Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1145344

Summary: [RFE] oo-admin-clt-domain should be able to manage domain menbership
Product: OpenShift Container Platform Reporter: Eric Rich <erich>
Component: NodeAssignee: Timothy Williams <tiwillia>
Status: CLOSED ERRATA QA Contact: libra bugs <libra-bugs>
Severity: high Docs Contact:
Priority: medium    
Version: 2.2.0CC: adellape, bleanhar, cryan, jhou, jokerman, libra-onpremise-devel, mmccomas, nicholas_schuetz, tiwillia, xiama, xtian
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openshift-origin-broker-util-1.35.2.4-1 Doc Type: Enhancement
Doc Text:
Previously, administrators could not manage domain membership and could only instruct users to perform domain membership actions themselves using the OpenShift client tools. This enhancement updates the oo-admin-ctl-domain command so that administrators can now use the add_member, remove_member, update_member, and list_members subcommands to manage domain membership for users directly.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-21 19:11:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Rich 2014-09-22 21:14:29 UTC 
Description of problem:

Admins of the OpenShift system should be able to manage domain membership with out the need to use RHC.
Comment 1 Eric Rich 2014-09-22 21:16:43 UTC 
Currently https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Administration_Guide/index.html#sect-Creating_Global_Teams_and_Synchronizing_with_LDAP_Groups does not fit this need as on offs to a group have to be implemented in LDAP or new groups need to be formed in LDAP.
Comment 8 Luke Meyer 2015-01-05 18:27:01 UTC 
Would it be satisfactory to use a global team to control the membership administratively, and add that team to the domain?
Comment 9 Eric Rich 2015-01-05 19:29:37 UTC 
Team's and Service Accounts could be one work around to this. In short a Service Account could be used to define a domain for a team, and the Key Value Pairs of 

Example 4.3. Synchronizing Global Team Membership with a Sync File
https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Administration_Guide/index.html#chap-Team_and_Global_Team_Management

Could be used to then sync the team to the domain. 

Example: 
~~~
USER|ADD|user1
...
USER|ADD|user100

### MEMBER|ADD|myteam|user1,...,user100
Alternatively, create this file from any source and sync team members from the specified file with the following command:

# oo-admin-ctl-team -c sync-from-file --in-file teams.sync
~~~
Comment 14 Jianwei Hou 2015-05-14 06:39:15 UTC 
Tested on fork_ami_tiwiilliaprs_1280, works well, could manage member/roles successfully with oo-admin-ctl-domain
Comment 15 openshift-github-bot 2015-05-15 16:04:03 UTC 
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/d1894c38dd138f72382094cda1c6a1c7e1b74097
Add membership manipulation to oo-admin-ctl-domain

Bug 1145344
Bugzilla link https://bugzilla.redhat.com/show_bug.cgi?id=1145344
Adds the ability to manipulate and list membership of a domain through the oo-admin-ctl-domain tool.
Comment 18 Ma xiaoqiang 2015-05-19 06:10:09 UTC 
Check on puddle [2.2.z/2015-05-18.1]


The command should give out brief output instead of domain info  when control member.

# oo-admin-ctl-domain  -n xiaom -l xiaom -c add_member -m xiaom2
# rhc member list -n xiaom         
Login Role          Type
----- ------------- ----
xiaom admin (owner) user

The add_member action  doesn't work

# rhc member add -n xiaom -r edit xiaom1
# oo-admin-ctl-domain  -n xiaom -l xiaom -c update_member -m xiaom1 -r admin
# rhc member list -n xiaom              
Login  Role          Type
------ ------------- ----
xiaom  admin (owner) user
xiaom1 edit          user

The update_member action  doesn't work


# oo-admin-ctl-domain  -n xiaom -l xiaom -c remove_member -m xiaom1
# rhc member list -n xiaom              
Login  Role          Type
------ ------------- ----
xiaom  admin (owner) user
xiaom1 edit          user

The remove_member action  doesn't work

# oo-admin-ctl-domain  -n xiaom -l xiaom -c list_members 
<--snip-->
group_overrides: !ruby/array:%23%3CClass:0x0000000574ed20%3E []
ha: false
init_git_url: 
members:
- _id: !ruby/object:Moped::BSON::ObjectId
    raw_data: !binary |-
      VVrHMIJhHdd8AAAB
  _type: Member
  e: 
  f:
  - - domain
    - :admin
  n: xiaom
  r: :admin
  t: 
- _id: !ruby/object:Moped::BSON::ObjectId
    raw_data: !binary |-
      VVrICYJhHdd8AAAp
  _type: Member
  e: 
  f:
  - - domain
    - :edit
  n: xiaom1
  r: :edit
  t: 
meta: 
name: xiaom1
owner_id: !ruby/object:Moped::BSON::ObjectId


Two issue:
1. All the action on controlling domain member should give out  brief message instead of domain info
2. The actions of 'add_member', 'update_member', 'remove_member' don't take effect.
Comment 19 Timothy Williams 2015-05-19 14:29:26 UTC 
https://github.com/openshift/origin-server/pull/6147
Comment 20 openshift-github-bot 2015-05-19 16:14:45 UTC 
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/53fb7839f80012287f0a987cc94ee7ee30237968
oo-admin-ctl-domain uses underscores in command options

Bug 1145344
Bugzilla link https://bugzilla.redhat.com/show_bug.cgi?id=1145344
oo-admin-ctl-domain uses underscores in domain options. Fix command parsing and tests to reflect this.
Comment 21 Timothy Williams 2015-05-19 16:21:14 UTC 
Thanks for the tests. Issues should be resolved the with this pr:

  https://github.com/openshift/origin-server/pull/6147
Comment 24 Ma xiaoqiang 2015-05-22 05:37:02 UTC 
Check on puddle [2.2.6/2015-05-21.1]

1, list members
# oo-admin-ctl-domain -l xiaom -n xiaom -c list_members
Members of the "xiaom" domain:
xiaom(admin)

2. add member to the domain
oo-admin-ctl-domain -l xiaom -n xiaom -c add_member -m xiaom3 -r view 
oo-admin-ctl-domain -l xiaom -n xiaom -c add_member -m xiaom2
oo-admin-ctl-domain -l xiaom -n xiaom -c add_member -m xiaom1 -r edit

3. list members
# oo-admin-ctl-domain -l xiaom -n xiaom -c list_members                
Members of the "xiaom" domain:
xiaom(admin), xiaom1(edit), xiaom2(admin), xiaom3(view)
# rhc member list xiaom
Login  Role          Type
------ ------------- ----
xiaom  admin (owner) user
xiaom2 admin         user
xiaom1 edit          user
xiaom3 view          user

4. update member
# oo-admin-ctl-domain -l xiaom -n xiaom -c update_member -m xiaom1 -r view
# oo-admin-ctl-domain -l xiaom -n xiaom -c update_member -m xiaom2 -r edit
# oo-admin-ctl-domain -l xiaom -n xiaom -c update_member -m xiaom3 -r admin

5. list all members
# rhc member list xiaom
Login  Role          Type
------ ------------- ----
xiaom  admin (owner) user
xiaom3 admin         user
xiaom2 edit          user
xiaom1 view          user

6. remove the member
# oo-admin-ctl-domain -l xiaom -n xiaom -c remove_member -m xiaom1
# oo-admin-ctl-domain -l xiaom -n xiaom -c remove_member -m xiaom2

7. List the members
# rhc member list xiaom
Login  Role          Type
------ ------------- ----
xiaom  admin (owner) user
xiaom3 admin         user
# oo-admin-ctl-domain -l xiaom -n xiaom -c list_members                  
Members of the "xiaom" domain:
xiaom(admin), xiaom3(admin)
Comment 29 errata-xmlrpc 2015-07-21 19:11:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1463.html