Bug 1278354 - Could not remove the service account using -z/--serviceaccount as argument
Could not remove the service account using -z/--serviceaccount as argument
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Command Line Interface (Show other bugs)
3.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: David Eads
Wei Sun
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-05 05:27 EST by Wei Sun
Modified: 2016-05-12 13:13 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-12 13:13:56 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Wei Sun 2015-11-05 05:27:17 EST
Description of problem:
Add a role to the service account using -z/--serviceaccount as argument or add it using " oc policy add-role-to-user admin system:serviceaccount:wsuntest:two -n wsuntest",and then remove the service account with -z as argument ,but could not remove it successfully 

Version-Release number of selected component (if applicable):
# oc version 
oc v1.0.7-287-g60781e3
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
devnenv_rhel7-2638

How reproducible:
Always

Steps to Reproduce:
1.Check who is admin 
# oc get rolebinding/admins -n wsuntest
2.Add the serviceaccounts to the role with -z 
# oc policy add-role-to-user admin -z=defalut --serviceaccount=three -n wsuntest
3.Check if the service accounts are added to admin role
# oc get rolebinding/admins -n wsuntest
4.Remove the serviceaccounts from the role with -z
# oc policy remove-role-from-user admin -z=default --serviceaccount=three -n wsuntest
5.Check if the service accounts are removed from admin role
6.Add the service account to the role without -z
# oc policy add-role-to-user admin system:serviceaccount:wsuntest:two -n wsuntest
7.Check if the service accounts are added to admin role
# oc get rolebinding/admins -n wsuntest
8.Remove the serice account with -z
# oc policy remove-role-from-user admin -z=two -n wsuntest
9.Check if the service accounts are removed from admin role
#  oc get rolebinding/admins -n wsuntest

Actual results:
1.# oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin   

3.# oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin             defalut, three     

5.The service account "default" and "three" are not removed
# oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin             defalut, three 

7.#  oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS      SUBJECTS
admins    /admin    system:admin             defalut, three, two   

9.#  oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS      SUBJECTS
admins    /admin    system:admin             defalut, three, two

Expected results:
Could remove the service account using -z 

Additional info:
Comment 1 David Eads 2015-11-05 08:26:06 EST
See https://github.com/openshift/origin/pull/5730
Comment 2 Jordan Liggitt 2015-11-05 13:07:06 EST
Leaving ON_DEV until PR is in merge queue
Comment 3 Paul Weil 2015-11-09 09:39:54 EST
Marking as upcoming release since this is slated for the 1.1.1 milestone
Comment 4 Wei Sun 2015-11-16 05:28:06 EST
Tested this bug in devenv-rhel7_2712,now could remove the other service account using using -z/--serviceaccount as argument,but still could not remove the default service account .

[root@ip-172-18-15-26 /]# oc policy add-role-to-user admin -z=defalut --serviceaccount=three -n wsuntest
[root@ip-172-18-15-26 /]# oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin             defalut, three     
[root@ip-172-18-15-26 /]# oc policy remove-role-from-user admin -z=default --serviceaccount=three -n wsuntest
[root@ip-172-18-15-26 /]# oc get rolebinding/admins -n wsuntest
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admins    /admin    system:admin             defalut
Comment 5 David Eads 2015-11-16 07:56:46 EST
I think you have a typo in your test.  Note `defalut` in the add step, but `default` in the remove step.
Comment 6 Wei Sun 2015-11-16 20:45:04 EST
Verified on devenv-rhel7_2717.Now  Could  remove the service account using -z/--serviceaccount as argument

Note You need to log in before you can comment on or make changes to this bug.