Description of problem:
When creating a policy using "oc create" the name is ignored and "default" policy is created

Version-Release number of selected component (if applicable):
# oc version
oc v3.1.1.6-16-g5327e56
kubernetes v1.1.0-origin-1107-g4c8e6f4
# rpm -q atomic-openshift-master
atomic-openshift-master-3.1.1.6-3.git.16.5327e56.el7aos.x86_64

How reproducible:
always

Steps to Reproduce:
1. create new project

oc new-project test

2. try to create test policy

oc create -f - <<EOF
apiVersion: v1
kind: Policy
metadata:
  name: test
roles:
- name: test
  role:
    metadata:
      name: test
      namespace: test
    rules:
    - apiGroups: null
      attributeRestrictions: null
      resources:
      - pods
      verbs:
      - get
      - create
EOF

Actual results:
policy "default" created

Expected results:
policy "test" created

Additional info:
this leads to issues when several policies need to exist: this will produce an error saying:

Error from server: error when creating "STDIN": policy "default" already exists

also, oc replace seems to parse this correctly:

oc replace -f - <<EOF
apiVersion: v1
kind: Policy
metadata:
  name: test
roles:
- name: test
  role:
    metadata:
      name: test
      namespace: test
    rules:
    - apiGroups: null
      attributeRestrictions: null
      resources:
      - pods
      verbs:
      - get
      - create
EOF
Error from server: error when replacing "STDIN": policy "test" not found

note that the policy name is "test" in the error message, not "default"
also here are the resulting policies that are created

# oc get policy
NAME      ROLES     LAST MODIFIED
default   test      0001-01-01 00:00:00 +0000 UTC

# oc get policy default -o yaml
apiVersion: v1
kind: Policy
lastModified: null
metadata:
  creationTimestamp: 2016-03-02T15:17:53Z
  name: default
  namespace: "test"
  resourceVersion: "3791510"
  selfLink: /oapi/v1/namespaces/test/policies/default
  uid: ef5e1fad-e089-11e5-b5e6-52540091350e
roles:
- name: test
  role:
    metadata:
      creationTimestamp: null
      name: test
      namespace: test
    rules:
    - apiGroups: null
      attributeRestrictions: null
      resources:
      - pods
      verbs:
      - create
      - get
Correct, only a single policy per namespace is currently allowed.
Roles are intended to be the primary mode of interacting with Policies. The Policy object is an artifact of the storage mechanism.