Bug 1316460 - Cluster admin should not return blank when get resource from non-existed project
Product: OpenShift Origin
Classification: Red Hat
Component: Auth
Severity: low
Assigned To: Jordan Liggitt
weiwei jiang
Reported: 2016-03-10 05:17 EST by XiaochuanWang
Modified: 2016-10-30 18:54 EDT
Doc Type: Bug Fix
Last Closed: 2016-05-12 13:10:46 EDT
Type: Bug
Description XiaochuanWang 2016-03-10 05:17:36 EST
Description of problem:
A cluster-admin user only gets blank output, but a non-cluster-admin user can get the info about the non-existent project. At least a cluster-admin user should be the same as a normal user (not a cluster-admin user).

Version-Release number of selected component (if applicable):
oc v1.1.3-553-g19dbf2a
kubernetes v1.2.0-alpha.7-703-gbc4550d

How reproducible:

Steps to Reproduce:
1. Log in as a cluster-admin user
2. Try to list a resource from a non-existent project
`oc list dc -n nonexistedblabla`
3. Try to reproduce with a non-cluster-admin user; this is not reproduced

Actual results:
Step 2 - returns blank

Expected results:
Should be the same as with a non-cluster-admin user.
i.e. Error from server: User "xiaocwan1" cannot list deploymentconfigs in project "nonexistedblabla"

Additional info:
Comment 1 Jordan Liggitt 2016-03-10 13:59:53 EST
A cluster admin has permission to list items in any namespace, so the "permission denied" error will never be returned to them.
Comment 2 XiaochuanWang 2016-03-11 00:15:27 EST
Yes, I don't think a "permission denied" error should be returned either.
It seems it should return the correct info about the non-existent project no matter what role the user has. What do you think?
Comment 3 Jordan Liggitt 2016-03-11 00:31:09 EST
This is working as designed. No namespace existence check is done when getting or listing objects of a given type if the user has permission across all namespaces (like a cluster admin does).

A similar change was proposed upstream in https://github.com/kubernetes/kubernetes/pull/15543 and rejected.
Comment 4 XiaochuanWang 2016-03-11 02:04:49 EST
Ok then, seems the case is too old, I'll update the case. Thanks
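
A cluster admin who needs to tell an empty project apart from a nonexistent one can check the namespace object before listing. The following is an added example, not part of the original bug report or the OpenShift code; `safe_list` is a hypothetical helper name, and it assumes `oc` is on the PATH and logged in to the cluster.

```shell
# Added example: list a resource type only after confirming the namespace exists.
# safe_list is a hypothetical helper; it relies only on the real `oc get` command.
safe_list() {
    resource=$1
    ns=$2
    if [ -z "$resource" ] || [ -z "$ns" ]; then
        echo "usage: safe_list RESOURCE NAMESPACE" >&2
        return 2
    fi
    # A cluster admin is authorized in every namespace, so a list request in a
    # nonexistent namespace succeeds and prints nothing. Requesting the
    # namespace object itself fails when it does not exist, which removes
    # the ambiguity between "empty" and "missing".
    if ! oc get namespace "$ns" >/dev/null 2>&1; then
        echo "namespace \"$ns\" not found (or not readable by this user)" >&2
        return 1
    fi
    # Namespace exists: an empty result now really means "no such objects".
    oc get "$resource" -n "$ns"
}
```

For example, `safe_list dc nonexistedblabla` returns exit status 1 with a message on stderr instead of blank output.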
