Bug 1313906 - oc create ignores policy name
Status: CLOSED NOTABUG
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: David Eads
QA Contact: weiwei jiang
Reported: 2016-03-02 10:19 EST by Evgheni Dereveanchin
Modified: 2016-10-30 18:54 EDT
Doc Type: Bug Fix
Last Closed: 2016-03-04 09:48:11 EST
Type: Bug
Description Evgheni Dereveanchin 2016-03-02 10:19:14 EST
Description of problem:
When creating a policy using "oc create" the name is ignored and "default" policy is created

Version-Release number of selected component (if applicable):
# oc version
oc v3.1.1.6-16-g5327e56
kubernetes v1.1.0-origin-1107-g4c8e6f4
# rpm -q atomic-openshift-master
atomic-openshift-master-3.1.1.6-3.git.16.5327e56.el7aos.x86_64

How reproducible:
always

Steps to Reproduce:
1. create new project 
 oc new-project test
2. try to create test policy

oc create -f - <<EOF
apiVersion: v1
kind: Policy
metadata:
  name: test
roles:
- name: test
  role:
    metadata:
      name: test
      namespace: test
    rules:
    - apiGroups: null
      attributeRestrictions: null
      resources:
      - pods
      verbs:
      - get
      - create
EOF

Actual results:
policy "default" created


Expected results:
policy "test" created


Additional info:
this leads to issues when several policies need to exist: this will produce an error saying:
Error from server: error when creating "STDIN": policy "default" already exists


also, oc replace seems to parse this correctly:

oc replace -f - <<EOF
apiVersion: v1
kind: Policy
metadata:
  name: test
roles:
- name: test
  role:
    metadata:
      name: test
      namespace: test
    rules:
    - apiGroups: null
      attributeRestrictions: null
      resources:
      - pods
      verbs:
      - get
      - create
EOF

Error from server: error when replacing "STDIN": policy "test" not found

note that the policy name is "test" in the error message, not "default"
Comment 1 Evgheni Dereveanchin 2016-03-02 10:22:17 EST
also here are the resulting policies that are created

# oc get policy 
NAME      ROLES     LAST MODIFIED
default   test      0001-01-01 00:00:00 +0000 UTC

# oc get policy default -o yaml
apiVersion: v1
kind: Policy
lastModified: null
metadata:
  creationTimestamp: 2016-03-02T15:17:53Z
  name: default
  namespace: "test"
  resourceVersion: "3791510"
  selfLink: /oapi/v1/namespaces/test/policies/default
  uid: ef5e1fad-e089-11e5-b5e6-52540091350e
roles:
- name: test
  role:
    metadata:
      creationTimestamp: null
      name: test
      namespace: test
    rules:
    - apiGroups: null
      attributeRestrictions: null
      resources:
      - pods
      verbs:
      - create
      - get
Comment 2 Jordan Liggitt 2016-03-03 10:47:14 EST
correct, only a single policy per namespace is currently allowed.
Comment 3 David Eads 2016-03-03 10:55:52 EST
Roles are intended to be the primary mode of interacting with Policies.  The Policy object is an artifact of the storage mechanism.
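
Added example, not part of the original bug thread and not OpenShift project code: a pre-flight check that takes a Policy manifest like the one in the report, warns that its name will not be kept, and splits it into the individual Role objects that Comment 3 describes as the intended interface. The function name policy_to_roles and the emitted "kind: Role" / "apiVersion: v1" shape are assumptions to verify against your cluster version; the sample input is reconstructed from the report.

```python
import json

# Constructed sample: the Policy manifest from the report, written as a dict.
REPORTED_POLICY = {
    "apiVersion": "v1",
    "kind": "Policy",
    "metadata": {"name": "test"},
    "roles": [{
        "name": "test",
        "role": {
            "metadata": {"name": "test", "namespace": "test"},
            "rules": [{"apiGroups": None, "attributeRestrictions": None,
                       "resources": ["pods"], "verbs": ["get", "create"]}],
        },
    }],
}


def policy_to_roles(policy):
    """Split a Policy manifest into Role objects; return (warnings, roles)."""
    if policy.get("kind") != "Policy":
        raise ValueError("expected kind Policy, got %r" % policy.get("kind"))
    warnings = []
    name = (policy.get("metadata") or {}).get("name")
    if name != "default":
        # Behaviour reported in this bug: the requested name is not kept.
        warnings.append('policy name %r is ignored; the object is stored as "default"' % name)
    roles = []
    for entry in policy.get("roles") or []:
        role = entry.get("role") or {}
        meta = dict(role.get("metadata") or {})
        if entry.get("name") != meta.get("name"):
            warnings.append("roles[] key %r does not match role name %r"
                            % (entry.get("name"), meta.get("name")))
        # Assumption: kind Role with apiVersion v1 is what the cluster accepts.
        roles.append({"apiVersion": "v1", "kind": "Role",
                      "metadata": meta, "rules": role.get("rules") or []})
    return warnings, roles


if __name__ == "__main__":
    found, converted = policy_to_roles(REPORTED_POLICY)
    for message in found:
        print("warning:", message)
    for obj in converted:
        print(json.dumps(obj, indent=2))  # one document per Role, for oc create -f
```
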
