Description of problem:
Try to delete the owner of the domain with the REST API.

1. Using "PATCH" and "POST" will get the same result:

    curl -k -H "Accept: application/xml" --user qiuzhang:redhat https://int.openshift.redhat.com/broker/rest/domain/qiuzhang/members -d role=none -d id=5260b12503ef64cdce0000a9 -X PATCH

    <?xml version="1.0" encoding="UTF-8"?>
    <response>
      <status>ok</status>
      <type>members</type>
      <data>
        <member>
          <type>user</type>
          <login>qiuzhang</login>
          <id>5260b12503ef64cdce0000a9</id>
          <role>admin</role>
          <explicit-role nil="true"></explicit-role>
          <from>
            <from>
              <type>owner</type>
              <role>admin</role>
            </from>
          </from>
          <owner>true</owner>
        </member>
      </data>
      <messages>
        <message>
          <severity>info</severity>
          <text>Removed 1 member.</text>
          <exit-code>0</exit-code>
          <field nil="true"></field>
          <index nil="true"></index>
        </message>
      </messages>
      <version>1.6</version>
      <api-version>1.6</api-version>
      <supported-api-versions>
        <supported-api-version>1.0</supported-api-version>
        <supported-api-version>1.1</supported-api-version>
        <supported-api-version>1.2</supported-api-version>
        <supported-api-version>1.3</supported-api-version>
        <supported-api-version>1.4</supported-api-version>
        <supported-api-version>1.5</supported-api-version>
        <supported-api-version>1.6</supported-api-version>
      </supported-api-versions>
    </response>

2. If using the "DELETE" method:

    curl -k -H "Accept: application/xml" --user qiuzhang:redhat https://int.openshift.redhat.com/broker/rest/domain/qiuzhang/member/5260b12503ef64cdce0000a9 -X DELETE

    <?xml version="1.0" encoding="UTF-8"?>
    <response>
      <status>ok</status>
      <type>member</type>
      <data>
        <member>
          <type>user</type>
          <login>qiuzhang</login>
          <id>5260b12503ef64cdce0000a9</id>
          <role>admin</role>
          <explicit-role nil="true"></explicit-role>
          <from>
            <from>
              <type>owner</type>
              <role>admin</role>
            </from>
          </from>
          <owner>true</owner>
        </member>
      </data>
      <messages>
        <message>
          <severity>info</severity>
          <text>The member qiuzhang is no longer directly granted a role.</text>
          <exit-code>132</exit-code>
          <field nil="true"></field>
          <index nil="true"></index>
        </message>
      </messages>
      <version>1.6</version>
      <api-version>1.6</api-version>
      <supported-api-versions>
        <supported-api-version>1.0</supported-api-version>
        <supported-api-version>1.1</supported-api-version>
        <supported-api-version>1.2</supported-api-version>
        <supported-api-version>1.3</supported-api-version>
        <supported-api-version>1.4</supported-api-version>
        <supported-api-version>1.5</supported-api-version>
        <supported-api-version>1.6</supported-api-version>
      </supported-api-versions>
    </response>

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
1. For the PATCH method, the exit code is 0 and the return message is "Removed 1 member". Actually, the owner can NOT be deleted. The command could not be returned as successful.
2. For the DELETE method, the return message "The member qiuzhang is no longer directly granted a role" is confusing.
As a result of the improper REST API result, the rhc client will always return "done".

Expected results:
The REST API returns a result that correctly reflects the actual outcome.

Additional info:
It happens on INT (devenv_3942).
Membership can occur directly or indirectly. Currently, the only way membership can be granted indirectly is that the domain owner always has admin access. In the future, giving a group access to a domain would give all the members of the group indirect access to the domain. The message returned from DELETE is correct.
Is removing the owner of a domain allowed?
DELETE will return a 200 on any user id if the end result is that the user does not have an explicit membership on the domain (either because they didn't have one, or because we successfully removed it). Removing the explicit membership for the domain owner (if there is one) is allowed. The owner will still have access by virtue of them being the owner. This mirrors the eventual behavior we will have around groups.
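A client-side check built on the responses shown in this report, added here as an example (it is not code from rhc or the broker): instead of trusting the status and message text, it reads the returned member record and reports whether that member still holds a role and where the role comes from. The function names and the empty-`<data>` response shape are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the member response from the report, trimmed to the
# fields this check reads.
OWNER_RESPONSE = """<response>
  <status>ok</status>
  <data>
    <member>
      <login>qiuzhang</login>
      <id>5260b12503ef64cdce0000a9</id>
      <role>admin</role>
      <explicit-role nil="true"></explicit-role>
      <from><from><type>owner</type><role>admin</role></from></from>
      <owner>true</owner>
    </member>
  </data>
  <messages><message><text>Removed 1 member.</text></message></messages>
</response>"""

# Constructed sample (assumed shape): no member left in <data>.
EMPTY_RESPONSE = "<response><status>ok</status><data></data></response>"


def remaining_access(xml_text, member_id):
    """Return None if the member is absent from the response, else a dict
    describing the access they still hold and where it comes from."""
    root = ET.fromstring(xml_text)
    for member in root.iter("member"):
        if member.findtext("id") != member_id:
            continue
        explicit = member.find("explicit-role")
        has_explicit = (explicit is not None
                        and explicit.get("nil") != "true"
                        and bool((explicit.text or "").strip()))
        return {
            "login": member.findtext("login"),
            "effective_role": member.findtext("role"),
            "explicit_role": explicit.text.strip() if has_explicit else None,
            # Indirect grants, e.g. ("owner", "admin") for the domain owner.
            "inherited_from": [(f.findtext("type"), f.findtext("role"))
                               for f in member.findall("./from/from")],
            "is_owner": member.findtext("owner") == "true",
        }
    return None


def removal_took_effect(xml_text, member_id):
    """True only when the member holds no role after the request."""
    access = remaining_access(xml_text, member_id)
    return access is None or access["effective_role"] in (None, "", "none")
```

For the owner response in the report this returns `False`: the explicit role is nil, but the effective role is still `admin`, inherited from ownership.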