Description of problem:
After removing the role, the rolebindings are still there, and this is inappropriate. I think we can do one of the following:
1. Try to delete the role when roleBindings are based on it, and get a message like "please remove the rolebindings based on the role first".
2. Try to delete the role when roleBindings are based on it, and origin will delete not only the role but also the rolebindings based on it.

Version-Release number of selected component (if applicable):
# openshift version
openshift v0.3-95-g753c84d-dirty
kubernetes v0.10.0-46-g72ad4f1

How reproducible:
always

Steps to Reproduce:
1. create a role via cluster-admin
2. bind a user to the role via cluster-admin
3. delete the role via cluster-admin
4. check the rolebindings via cluster-admin

Actual results:
1.
# cat role.json
# osc create -f role.json --namespace=master
# osc describe --namespace=master policy default
Name: default
Annotations: <none>
Created: 2015-02-13 10:06:48 +0800 CST
Last Modified: 2015-02-13 10:10:31 +0800 CST
admin
  Verbs  Resources  Extension
  [get list watch create update delete]  [resourcegroup:exposedopenshift resourcegroup:granter resourcegroup:exposedkube]
  [get list watch]  [resourcegroup:policy resourcegroup:allkube]
basic-user
  Verbs  Resources  Extension
  [get]  [users]
  [list]  [projects]
cluster-admin
  Verbs  Resources  Extension
  [*]  [*]
deploy
  Verbs  Resources  Extension
  [watch list get]  [resourcegroup:deployments resourcegroup:users]
edit
  Verbs  Resources  Extension
  [get list watch create update delete]  [resourcegroup:exposedopenshift resourcegroup:exposedkube]
  [get list watch]  [resourcegroup:allkube]
system:component
  Verbs  Resources  Extension
  [*]  [*]
system:delete-tokens
  Verbs  Resources  Extension
  [delete]  [oauthaccesstoken oauthauthorizetoken]
system:deployer
  Verbs  Resources  Extension
  [*]  [*]
view
  Verbs  Resources  Extension
  [get list watch]  [resourcegroup:exposedopenshift resourcegroup:allkube]

2.
# openshift ex policy add-user --namespace=master deploy anypassword:deploy
# osc describe --namespace=master policyBindings master
Name: master
Annotations: <none>
Created: 2015-02-13 10:06:48 +0800 CST
Last Modified: 2015-02-13 10:10:50 +0800 CST
Policy: master
RoleBinding[basic-user-binding]:  Role: basic-user  Users: []  Groups: [system:authenticated]
RoleBinding[cluster-admin-binding]:  Role: cluster-admin  Users: [system:admin]  Groups: []
RoleBinding[deploy]:  Role: deploy  Users: [anypassword:deploy]  Groups: []
RoleBinding[insecure-cluster-admin-binding]:  Role: cluster-admin  Users: []  Groups: [system:authenticated system:unauthenticated]
RoleBinding[system:component-binding]:  Role: system:component  Users: [system:openshift-client system:kube-client]  Groups: []
RoleBinding[system:delete-tokens-binding]:  Role: system:delete-tokens  Users: []  Groups: [system:authenticated system:unauthenticated]
RoleBinding[system:deployer-binding]:  Role: system:deployer  Users: [system:openshift-deployer]  Groups: []

3.
# osc delete -f role.json deploy

4.
# osc describe --namespace=master policyBindings master
Name: master
Annotations: <none>
Created: 2015-02-13 10:06:48 +0800 CST
Last Modified: 2015-02-13 10:10:50 +0800 CST
Policy: master
RoleBinding[basic-user-binding]:  Role: basic-user  Users: []  Groups: [system:authenticated]
RoleBinding[cluster-admin-binding]:  Role: cluster-admin  Users: [system:admin]  Groups: []
RoleBinding[deploy]:  Role: deploy  Users: [anypassword:deploy]  Groups: []
RoleBinding[insecure-cluster-admin-binding]:  Role: cluster-admin  Users: []  Groups: [system:authenticated system:unauthenticated]
RoleBinding[system:component-binding]:  Role: system:component  Users: [system:openshift-client system:kube-client]  Groups: []
RoleBinding[system:delete-tokens-binding]:  Role: system:delete-tokens  Users: []  Groups: [system:authenticated system:unauthenticated]
RoleBinding[system:deployer-binding]:  Role: system:deployer  Users: [system:openshift-deployer]  Groups: []

Expected results:
Should be one of the following:
1. Try to delete the role when roleBindings are based on it, and get a message like "please remove the rolebindings based on the role first".
2. Try to delete the role when roleBindings are based on it, and origin will delete not only the role but also the rolebindings based on it.

Additional info:
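The two behaviours proposed in the description (refuse the delete while bindings still reference the role, or cascade the delete to those bindings), next to an audit that lists bindings whose role is gone, as an added Python example that is not part of this report or of OpenShift's code. The PolicyStore, RoleRef and RoleBinding classes, the delete_role_unchecked stand-in for the reported behaviour, and the sample role and binding are all constructed for the illustration:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RoleRef:
    """Namespace/name pair identifying a Role, as a RoleBinding's roleRef does."""
    namespace: str
    name: str


@dataclass
class RoleBinding:
    name: str
    namespace: str
    role: RoleRef
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)


class RoleInUse(Exception):
    """Raised when a Role still has RoleBindings referencing it (option 1)."""


class PolicyStore:
    """Toy in-memory stand-in for the policy / policyBinding objects in the report (constructed)."""

    def __init__(self):
        self.roles = set()    # set of RoleRef
        self.bindings = {}    # (namespace, name) -> RoleBinding

    def create_role(self, namespace, name):
        self.roles.add(RoleRef(namespace, name))

    def add_binding(self, binding):
        # Refuse to bind to a role that does not exist; the report's later
        # comment shows add-user failing with "role ... not found" for this case.
        if binding.role not in self.roles:
            raise LookupError(f"role {binding.role} not found")
        self.bindings[(binding.namespace, binding.name)] = binding

    def bindings_for_role(self, ref):
        return [b for b in self.bindings.values() if b.role == ref]

    def delete_role_unchecked(self, ref):
        """The behaviour the report describes: the role goes, its bindings stay behind."""
        self.roles.discard(ref)

    def delete_role(self, ref, cascade=False):
        """Option 1 (cascade=False): refuse while bindings reference the role.
        Option 2 (cascade=True): delete the dependent bindings together with the role.
        Returns the names of the bindings that were removed."""
        if ref not in self.roles:
            raise LookupError(f"role {ref} not found")
        dependents = self.bindings_for_role(ref)
        if dependents and not cascade:
            names = ", ".join(b.name for b in dependents)
            raise RoleInUse(f"please remove the rolebindings based on the role first: {names}")
        for b in dependents:
            del self.bindings[(b.namespace, b.name)]
        self.roles.discard(ref)
        return [b.name for b in dependents]

    def orphan_bindings(self):
        """Audit: bindings whose roleRef points at a role that no longer exists."""
        return [b for b in self.bindings.values() if b.role not in self.roles]


def demo():
    """Walk the report's scenario on constructed sample objects."""
    store = PolicyStore()
    deploy = RoleRef("master", "deploy")
    store.create_role("master", "deploy")
    store.add_binding(RoleBinding("deploy", "master", deploy, users=["anypassword:deploy"]))

    # Unchecked delete reproduces the orphan binding the report found.
    store.delete_role_unchecked(deploy)
    orphans = [b.name for b in store.orphan_bindings()]

    # Recreate the role, then show both proposed behaviours.
    store.create_role("master", "deploy")
    refused = False
    try:
        store.delete_role(deploy)
    except RoleInUse:
        refused = True
    cascaded = store.delete_role(deploy, cascade=True)
    return orphans, refused, cascaded, len(store.orphan_bindings())


if __name__ == "__main__":
    print(demo())  # (['deploy'], True, ['deploy'], 0)
```

The orphan_bindings audit is the defender-side check: run against the bindings a describe shows, it flags any whose Role no longer resolves, which is exactly the state the later comments show breaking resource access reviews.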
Checked with

# openshift version
openshift v0.4-42-g4cd4fab
kubernetes v0.11.0-330-g6241a21

and found cluster-admin can not add-user to the newly created project any more.

1. # openshift ex new-project wjiang --admin="htpasswd:wjiang"

2. # cat role.json
{
  "kind": "Role",
  "apiVersion": "v1beta1",
  "metadata": {
    "name": "deploy",
    "namespace": "master"
  },
  "rules": [
    {
      "verbs": ["watch", "list", "get"],
      "resources": ["resourcegroup:deployments"]
    }
  ]
}

3. # osc create -f role.json

4. # osc describe policy default --namespace=master
Name: default
Created: 2015-03-04 10:15:38 +0800 CST
Labels: <none>
Last Modified: 2015-03-05 16:29:10 +0800 CST
admin
  Verbs  Resources  Extension
  [create delete get list update watch]  [resourcegroup:exposedkube resourcegroup:exposedopenshift resourcegroup:granter]
  [get list watch]  [resourcegroup:allkube resourcegroup:policy]
basic-user
  Verbs  Resources  Extension
  [get]  [users]
  [list]  [projects]
cluster-admin
  Verbs  Resources  Extension
  [*]  [*]  [*]  []
cluster-status
  Verbs  Resources  Extension
  [get]  []
edit
  Verbs  Resources  Extension
  [create delete get list update watch]  [resourcegroup:exposedkube resourcegroup:exposedopenshift]
  [get list watch]  [resourcegroup:allkube]
system:component
  Verbs  Resources  Extension
  [*]  [*]
system:delete-tokens
  Verbs  Resources  Extension
  [delete]  [oauthaccesstoken oauthauthorizetoken]
system:deployer
  Verbs  Resources  Extension
  [*]  [*]
view
  Verbs  Resources  Extension
  [get list watch]  [resourcegroup:allkube resourcegroup:exposedopenshift]

5. # openshift ex policy add-user deploy htpasswd:view --namespace=wjiang

6. # osc describe policyBinding master --namespace=wjiang
Name: master
Created: 2015-03-05 17:34:01 +0800 CST
Labels: <none>
Last Modified: 2015-03-05 17:35:55 +0800 CST
Policy: master
RoleBinding[admin]:  Role: admin  Users: [htpasswd:wjiang]  Groups: []
RoleBinding[deploy]:  Role: deploy  Users: [htpasswd:view]  Groups: []

7. # osc delete -f role.json deploy

8. # openshift ex policy add-user admin anypassword:view --namespace=wjiang
F0305 17:36:15.570144 24072 add_user.go:43] role api.ObjectReference{Kind:"", Namespace:"master", Name:"deploy", UID:"", APIVersion:"", ResourceVersion:"", FieldPath:""} not found
I've opened https://github.com/openshift/origin/pull/1231 to address your last comment. I don't want that pull to accidentally close this defect, since it does not fix referential integrity. The changes only keep referential integrity problems in one rolebinding from affecting changes to a different role binding.
Checked with

# openshift version
openshift v0.4-63-g0298616
kubernetes v0.11.0-330-g6241a21

and the issue mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1192310#c1 has been fixed.
The orphan rolebinding will still affect the function in the latest OSE build.

1. Add a policybinding via cluster admin to my project
# echo '{
  "kind": "PolicyBinding",
  "apiVersion": "v1",
  "metadata": { "name": "bmengp1", "namespace": "bmengp1" },
  "policyRef": { "namespace": "bmengp1" }
}' | oc create -f -

2. Create a role in my own project
$ echo '{
  "kind": "Role",
  "apiVersion": "v1beta3",
  "metadata": { "name": "viewservices", "namespace": "bmengp1" },
  "rules": [
    { "verbs": [ "get", "list", "watch" ], "resources": [ "services" ] }
  ]
}' | oc create -f -

3. Add the role to any user
$ oc policy add-role-to-user viewservices bmenguser1 --role-namespace=bmengp1

4. Delete the role which already has a binding
$ oc delete role viewservices -n bmengp1

5. Trying to get projects with my user gets nothing
$ oc get project --loglevel=4
NAME      DISPLAY NAME   STATUS

6. Delete the orphan rolebinding from my project
$ oc delete rolebinding viewservices

7. Repeat step 5
# oc get project --loglevel=4
NAME      DISPLAY NAME   STATUS
bmengp1                  Active
Opened pull to allow missing role resolution. `oc get project` was vulnerable because it relied on an RAR, other actions were not, because the authorizer already allows some resolutions to fail. See https://github.com/openshift/origin/pull/4809
Checked with devenv-fedora_2444, and issue in https://bugzilla.redhat.com/show_bug.cgi?id=1192310#c4 has been fixed, so verify this.