Bug 1802580

Summary: project.spec.projectRequestMessage not displayed
Product: OpenShift Container Platform Reporter: Olimp Bockowski <obockows>
Component: ocAssignee: Sally <somalley>
Status: CLOSED WONTFIX QA Contact: zhou ying <yinzhou>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.3.zCC: aos-bugs, jokerman, knarra, maszulik, mfojtik, slaznick
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-20 20:20:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Olimp Bockowski 2020-02-13 12:56:37 UTC 
Description of problem:

According to doc: "When a developer or a service account that is unable to self-provision projects makes a project creation request using the web console or CLI, the following error message is returned by default: "You may not request a new project via this API."

https://access.redhat.com/documentation/en-us/openshift_container_platform/4.3/html/applications/projects#customizing-project-request-message_configuring-project-creation

Using project.spec.projectRequestMessage we can set some message

But it is not applied properly to all components and this is inconsistent with web console (the behavior is quite the opposite)

HOW IT WORKS:
1.  for "oc" command you login and no message -> I would expect we have info, but nothing. However, when you create new-project you get a message defined in projectRequestMessage.
examples:

[ admin.csb  /home/obockows/WORK/02578143-project ] $ oc login https://api:6443
You don't have any projects. Contact your system administrator to request a project.
^^ here it should be message who one has to contact

[ admin.csb  /home/obockows/WORK/02578143-project ] $ /tmp/oc new-project something
Error from server (Forbidden): ask astutus for a new project

^^ here is everything ok

the result: we have message defined in projectRequestMessage only when we fail to create a project. That's not 100% helpful.

2. console:

when we are logged and we are in Home/Projects for Admin or Advanced/Projects for Developer view, we have:

Welcome to OpenShift
ask astutus for a new project
^^ quite the opposite to the behavior of "oc login"

however, when we make an attempt to create a new project we have what you've seen, e.g.
"An error occurred projectrequests.project.openshift.io is forbidden: User "olimpb.bockowski" cannot create resource "projectrequests" in API group "project.openshift.io" at the cluster scope"

^^ here should be the message as well
Moreover, the web console shows the defined message only if you don't have a project yet. If you already have one, you don't get the message at all. 

The odd is an inconsistency between console and CLI, if it behaves in sone way, it should be the same. I am quite convinced it should be unified and both for console and oc the same. 

Moreover in both cases it should be displayed everytime (after login and when not allowed is trying to create project)

Version-Release number of selected component (if applicable):
4.x

Additional info:
I was thinking should it be RE/RFE or bug, however, it looks like a bug because project.spec.projectRequestMessage wasn't put in two important places.
Additionally that's inconsistent with web console

For web console there is a different BZ #1802577
Comment 1 Maciej Szulik 2020-02-20 17:50:57 UTC 
This is not going to be addressed in 4.4, moving to 4.5.
Comment 2 Sally 2020-05-05 02:21:37 UTC 
I see in the console, a user without the self-provisioner clusterrole no longer has the option/button to create projects, this part of this bz is verified/fixed.

I've opened a PR to return the ProjectRequestMessage if it exists when
user w/ no self-provisioner clusterrole runs:
$ oc login 
$ oc project
$ oc new-project
Comment 3 Sally 2020-05-20 15:46:47 UTC 
This bug is actively being worked on.
Comment 7 zhou ying 2020-05-25 08:28:55 UTC 
Confirmed with oc version : [root@dhcp-140-138 roottest]# oc version 
Client Version: 4.5.0-202005231517-44354e2
Kubernetes Version: v1.18.2

`oc edit project.config.openshift.io/cluster` specify the spec. projectRequestMessage
 oc get project.config.openshift.io/cluster -oyaml
apiVersion: config.openshift.io/v1
kind: Project
metadata:
  annotations:
....
spec:
  projectRequestMessage: To request a project, contact your system administrator at projectname.

[root@dhcp-140-138 roottest]# oc login --token=`oc sa get-token default -n default` https://api.yinzhou25.qe.gcp.devcluster.openshift.com:6443
Logged into "https://api.yinzhou25.qe.gcp.devcluster.openshift.com:6443" as "system:serviceaccount:default:default" using the token provided.

To request a project, contact your system administrator at projectname.
[root@dhcp-140-138 roottest]# oc new-project ptest
Error from server (Forbidden): To request a project, contact your system administrator at projectname.
Comment 8 Standa Laznicka 2020-06-24 08:20:49 UTC 
The fix caused a regression tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1849983, moving back to assigned
Comment 9 Maciej Szulik 2020-06-24 08:23:14 UTC 
Sally make sure to verify https://docs.openshift.com/container-platform/4.4/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation is working correctly. I'd suggest adding test first and only then fixing this.
Comment 11 Sally 2020-07-30 21:54:34 UTC 
Since the fix for this bug was reverted, I will be revisiting this bug this sprint.
Comment 12 Sally 2020-08-20 20:20:53 UTC 
Revisiting this bug, 
The documentation on how to remove permission for project-requests is clear:  https://docs.openshift.com/container-platform/4.4/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation 

I'm closing this as there was not a regression and the current messages are sufficient:

$ oc login -u newton -p password  (does not have permission to create projects)
Login successful.

You don't have any projects. Contact your system administrator to request a project.
$ oc project
No project has been set. Pass a project name to make that the default.

// projectRequestMessage set
$ oc new-project test
Error from server (Forbidden): You do not have permission to create projects. Contact your system administrator

// No projectRequestMessage set:
$ oc new-project test
Error from server (Forbidden): You may not request a new project via this API.