Bug 1278353 - Could not remove the service account if using -z/--serviceaccount as argument to add role
Could not remove the service account if using -z/--serviceaccount as argumen...
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Command Line Interface (Show other bugs)
3.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: David Eads
Wei Sun
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-05 05:26 EST by Wei Sun
Modified: 2016-05-12 13:15 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-12 13:15:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Wei Sun 2015-11-05 05:26:57 EST
Description of problem:
Add a role to the service accounts using -z/--serviceaccount as argument,and then remove them using -z/--serviceaccount as argument,or remove them using "oc policy remove-role-from-user admin system:serviceaccount:wsuntest:default",the service account could not be removed.



Version-Release number of selected component (if applicable):
# oc version 
oc v1.0.7-287-g60781e3
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
devnenv_rhel7-2638

How reproducible:
Always

Steps to Reproduce:
1.Check who is admin 
# oc get rolebinding/admins -n wsuntest
2.Add the serviceaccounts to the role
# oc policy add-role-to-user admin -z=defalut --serviceaccount=three -n wsuntest
3.Check if the service accounts are added to admin role
# oc get rolebinding/admins -n wsuntest
4.Remove the serviceaccounts from the role with -z/--serviceaccount
# oc policy remove-role-from-user admin -z=default --serviceaccount=three -n wsuntest
5.Check if the service accounts are removed from admin role
# oc get rolebinding/admins -n wsuntest
6.Remove the serviceaccounts from the role whithout -z/--serviceaccount
oc policy remove-role-from-user admin system:serviceaccount:wsuntest:default -n wsuntest
7.Check if the service accounts are removed from admin role
#  oc get rolebinding/admins -n wsuntest
8.Add the serviceaccounts to the role,but don't use -z
# oc policy add-role-to-user admin system:serviceaccount:wsuntest:one -n wsuntest
9.Check if the service accounts are removed from admin role
#  oc get rolebinding/admins -n wsuntest
10.Remove the serviceaccounts from the role
# oc policy remove-role-from-user admin system:serviceaccount:wsuntest:one -n wsuntest
11.Check if the service accounts are removed from admin role

Actual results:
1.# oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin   

3.# oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin             defalut, three     

5# oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin             defalut, three 

7.#  oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin             defalut, three     

9.#  oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS      SUBJECTS
admins    /admin    system:admin             defalut, three, one  

11.The service account "one" is removed
#  oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin             defalut, three

Expected results:
5.7 Could remove "default" and "three" service accounts

Additional info:
Comment 1 David Eads 2015-11-05 10:50:43 EST
Also fixed by https://github.com/openshift/origin/pull/5730 .  Be sure to fix the `defalut` typo.
Comment 2 Paul Weil 2015-11-09 09:40:02 EST
Marking as upcoming release since this is slated for the 1.1.1 milestone
Comment 3 Wei Sun 2015-11-16 20:49:08 EST
Tested this bug against the devenv-rhel7_2717,now could  remove the service account if using -z/--serviceaccount as argument to add role.After the bug is moved to ON_QA,I'll verify it.
Comment 4 Wei Sun 2015-11-17 21:42:26 EST
According to #Comment 3 ,verified this bug.

Note You need to log in before you can comment on or make changes to this bug.