Bug 1333049 - system:admin can't create projects with oc
Summary: system:admin can't create projects with oc
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: unspecified
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: David Eads
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks: OSOPS_V3
Reported: 2016-05-04 14:57 UTC by Sten Turpin
Modified: 2019-03-29 15:49 UTC (History)

Fixed In Version: atomic-openshift-3.2.0.45-1.git.0.a2ee9db.el7
Doc Type: Bug Fix
Doc Text:
For users with a "system:" prefix on an environment with the ProjectRequestLimit plug-in enabled, the `oc new-project <project_name>` command failed with an "Invalid value" error. This bug fix updates OpenShift Enterprise to allow project request limits on system users and service accounts, and as a result users with a "system:" prefix can now create new projects as expected.
Clone Of:
Environment:
Last Closed: 2016-06-09 21:10:51 UTC
Target Upstream Version:
Embargoed:


Attachments
output of oc-process of the project-request template in default project (5.53 KB, text/plain)
2016-05-04 14:57 UTC, Sten Turpin
expurgated (no cert data) admin.kubeconfig (934 bytes, text/plain)
2016-05-04 14:59 UTC, Sten Turpin


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1221 0 normal SHIPPED_LIVE Red Hat OpenShift Enterprise 3.2 bug fix update 2016-06-10 01:10:20 UTC

Description Sten Turpin 2016-05-04 14:57:54 UTC
Created attachment 1153901 [details]
output of oc-process of the project-request template in default project

Description of problem: 
on a 3.2 cluster, system:admin can't create new projects


Version-Release number of selected component (if applicable):
3.2.0.40-1.git.0.d721e8f

How reproducible: 
always, on dev-preview-int cluster


Steps to Reproduce:
1. as system:admin, use "oc new-project" to create a new project
2.
3.

Actual results:
Error from server: metadata.name: Invalid value: "system:admin": may not contain ":"

Expected results:
Project created

Additional info:

Comment 1 Sten Turpin 2016-05-04 14:59:55 UTC
Created attachment 1153902 [details]
expurgated (no cert data) admin.kubeconfig

Comment 2 weiwei jiang 2016-05-05 05:12:49 UTC
This only happens when you create a project via a user with the prefix "system:" with the command `oc new-project <project name>` on an env with the ProjectRequestLimit plugin enabled.

And for the system:admin user we'd better create projects via `oadm new-project <project name>`.

Comment 3 David Eads 2016-05-05 17:04:58 UTC
> command `oc new-project <project name>` on a ProjectRequestLimit plugin enabled env.


Thanks for that.  I think I see it and I'll think about it.  Without an actual user or SA, perhaps we should simply allow it.

Comment 4 David Eads 2016-05-05 20:33:32 UTC
opened https://github.com/openshift/origin/pull/8766

Comment 6 weiwei jiang 2016-05-26 07:52:29 UTC
checked with devenv-rhel7_4273, and the issue has been fixed.
# oc whoami 
system:admin
# oc new-project project1
Now using project "project1" on server "https://172.18.130.27:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.

#oc new-project project2 #(with maxProjectsForSystemUsers: 1)
Error from server: projectrequests "project2" is forbidden: user system:admin cannot create more than 1 project(s).

And same result on puddle atomic-openshift-3.2.0.45-1.git.0.a2ee9db.el7.x86_64

Since a serviceaccount cannot send to the projectrequest API, there is no need to check with serviceaccounts.
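
For reference, an added example (not part of the bug report or of any comment above) of where the `maxProjectsForSystemUsers` setting from Comment 6 sits in the master configuration's ProjectRequestLimit plug-in stanza. The `level` label key and the `maxProjects` numbers are constructed sample values.

```yaml
# Constructed example of a ProjectRequestLimit admission plug-in stanza.
admissionConfig:
  pluginConfig:
    ProjectRequestLimit:
      configuration:
        apiVersion: v1
        kind: ProjectRequestLimitConfig
        # Limits for regular users are selected by labels on the User object
        # and evaluated in order. Label key "level" and the numbers are samples.
        limits:
        - selector:
            level: admin      # no maxProjects: unlimited for these users
        - selector:
            level: advanced
          maxProjects: 10
        - maxProjects: 2      # no selector: default for everyone else
        # Users with the "system:" prefix (for example system:admin) have no
        # User object to carry labels, so they get a single flat cap.
        # The value 1 mirrors the setting used in Comment 6.
        maxProjectsForSystemUsers: 1
```

With this cap in place on a fixed build, the second `oc new-project` by system:admin is rejected with the "cannot create more than 1 project(s)" error shown in Comment 6 instead of the "Invalid value" error from the original report.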

Comment 7 weiwei jiang 2016-05-26 07:53:14 UTC
And same result on puddle atomic-openshift-3.2.0.45-1.git.0.a2ee9db.el7.x86_64.

So the issue has been fixed.

Comment 9 errata-xmlrpc 2016-06-09 21:10:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1221

