Bug 1316460 - Cluster admin should not return blank when get resource from non-existed project
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: ---
Assignee: Jordan Liggitt
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-10 10:17 UTC by XiaochuanWang
Modified: 2019-03-29 15:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-12 17:10:46 UTC
Target Upstream Version:
Embargoed:



Description XiaochuanWang 2016-03-10 10:17:36 UTC
Description of problem:
A cluster-admin user only gets a blank result, but a non-cluster-admin user can get the info about the non-existent project. At least the cluster-admin user should behave the same as a normal user (not a cluster-admin user).

Version-Release number of selected component (if applicable):
oc v1.1.3-553-g19dbf2a
kubernetes v1.2.0-alpha.7-703-gbc4550d

How reproducible:
Always

Steps to Reproduce:
1. Log in as a cluster-admin user
2. Try to list a resource from a non-existent project
`oc list dc -n nonexistedblabla`
3. Try to reproduce with a non-cluster-admin user; this is not reproduced

Actual results:
Step 2 - returns blank

Expected results:
Should be the same as with a non-cluster-admin user.
i.e. Error from server: User "xiaocwan1" cannot list deploymentconfigs in project "nonexistedblabla"

Additional info:

Comment 1 Jordan Liggitt 2016-03-10 18:59:53 UTC
A cluster admin has permission to list items in any namespace, so the "permission denied" error will never be returned to them.

Comment 2 XiaochuanWang 2016-03-11 05:15:27 UTC
Yes, I don't think a "permission denied" error should be returned either.
It seems it should return the correct info about the non-existent project no matter what role the user has. What do you think?

Comment 3 Jordan Liggitt 2016-03-11 05:31:09 UTC
This is working as designed. No namespace existence check is done when getting or listing objects of a given type if the user has permission across all namespaces (like a cluster admin does).

A similar change was proposed upstream in https://github.com/kubernetes/kubernetes/pull/15543 and rejected.

Comment 4 XiaochuanWang 2016-03-11 07:04:49 UTC
Ok then, seems the case is too old, I'll update the case. Thanks
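
The behaviour discussed in this thread, as an added example that is not part of the bug report or of the Kubernetes/OpenShift code: a simplified Python model in which authorization runs before the storage query and no namespace existence check is made. The user `admin1`, the `demo` project, the sample objects and all function names are assumptions; `list_checked` shows one way admin tooling can tell an empty project from a missing one.

```python
# Simplified model (an assumption, not Kubernetes/OpenShift source) of the
# request path described in Comment 3: authorization runs first, then the
# storage query; nothing verifies that the namespace exists.

class Forbidden(Exception):
    pass

# Constructed sample state.
NAMESPACES = {"demo"}
OBJECTS = [{"kind": "deploymentconfigs", "namespace": "demo", "name": "frontend"}]
CLUSTER_ROLES = {"admin1": {("list", "deploymentconfigs")}}  # valid in all namespaces
NAMESPACE_ROLES = {("xiaocwan1", "demo"): {("list", "deploymentconfigs")}}


def authorize(user, verb, resource, namespace):
    """Allow if a cluster-wide grant or a grant bound in this namespace matches."""
    if (verb, resource) in CLUSTER_ROLES.get(user, set()):
        return  # cluster-wide grant: the namespace is never consulted
    if (verb, resource) in NAMESPACE_ROLES.get((user, namespace), set()):
        return
    raise Forbidden(f'User "{user}" cannot {verb} {resource} in project "{namespace}"')


def list_objects(user, resource, namespace):
    """Authorize, then filter storage by namespace. No existence check."""
    authorize(user, "list", resource, namespace)
    return [o for o in OBJECTS
            if o["kind"] == resource and o["namespace"] == namespace]


def list_checked(user, resource, namespace):
    """Tooling variant: separate 'empty project' from 'no such project'.

    Authorization still runs first, so a user without access gets Forbidden
    before the existence check is reached.
    """
    items = list_objects(user, resource, namespace)
    if not items and namespace not in NAMESPACES:
        raise LookupError(f'namespace "{namespace}" not found')
    return items
```
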

