Bug 1671685

Summary: Inaccurate error message when removing a clusterrolebinding from a group for non-existent cluster role
Product: OpenShift Container Platform Reporter: Chuan Yu <chuyu>
Component: apiserver-authAssignee: Standa Laznicka <slaznick>
Status: CLOSED NOTABUG QA Contact: scheng
Severity: low Docs Contact:
Priority: low    
Version: 4.1.0CC: aos-bugs, evb, mkhan, nagrawal, slaznick
Target Milestone: ---   
Target Release: 4.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-05 06:26:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chuan Yu 2019-02-01 10:09:23 UTC 
Description of problem:
Unable remove cluster role self-provisioners from system:authenticated:oauth group

Version-Release number of selected component (if applicable):
4.0.0-0.nightly-2019-01-30-174704

How reproducible:
always

Steps to Reproduce:
1.As the cluster admin run cmd `oc adm policy remove-cluster-role-from-group self-provisioners system:authenticated:oauth`
2.
3.

Actual results:
error: unable to locate RoleBinding  for ClusterRole "self-provisioners"

Expected results:
Could remove cluster role self-provisioners from system:authenticated:oauth group

Additional info:

$ oc adm policy remove-cluster-role-from-group self-provisioners system:authenticated:oauth --loglevel=8
I0201 16:07:34.583528   23657 loader.go:359] Config loaded from file 20190131/auth/kubeconfig
I0201 16:07:34.584167   23657 round_trippers.go:383] GET https://***cluster.openshift.com:6443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings
I0201 16:07:34.584178   23657 round_trippers.go:390] Request Headers:
I0201 16:07:34.584183   23657 round_trippers.go:393]     Accept: application/json, */*
I0201 16:07:34.584188   23657 round_trippers.go:393]     User-Agent: oc/v1.11.0+42ba6e91ef (linux/amd64) kubernetes/42ba6e9
I0201 16:07:35.636184   23657 round_trippers.go:408] Response Status: 200 OK in 1051 milliseconds
I0201 16:07:35.636303   23657 round_trippers.go:411] Response Headers:
I0201 16:07:35.636328   23657 round_trippers.go:414]     Date: Fri, 01 Feb 2019 08:07:35 GMT
I0201 16:07:35.636358   23657 round_trippers.go:414]     Audit-Id: 002b6a51-b395-4497-8fe7-bfc6a515302c
I0201 16:07:35.636377   23657 round_trippers.go:414]     Cache-Control: no-store
I0201 16:07:35.636395   23657 round_trippers.go:414]     Content-Type: application/json
I0201 16:07:36.401625   23657 request.go:897] Response Body: {"kind":"ClusterRoleBindingList","apiVersion":"rbac.authorization.k8s.io/v1","metadata":{"selfLink":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","resourceVersion":"1073035"},"items":[{"metadata":{"name":"alertmanager-main","selfLink":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/alertmanager-main","uid":"2d6a5919-2528-11e9-a627-061ed6739886","resourceVersion":"11614","creationTimestamp":"2019-01-31T07:16:50Z"},"subjects":[{"kind":"ServiceAccount","name":"alertmanager-main","namespace":"openshift-monitoring"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"alertmanager-main"}},{"metadata":{"name":"basic-users","selfLink":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/basic-users","uid":"68ad5525-2527-11e9-abad-061ed6739886","resourceVersion":"4944","creationTimestamp":"2019-01-31T07:11:20Z","annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"}},"subjects":[{"kind":"Group","apiGroup":"rbac.authorization.k8s.io","name":"system:authenti [truncated 89836 chars]
F0201 16:07:36.407348   23657 helpers.go:119] error: unable to locate RoleBinding  for ClusterRole "self-provisioners"
Comment 1 Standa Laznicka 2019-03-08 13:47:46 UTC 
It is the clusterrolebinding which is called self-provisioners, not the clusterrole. The clusterrole is just "self-provisioner".

However, the message is wrong, it should say:
'error: unable to locate ClusterRoleBinding  for ClusterRole "self-provisioners"' instead of just 'error: unable to locate RoleBinding  for ClusterRole "self-provisioners"'

Moving priority to low.