Bug 1121028 - No teams available to add to domain
Summary: No teams available to add to domain
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 2.1.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
: ---
Assignee: Luke Meyer
QA Contact: libra bugs
Depends On:
TreeView+ depends on / blocked
Reported: 2014-07-18 08:26 UTC by John McTeague
Modified: 2014-07-22 16:19 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-07-22 16:03:29 UTC

Attachments (Terms of Use)

Description John McTeague 2014-07-18 08:26:01 UTC
I have followed the following steps:

oo-admin-ctl-team -c create --groups DevGrp --config-file ~/teams.yml

This creates the team DevGrp with no members.

I then create a team member file:


and run 

oo-admin-ctl-team -c sync-from-file --in-file teams.txt

I then verify my teams:

oo-admin-ctl-team -c list
Name:"DevGrp"  Maps to:CN=DevGrp,OU=Groups,DC=example,DC=com  Members:2

Finally I verify my user:

[root@broker ~]# oo-admin-ctl-user -l john

User john:
                consumed domains: 2
                     max domains: 10
                  consumed gears: 10
                       max gears: 100
    max tracked storage per gear: 0
  max untracked storage per gear: 0
                       max teams: 10
viewing all global teams allowed: true
                      gear sizes: small
            sub accounts allowed: false
private SSL certificates allowed: false
              inherit gear sizes: false
                      HA allowed: false

I can have 10 teams and viewing all global teams is allowed.

When I go to my domain I can click to Add a team...

No teams are listed or can be searched for, I am told "You do not have any teams".

Looking at the http trace I can see it makes a call to https://broker/console/teams.json?owner=@self

which returns an empty json array.

If I run

It returns a list of valid teams that I would be able to pick from.

Why is @self not working as intended and is there a workaround or fix to this?

Comment 2 Jordan Liggitt 2014-07-18 13:52:09 UTC
Teams created by oo-admin-ctl-team are global teams (not owned by a particular user), so they would never be included in an owner=@self query (owner=john is actually an invalid value for the owner parameter, so that behaves the same as if no owner parameter was specified.

A separate http call should be made from the console to search global teams as you type a team's name, something like http://broker/console/teams.json?search=foo&global=true. If you are not seeing that, it means the console does not think that user has the ability to search global teams. Has the user logged out and back in since they were granted the view_global_teams capability?

Comment 3 John McTeague 2014-07-22 16:03:29 UTC
Yes, all services have been restarted and the user logged out since the user was granted the capability.

The issue appears to be case-sensitivity. My instances authenticates against Active Directory and will authenticate many combinations. I executed the oo-admin--ctl-user for "john" but the login to the console was as "John". These are treated as different users who have different permissions.

I will close this issue but are there any plans to resolve the case issue. In our real environment users login with their internal SID, a combination of numbers and letters which are always case insensitive on every other system we run.

Comment 4 Brenton Leanhardt 2014-07-22 16:19:00 UTC
There is actually work underway to allow for login normalization: https://github.com/openshift/origin-server/pull/5631/files

Note You need to log in before you can comment on or make changes to this bug.