Bug 2067064

Summary: RoleBinding in Developer Console is dropping all subjects when editing
Product: OpenShift Container Platform
Reporter: Simon Reber <sreber>
Component: Dev Console
Assignee: Debsmita Santra <dsantra>
Status: CLOSED ERRATA
QA Contact: spathak <spathak>
Severity: high
Docs Contact:
Priority: high
Version: 4.8
CC: cjerolim, dsantra, nmukherj
Target Milestone: ---
Target Release: 4.11.0
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-08-10 10:55:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (description, flags):
 - View of RoleBinding when starting (same view as shown in the initial state via oc command), flags: none
 - Showing the change being done on the RoleBinding in the Developer Console, flags: none
 - Showing the change effectively done and showing the broken RoleBinding as most subjects have gone missing, flags: none

Description Simon Reber 2022-03-23 07:33:44 UTC
Created attachment 1867696 [details]
View of RoleBinding when starting (same view as shown in the initial state via oc command)

Description of problem:

Having a `RoleBinding` within a project like the one below.

> $ oc get rolebinding admin -o json
> {
>     "apiVersion": "rbac.authorization.k8s.io/v1",
>     "kind": "RoleBinding",
>     "metadata": {
>         "creationTimestamp": "2022-03-14T07:44:51Z",
>         "name": "admin",
>         "namespace": "project-200",
>         "resourceVersion": "42748833",
>         "uid": "1bf265f5-3499-40b3-93f0-1e2794874633"
>     },
>     "roleRef": {
>         "apiGroup": "rbac.authorization.k8s.io",
>         "kind": "ClusterRole",
>         "name": "admin"
>     },
>     "subjects": [
>         {
>             "apiGroup": "rbac.authorization.k8s.io",
>             "kind": "User",
>             "name": "system:admin"
>         },
>         {
>             "apiGroup": "rbac.authorization.k8s.io",
>             "kind": "User",
>             "name": "user1"
>         },
>         {
>             "apiGroup": "rbac.authorization.k8s.io",
>             "kind": "User",
>             "name": "user2"
>         },
>         {
>             "apiGroup": "rbac.authorization.k8s.io",
>             "kind": "User",
>             "name": "user3"
>         }
>     ]
> }

When editing this in https://<openshift-console-url>/project-details/ns/project-200/access and replacing `user3` with `user4` it drops all `subjects` except the one that has been edited (meaning `user4` will remain available and the rest is removed).

So after the modification is done, the `RoleBinding` looks as follows:

> $ oc get rolebinding admin -o json
> {
>     "apiVersion": "rbac.authorization.k8s.io/v1",
>     "kind": "RoleBinding",
>     "metadata": {
>         "creationTimestamp": "2022-03-14T07:44:51Z",
>         "name": "admin",
>         "namespace": "project-200",
>         "resourceVersion": "42751278",
>         "uid": "1bf265f5-3499-40b3-93f0-1e2794874633"
>     },
>     "roleRef": {
>         "apiGroup": "rbac.authorization.k8s.io",
>         "kind": "ClusterRole",
>         "name": "admin"
>     },
>     "subjects": [
>         {
>             "apiGroup": "rbac.authorization.k8s.io",
>             "kind": "User",
>             "name": "user4"
>         }
>     ]
> }

Attached are the screenshots taken from the Console, showing the changes done that lead to the above outcome.

Version-Release number of selected component (if applicable):

 - OpenShift Container Platform 4.9.23

How reproducible:

 - Always

Steps to Reproduce:
1. Create a `RoleBinding` with multiple `subjects`
2. Edit the `RoleBinding` in the Developer Console
3. Validate the `RoleBinding` that shows all `subjects` dropped except the one modified

Actual results:

All `subjects` in the `RoleBinding` are dropped except for the one that was modified

Expected results:

All `subjects` to remain in place and only the `subject` modified to be changed 

Additional info:
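
A check for the behaviour reported above, as an added example that is not part of the original bug report or the console's code: it compares `oc get rolebinding <name> -o json` output taken before and after a single-subject edit and lists every subject that disappeared beyond the intended change. The function names and the trimmed sample objects are constructed for illustration, and the edit is assumed to rename one `User` subject.

```python
import json

API_GROUP = "rbac.authorization.k8s.io"

def binding(names):
    # Constructed sample: trimmed copy of the RoleBinding shape shown in the report.
    return {
        "kind": "RoleBinding",
        "roleRef": {"apiGroup": API_GROUP, "kind": "ClusterRole", "name": "admin"},
        "subjects": [{"apiGroup": API_GROUP, "kind": "User", "name": n} for n in names],
    }

def subject_key(subject):
    # kind + name identify a subject; namespace only matters for ServiceAccounts.
    return (subject.get("kind"), subject.get("name"), subject.get("namespace"))

def check_edit(before, after, old_name, new_name, kind="User"):
    """Compare a RoleBinding before/after replacing one subject.

    Returns subjects that were dropped or added beyond the intended edit,
    and whether roleRef (which grants the actual permissions) changed.
    """
    b = {subject_key(s) for s in before.get("subjects") or []}
    a = {subject_key(s) for s in after.get("subjects") or []}
    # Expected result: same set, with only old_name swapped for new_name.
    expected = (b - {(kind, old_name, None)}) | {(kind, new_name, None)}
    label = lambda k: f"{k[0]}/{k[1]}"
    return {
        "dropped": sorted(label(k) for k in expected - a),
        "unexpected": sorted(label(k) for k in a - expected),
        "roleref_changed": before.get("roleRef") != after.get("roleRef"),
    }

# Constructed inputs mirroring the report: initial state, the state observed
# after the console edit, and the state the reporter expected.
BEFORE = binding(["system:admin", "user1", "user2", "user3"])
AFTER_OBSERVED = binding(["user4"])
AFTER_EXPECTED = binding(["system:admin", "user1", "user2", "user4"])

if __name__ == "__main__":
    for title, after in (("observed", AFTER_OBSERVED), ("expected", AFTER_EXPECTED)):
        print(title, json.dumps(check_edit(BEFORE, after, "user3", "user4")))
```

To run it against a live cluster, load the two saved `-o json` outputs with `json.load` and pass them in place of the constructed samples.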

Comment 1 Simon Reber 2022-03-23 07:34:25 UTC
Created attachment 1867697 [details]
Showing the change being done on the RoleBinding in the Developer Console

Comment 2 Simon Reber 2022-03-23 07:35:16 UTC
Created attachment 1867698 [details]
Showing the change effectively done and showing the broken RoleBinding as most subjects have gone missing

Comment 4 Debsmita Santra 2022-03-30 06:29:30 UTC
@sreber I am looking into this

Comment 7 Debsmita Santra 2022-04-22 06:58:39 UTC
@sreber I am working on it

Comment 10 Christoph Jerolimov 2022-05-23 08:57:56 UTC
Verified on 4.11.0-0.nightly-2022-05-20-213928

Comment 13 errata-xmlrpc 2022-08-10 10:55:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069