Bug 1917280

Summary: "oc annotate" fails to parse group names with LDAP name
Product: OpenShift Container Platform
Component: oc
Version: 4.6.z
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Reporter: Sergio G. <sgarciam>
Assignee: Robin Cernin <rcernin>
QA Contact: zhou ying <yinzhou>
CC: aos-bugs, jokerman, maszulik, mfojtik, rcernin
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-06-08 15:19:16 UTC

Description Sergio G. 2021-01-18 09:02:53 UTC
Description of problem:
Can't change the annotations of a group if the name is an LDAP name. Only "oc annotate" fails while other commands work. See the steps to reproduce.


Version-Release number of selected component (if applicable):
4.6.9


How reproducible:
Always


Steps to Reproduce:
$ oc get group.user.openshift.io
NAME                                                                          USERS
CN=Group1,OU=Groups,OU=People,DC=example,DC=local   

$ oc get group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -o yaml
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  creationTimestamp: "2021-01-18T08:43:02Z"
  name: CN=Group1,OU=Groups,OU=People,DC=example,DC=local
  resourceVersion: "86058"
  selfLink: /apis/user.openshift.io/v1/groups/CN%3DGroup1%2COU%3DGroups%2COU%3DPeople%2CDC%3Dexample%2CDC%3Dlocal
  uid: c4671196-9832-4215-933d-aae8ea63ff8a
users: null

$ oc annotate group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local openshift.io/ldap.url=ldap.example.local:389 
error: one or more resources must be specified as <resource> <name> or <resource>/<name>

$ oc patch group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -p '{"metadata":{"annotations":{"openshift.io/ldap.url": "ldap.example.local:389"}}}'
group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local patched

$ oc get group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -o yaml
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  annotations:
    openshift.io/ldap.url: ldap.example.local:389
  creationTimestamp: "2021-01-18T08:43:02Z"
  name: CN=Group1,OU=Groups,OU=People,DC=example,DC=local
  resourceVersion: "86058"
  selfLink: /apis/user.openshift.io/v1/groups/CN%3DGroup1%2COU%3DGroups%2COU%3DPeople%2CDC%3Dexample%2CDC%3Dlocal
  uid: c4671196-9832-4215-933d-aae8ea63ff8a
users: null

$ oc adm groups new group1
group.user.openshift.io/group1 created

$ oc annotate group.user.openshift.io/group1 openshift.io/ldap.url=ldap.example.local:389 
group.user.openshift.io/group1 annotated


Actual results:
"oc patch" is unable to parse the command line properly to detect the annotation and group name.


Expected results:
"oc patch" should be able to parse the command line properly no matter the group name.

Comment 1 Sergio G. 2021-01-18 09:05:24 UTC
Correction to Actual results:
"oc annotate" is unable to parse the command line properly to detect the annotation and group name.


Correction to Expected results:
"oc annotate" should be able to parse the command line properly no matter the group name.

Comment 2 Maciej Szulik 2021-01-18 11:05:37 UTC
*** Bug 1917277 has been marked as a duplicate of this bug. ***

Comment 3 Maciej Szulik 2021-01-18 11:28:27 UTC
There's a temporary workaround to save the group in a file and then invoke:

oc get group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -o yaml>group.yaml
oc annotate -f group.yaml openshift.io/ldap.url=ldap.example.local:389

This will allow annotation to work right away. The problem at hand is that the LDAP group
contains characters such as '=' (equal sign) and ',' (comma), which are used for
passing multiple resources (comma) or to pass key=value pairs for annotation (equal sign).
I'm not sure how far we can go with fixing this issue, but I hope this workaround is
a reasonable middle ground for now, at least.
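
The argument ambiguity described in comment 3, as an added example that is not part of the original thread and is not the oc source code. The functions `splitArgs` and `check` are hypothetical and model only the '=' rule (an argument containing '=' is read as a key=value annotation); comma handling is not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// splitArgs is a simplified, hypothetical model of the rule in comment 3 (not
// the oc source): an argument containing '=' is read as a key=value
// annotation, anything else as a resource. Comma handling is not modelled.
func splitArgs(args []string) (resources, pairs []string, err error) {
	for _, a := range args {
		switch {
		case strings.Contains(a, "="):
			pairs = append(pairs, a)
		case len(pairs) > 0:
			return nil, nil, fmt.Errorf("resource %q follows annotation changes", a)
		default:
			resources = append(resources, a)
		}
	}
	return resources, pairs, nil
}

// check reports how many resources and annotations a command line yields.
// fromFile models "-f group.yaml", where the resource is not named in args.
func check(args []string, fromFile bool) (nRes, nPairs int, err error) {
	resources, pairs, err := splitArgs(args)
	if err != nil {
		return 0, 0, err
	}
	if len(resources) == 0 && !fromFile {
		return 0, len(pairs), errors.New("one or more resources must be specified")
	}
	return len(resources), len(pairs), nil
}

func main() {
	// Values taken from the steps to reproduce in the description.
	dn := "group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local"
	ann := "openshift.io/ldap.url=ldap.example.local:389"
	fmt.Println(check([]string{dn, ann}, false))                               // LDAP DN on the command line
	fmt.Println(check([]string{"group.user.openshift.io/group1", ann}, false)) // plain group name
	fmt.Println(check([]string{ann}, true))                                    // workaround: -f group.yaml
}
```

With the LDAP name on the command line, both arguments are classified as annotations and no resource remains, which matches the error in the description; reading the resource from a file keeps the name out of the argument list.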

Comment 4 Sergio G. 2021-01-18 11:31:54 UTC
Thanks Maciej. I offered as a workaround the "oc patch" approach but yours can work also.

I wonder how "oc patch" does the parsing, as it's also a command prone to have , (comma) and = (equal) signs, but it definitely works.

Comment 5 Maciej Szulik 2021-01-18 14:16:33 UTC
(In reply to Sergio G. from comment #4)
> Thanks Maciej. I offered as a workaround the "oc patch" approach but yours
> can work also.
> 
> I wonder how "oc patch" does the parsing, as it's also a command prone to
> have , (comma) and = (equal) signs, but it definitely works.

oc patch has different schematics, so it's not affected by the above problems.

Comment 25 Maciej Szulik 2021-04-29 12:24:14 UTC
Robert, given this limitation, I'd suggest opening a doc update and syncing with Andrea, who manages our docs effort.

Comment 26 Maciej Szulik 2021-06-08 15:19:16 UTC
This will be included in the docs, since this won't be solved due to how annotate works upstream and there exists a viable workaround, I'm going to close this as is.