.
Version-Release number of selected component (if applicable):
- report the issue in 3.5 from customer and can be repo in 3.6 too.
How reproducible:
- refer to below steps
Steps to Reproduce:
1. Login Web UI and Create two projects (etc: pro1 . pro2)
2. Located to "project--resourse--membership--service account"
3. Add two rolebindings to this project (etc: pro1/default->view . pro2/default->view) and click"done editing"
4. Re-edit the setting and delete one of above two and find another one has also been deleted
Actual results:
- delete one any and find another one has also been deleted (etc delete pro1/default then pro2/default will be disappeared too)
Expected results:
- delete one service account role binding should not affect the others
Additional info:
- this issue can be repo no mater what the serviceaccount/role is.
- delete rolebinding via oc command doesn't have this issue:
$oadm policy remove-role-from-user <role> system:serviceaccount:<project>:<serviceaccount>
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2017:3188
Created attachment 1345694 [details] operations provided from customer, please do not share outside Red hat Description of problem: - This is a issue when delete a serviceaccount rolebinding from a project via webUI. An project contains two role binding with same SA name but different namespace such as: pro1/test . pro2/test and binding to same role (etc. view), if i delete one of the two, another one will also be deleted. However delete via oc command is normal. Version-Release number of selected component (if applicable): - report the issue in 3.5 from customer and can be repo in 3.6 too. How reproducible: - refer to below steps Steps to Reproduce: 1. Login Web UI and Create two projects (etc: pro1 . pro2) 2. Located to "project--resourse--membership--service account" 3. Add two rolebindings to this project (etc: pro1/default->view . pro2/default->view) and click"done editing" 4. Re-edit the setting and delete one of above two and find another one has also been deleted Actual results: - delete one any and find another one has also been deleted (etc delete pro1/default then pro2/default will be disappeared too) Expected results: - delete one service account role binding should not affect the others Additional info: - this issue can be repo no mater what the serviceaccount/role is. - delete rolebinding via oc command doesn't have this issue: $oadm policy remove-role-from-user <role> system:serviceaccount:<project>:<serviceaccount>