Bug 1651440

Summary: 'oc auth reconcile' command should not be used while adding a new custom role
Product: OpenShift Container Platform
Reporter: Arnab Ghosh <arghosh>
Component: Documentation
Assignee: Lindsey Barbee-Vargas <lbarbeev>
Status: CLOSED CURRENTRELEASE
QA Contact: scheng
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: medium
Version: 3.11.0
CC: aos-bugs, jokerman, mmccomas, rhowe, wsun
Target Milestone: ---
Target Release: 3.11.z
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-17 18:14:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Arnab Ghosh 2018-11-20 05:59:32 UTC
Description of problem:

OCP 3.11 documentation says: 'To add or update custom roles and permissions, it is strongly recommended to use 'oc auth reconcile' command'.

To update custom roles it is absolutely logical to use the 'oc auth reconcile' command, since it will append new verbs to the custom role instead of deleting old verbs and adding new verbs.

I don't think the same command should be our recommendation while creating a custom role, because if a custom role with the same name as your new role is already present in the environment, it will just update that role. The cluster admin would not be notified that a custom role with the same name already exists in the environment, which in turn might provide extended permissions to the user/SA attached to this custom role.


Version-Release number of selected component (if applicable):

- Openshift Container Platform 3.11

How reproducible:

- Always

Steps to Reproduce:

1. Create a custom role using the 'oc auth reconcile' command.
2. Create another custom role with the same name but a different definition than the first custom role.
3. You should be able to see that the 'oc auth reconcile' command creates a custom role if no custom role with the same name exists; otherwise it updates the existing role.

Actual results:

- The 'oc auth reconcile' command does not notify if a custom role with the same name already exists.

Expected results:

- It should notify the cluster admin.

Additional info:


Document URL: 

https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html#applying-custom-roles-and-permissions

Section Number and Name: 

Describe the issue: 

Suggestions for improvement: 

- To update custom roles and permissions, it is strongly recommended to use the following command:
# oc auth reconcile -f FILE

Additional information:
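
The collision the report describes can be caught before the manifest ever reaches 'oc auth reconcile'. The wrapper below is an added example, not code from the reporter or from the OpenShift docs: `safe_reconcile_role` is an assumed helper (not an oc subcommand) that looks the role up first and refuses a same-name role unless the caller explicitly asks for a merge with `--update`; the manifest parser assumes a plain single-document YAML file with `kind:` and a two-space-indented `metadata.name:`.

```shell
#!/usr/bin/env bash
# Guard wrapper around 'oc auth reconcile' for role manifests (assumed helper).
# A same-name role is refused, or must be acknowledged with --update, instead
# of being silently merged into the role that already exists in the cluster.

# Read 'kind:' from a single-document manifest (assumes plain YAML, no quotes).
role_kind_from_file() {
  awk '/^kind:/ { print $2; exit }' "$1"
}

# Read 'metadata.name:' from the same manifest (assumes two-space indent).
role_name_from_file() {
  awk '/^metadata:/ { m = 1; next }
       m && /^  name:/ { print $2; exit }
       m && /^[^ ]/ { m = 0 }' "$1"
}

# 0 = role exists, 1 = server says NotFound, 2 = lookup failed for another
# reason (not logged in, no network), which must not be mistaken for "absent".
role_exists() {
  local err
  if err=$(oc get "$1" "$2" -o name 2>&1 >/dev/null); then return 0; fi
  case "$err" in *NotFound*) return 1 ;; esac
  echo "lookup of $1/$2 failed: $err" >&2
  return 2
}

# safe_reconcile_role FILE [--update]
safe_reconcile_role() {
  local file="$1" mode="${2:-}" kind name
  kind=$(role_kind_from_file "$file")
  name=$(role_name_from_file "$file")
  if [ -z "$kind" ] || [ -z "$name" ]; then
    echo "cannot read kind/metadata.name from $file" >&2
    return 2
  fi
  role_exists "$kind" "$name"
  case $? in
    0) if [ "$mode" != "--update" ]; then
         echo "refusing: $kind/$name already exists; rerun with --update to merge into it" >&2
         return 1
       fi
       echo "updating existing $kind/$name" ;;
    1) echo "creating new $kind/$name" ;;
    *) return 2 ;;
  esac
  oc auth reconcile -f "$file"
}
```

Run as `safe_reconcile_role role.yaml` when the role is meant to be new; the non-zero exit on a name clash is what a pipeline or admin script should treat as the notification the report asks for.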

Comment 9 Lindsey Barbee-Vargas 2020-04-15 20:50:10 UTC
Made changes as described: Updated Applying Custom Roles and Permissions with clarification when adding or updating new custom roles and permissions. This can be reviewed here: https://github.com/openshift/openshift-docs/pull/21202. Moving this bug to ON_QA.

Comment 11 scheng 2020-04-16 06:14:04 UTC
Verified.

Comment 12 Lindsey Barbee-Vargas 2020-04-16 19:00:56 UTC
Added a link to an example yaml file for creating cluster roles per peer review feedback. Moving this bug back to ON_QA for a second look.

Comment 13 Lindsey Barbee-Vargas 2020-04-17 18:14:01 UTC
Verified fix is published and live on docs.openshift.com:
https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html#applying-custom-roles-and-permissions

Comment 14 Lindsey Barbee-Vargas 2020-04-20 13:40:23 UTC
Verified fix is published and live on the Customer Portal:
https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/architecture/additional-concepts#roles
(4.2.4.2. Applying Custom Roles and Permissions)