Description of problem:
Project admin user cannot list services|pods|... from the project since https://trello.com/c/lIazl3fA/314-3-propose-namespace-as-kind-upstream-deprecate-project-in-origin-manage-beta2 is merged, and the following resourcegroup should have already been out of date.

# osc describe --namespace=master policy default
Name:           default
Created:        2015-02-25 10:08:54 +0800 CST
Labels:         <none>
Last Modified:  2015-02-25 10:08:54 +0800 CST
admin   Verbs   Resources       Extension
        [create delete get list update watch]   [resourcegroup:exposedkube resourcegroup:exposedopenshift resourcegroup:granter]
        [get list watch]        [resourcegroup:allkube resourcegroup:policy]
basic-user      Verbs   Resources       Extension
        [get]   [users]
        [list]  [projects]
cluster-admin   Verbs   Resources       Extension
        [*]     [*]
        [*]     []
cluster-status  Verbs   Resources       Extension
        [get]   []
edit    Verbs   Resources       Extension
        [create delete get list update watch]   [resourcegroup:exposedkube resourcegroup:exposedopenshift]
        [get list watch]        [resourcegroup:allkube]
system:component        Verbs   Resources       Extension
        [*]     [*]
system:delete-tokens    Verbs   Resources       Extension
        [delete]        [oauthaccesstoken oauthauthorizetoken]
system:deployer Verbs   Resources       Extension
        [*]     [*]
view    Verbs   Resources       Extension
        [get list watch]        [resourcegroup:allkube resourcegroup:exposedopenshift]

Version-Release number of selected component (if applicable):
openshift v0.3.2-39-g3b05d7d
kubernetes v0.10.0-503-gc977a45

How reproducible:
always

Steps to Reproduce:
1. Clear the insecure roleBindings:
   openshift ex policy remove-group --namespace=master cluster-admin system:authenticated system:unauthenticated
2. Create a project whose admin is "anypassword:admin":
   # openshift ex new-project project4 --admin=anypassword:admin
3. Log in with anypassword:admin:
   openshift ex login -u admin -p redhat
4. Try to get pods|services for the project as the logged-in user.

Actual results:
# osc get pods --namespace=project0
F0225 13:26:25.481135 16164 get.go:164] request [&{Method:GET URL:https://10.66.131.184:8443/api/v1beta1/pods?namespace=project0 Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[] Body:<nil> ContentLength:0 TransferEncoding:[] Close:false Host:10.66.131.184:8443 Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr: RequestURI: TLS:<nil>}] failed (403) 403 Forbidden: Forbidden: "/api/v1beta1/pods?namespace=project0" denied by default

Expected results:
should have no error message.

Additional info:
# osc describe --namespace=project0 policyBindings master
Name:           master
Created:        2015-02-25 10:24:56 +0800 CST
Labels:         <none>
Last Modified:  2015-02-25 10:24:56 +0800 CST
Policy:         master
RoleBinding[admin]:
        Role:   admin
        Users:  [anypassword:admin]
        Groups: []

Confirmed bug. I'm holding the fix until I get an integration test in that makes sure this doesn't happen again.
Pull request https://github.com/openshift/origin/pull/1140, but at this point the integration test debt is bad enough to avoid committing until at least some of it has been addressed.
Merged with integration tests.
Checked with
# openshift version
openshift v0.3.2-107-gc516f4c
kubernetes v0.10.0-503-gc977a45
and this issue has been fixed.