Red Hat Bugzilla – Bug 1316460
Cluster admin should not return blank when get resource from non-existed project
Last modified: 2016-10-30 18:54:27 EDT
Description of problem:
A cluster-admin user only gets a blank result, but a non-cluster-admin user can get the info about the project being non-existent. At least the cluster-admin user should be the same as a normal user (non-cluster-admin user).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Log in as a cluster-admin user
2. Try to list resources from a non-existent project
`oc list dc -n nonexistedblabla`
3. Try to reproduce with a non-cluster-admin user; this is not reproduced
Step 2 - returns blank
Should be the same as with a non-cluster-admin user.
i.e. Error from server: User "xiaocwan1" cannot list deploymentconfigs in project "nonexistedblabla"
A cluster admin has permission to list items in any namespace, so the "permission denied" error will never be returned to them.
Yes, I don't think "permission denied" error should be returned either.
It seems it should return the correct info about the non-existent project no matter what role the user has. What do you think?
This is working as designed. No namespace existence check is done when getting or listing objects of a given type if the user has permission across all namespaces (like a cluster admin does).
A similar change was proposed upstream in https://github.com/kubernetes/kubernetes/pull/15543 and rejected.
OK then, it seems the case is too old; I'll update the case. Thanks