Bug 1365276 - openshift-scripts-dedicated does not support usernames with spaces in them.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: oc
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Assignee: Abhishek Gupta
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks: OSOPS_V3
Reported: 2016-08-08 19:16 UTC by Matt Woodson
Modified: 2017-01-04 06:18 UTC
Last Closed: 2016-10-04 13:08:22 UTC

Description Matt Woodson 2016-08-08 19:16:16 UTC
Description of problem:

We are running the openshift-scripts-dedicated service.  The user accounts have names in them.  This is the output of /etc

==========================================================================
OPTIONS="\
--project-role-file=/etc/openshift-dedicated/project-admin-role.json \
--cluster-role-file=/etc/openshift-dedicated/cluster-admin-role.json \
--skip-projects=default,openshift-infra \
--users='FName LName','FName2 LName2' \
--recreate \
--groups= \
--verbose \
"
==========================================================================

The usernames on the system are "FName LName" and "FName2 LNAME2".

When we run the roles, this is what the role binding looks like:

==========================================================================
RoleBinding[dedicated-cluster-admin]:                    
                                                        Role:                   dedicated-cluster-admin
                                                        Users:                  FName, LName, FName2, LName2
                                                        Groups:                 <none>
                                                        ServiceAccounts:        <none>
                                                        Subjects:               <none>
==========================================================================


Notice these are not correct. We would expect the usernames to get put in properly.


Version-Release number of selected component (if applicable):

openshift-scripts-dedicated-3.2.1.2-1.el7.x86_64




Additional info:

This is affecting dedicated admin customers.
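
The splitting seen in the role binding above can be reproduced offline. The following is an added example, not code from openshift-scripts-dedicated or from this report; it assumes the role is granted through an `oadm policy add-cluster-role-to-user` command built as a shell string (the page does not show the script's command construction), and all helper names are hypothetical.

```python
import shlex

ROLE = "dedicated-cluster-admin"
# Assumed CLI invocation; the report does not show how the script calls the CLI.
CLI = ["oadm", "policy", "add-cluster-role-to-user"]


def parse_users(value):
    """Split a --users value on commas, keeping quoted names with spaces whole."""
    lexer = shlex.shlex(value, posix=True)
    lexer.whitespace = ","          # commas separate names; spaces do not
    lexer.whitespace_split = True
    lexer.commenters = ""           # '#' is not a comment in a username list
    return [name.strip() for name in lexer if name.strip()]


def unquoted_command(role, users):
    """Failure mode: names joined into one shell string with no quoting."""
    return " ".join(CLI + [role] + users)


def quoted_command(role, users):
    """Same string form, but every name is shell-quoted first."""
    return " ".join(CLI + [role] + [shlex.quote(u) for u in users])


def subjects_seen(command):
    """Subjects the CLI receives once a shell has word-split the string."""
    return shlex.split(command)[len(CLI) + 1:]


def unintended_subjects(intended, bound):
    """Names present in a binding that nobody asked to grant the role to."""
    return sorted(set(bound) - set(intended))


if __name__ == "__main__":
    # Constructed input, copied from the --users value quoted in the report.
    users = parse_users("'FName LName','FName2 LName2'")
    broken = subjects_seen(unquoted_command(ROLE, users))
    fixed = subjects_seen(quoted_command(ROLE, users))
    print("intended:", users)
    print("unquoted:", broken, "->", unintended_subjects(users, broken))
    print("quoted:  ", fixed, "->", unintended_subjects(users, fixed))
```

Passing the names as a list to `subprocess` without `shell=True` avoids the quoting step entirely. The `unintended_subjects` check can also be run against the subjects of an existing binding to find names that were granted the role by a split like this one.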

Comment 1 Abhishek Gupta 2016-08-08 19:34:19 UTC
Fixed with --> https://github.com/openshift/online/pull/368

Comment 2 weiwei jiang 2016-08-09 09:09:45 UTC
Checked with the latest code, and found it works well.

# python apply-dedicated-roles.py -u "Isaac Newton" -p dedicated-project-admin.json -c dedicated-cluster-admin.json -v
Arguments to program:
	ProjectRole = dedicated-project-admin
	ClusterRole = dedicated-cluster-admin
	Users = ["'Isaac Newton'"]
	Groups = []
	SkipProjects = ['default', 'openshift-infra']
	ReCreate = False
	Verbose = True

Checking OpenShift CLI command ... 
OK
Checking OpenShift admin CLI command ... 
OK
Getting cluster role dedicated-cluster-admin if exists ... 
OK
Adding cluster role dedicated-cluster-admin to users 'Isaac Newton' ... 
......................


# oc get rolebindings
NAME                      ROLE                       USERS                  GROUPS                          SERVICE ACCOUNTS   SUBJECTS
system:deployers          /system:deployer                                                                  deployer           
system:image-builders     /system:image-builder                                                             builder            
system:image-pullers      /system:image-puller                              system:serviceaccounts:wjinag                      
admin                     /admin                     wjiang, Isaac Newton                                                      
dedicated-project-admin   /dedicated-project-admin   Isaac Newton

Comment 4 Abhishek Gupta 2017-01-04 06:18:05 UTC
This is intentional - the ability to grant dedicated admin role to individual users via the script has been removed. You can now only specify groups to grant access and users can be added to the groups as a means to grant dedicated admin access to groups.

