Bug 1262696 - oc login should not give misleading message "oc new-project <projectname>" to authenticated user after it logins when access to request project disabled
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Command Line Interface
Version: 3.x
Priority: medium
Severity: low
Assigned To: Juan Vallejo
Wei Sun
Reported: 2015-09-14 03:00 EDT by Xingxing Xia
Modified: 2017-05-30 08:50 EDT
Doc Type: Bug Fix
Doc Text:
Cause: `oc login` suggested the use of `oc new-project` to users after authentication, even if the user had no access to request new projects.
Consequence: This message was misleading, as it would guide users without projectrequest rights to perform a request they were unauthorized to perform.
Fix: The message was modified for users without access to request new projects.
Result: For users without access to request new projects, the message after authentication with `oc login` is now "You do not have access to create new projects, contact your system administrator to request a project."
Last Closed: 2017-05-30 08:50:43 EDT
Type: Bug
Description Xingxing Xia 2015-09-14 03:00:34 EDT
Description of problem:
oc login should not give misleading message "oc new-project <projectname>" to authenticated user after it logins when access to request project disabled

Version-Release number of selected component (if applicable):
openshift v1.0.5-344-gd9fb965
oc v1.0.5-344-gd9fb965
kubernetes v1.1.0-alpha.0-1605-g44c91b1

How reproducible:
Always

Steps to Reproduce:
1. Disable access to request project with cluster-admin
# oadm policy remove-cluster-role-from-group self-provisioner system:authenticated --config=openshift.local.config/master/admin.kubeconfig

2. Log in terminal with a normal user

Actual results:
2. After login ok, the following message shows up:
You don't have any projects. You can try to create a new project, by running

    $ oc new-project <projectname>

Expected results:
2. Now that authenticated users' access to request project is totally disabled, oc login should not give misleading message "oc new-project <projectname>". Instead, CLI should prompt something like:
     Contact your system administrator to request a project.
Comment 1 Juan Vallejo 2016-11-14 11:23:56 EST
Related PR: https://github.com/openshift/origin/pull/11904
Comment 2 Xingxing Xia 2016-11-16 03:02:56 EST
Verified on devenv-fedora_5365, openshift v1.4.0-alpha.1+7412a0e-193
Now it prompts "not have access to create new projects ..." to user.

$ oadm policy remove-cluster-role-from-group self-provisioner system:authenticated --config=openshift.local.config/master/admin.kubeconfig

$ oadm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth --config=openshift.local.config/master/admin.kubeconfig # Now requires this step

$ oc login
Authentication required for https://localhost:8443 (openshift)
Username: star
Password: 
Login successful.

You do not have access to create new projects, contact your system administrator to request a project.
Comment 3 Juan Vallejo 2016-11-30 13:02:00 EST
Updated PR: https://github.com/openshift/origin/pull/12008
Comment 4 XiaochuanWang 2016-12-13 00:56:18 EST
When Origin and OCP 3.4 merge the fix, will it be backported to OCP 3.3?
Comment 5 Fabiano Franz 2016-12-13 12:58:10 EST
No backport to OCP 3.3 planned.
Comment 6 XiaochuanWang 2016-12-14 21:56:17 EST
Issue in comment 2 is not reproduced on OCP v3.4.0.37
But it seems this fix https://github.com/openshift/origin/pull/12008 is still not merged in OCP v3.4.0.37
Is there any plan to merge the fix into OCP?
Comment 7 Juan Vallejo 2016-12-15 09:52:41 EST
I am not sure if there are plans to backport this fix.
Comment 8 Fabiano Franz 2016-12-15 15:07:14 EST
Most likely the commit will only be in v3.5 along with everything else. This is not severe enough to justify a backport.
Comment 9 Xingxing Xia 2016-12-15 23:21:56 EST
Considering Origin PR 12008 is merged in origin repo and works well in Origin env, could you please move bug to ON_QA so it will be moved to VERIFIED?

Verification steps in Origin env:

$ oc version
oc v1.5.0-alpha.0+6b08947-378
...

Make sure auth users can create projectrequests. This is default if remove-cluster-role-from-group is not done for below cluster role and group. If done, revert by:
$ oadm policy add-cluster-role-to-group self-provisioner system:authenticated:oauth

1st, remove the verb 'list' from 'projectrequests'
$ oc edit clusterrole basic-user --config /openshift.local.config/master/admin.kubeconfig
clusterrole "basic-user" edited

2nd, oc login
$ oc login https://master:8443
Authentication required for https://master:8443 (openshift)
Username: xxia
Password:
Login successful.

You do not have access to create new projects, contact your system administrator to request a project.

3rd, try new-project
$ oc new-project xxia-proj
Error from server: User "xxia" cannot list all projectrequests in the cluster
Comment 10 XiaochuanWang 2016-12-18 20:12:13 EST
Verified on oc/openshift v1.5.0-alpha.0+48b0a74-434

1) By editing the role:
# oc edit clusterrole basic-user --config /openshift.local.config/master/admin.kubeconfig
clusterrole "basic-user" edited
# oc login
Login successful.

You do not have access to create new projects, contact your system administrator to request a project.

2) By removing groups:
# oadm policy remove-cluster-role-from-group self-provisioner system:authenticated 
# oadm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
# oc login
Login successful.

You do not have access to create new projects, contact your system administrator to request a project.
