Description of problem: We are running openshift-scripts-dedicated service. The user accounts have names in them. This is the output of /etc ========================================================================== OPTIONS="\ --project-role-file=/etc/openshift-dedicated/project-admin-role.json \ --cluster-role-file=/etc/openshift-dedicated/cluster-admin-role.json \ --skip-projects=default,openshift-infra \ --users='FName LName','FName2 LName2' \ --recreate \ --groups= \ --verbose \ " ========================================================================== The usernames on the system are "FName LName" and "FName2 LNAME2". When we run the rols, this is wha the role binding looks like: ========================================================================== RoleBinding[dedicated-cluster-admin]: Role: dedicated-cluster-admin Users: FName, LName, FName2, LName2 Groups: <none> ServiceAccounts: <none> Subjects: <none> ========================================================================== Notice these are not correct. We would expect the usernames to get put in properly. Version-Release number of selected component (if applicable): openshift-scripts-dedicated-3.2.1.2-1.el7.x86_64 Additional info: This is affecting dedicated admin customers.
Fixed with --> https://github.com/openshift/online/pull/368
Checked with latest code, and found work well. # python apply-dedicated-roles.py -u "Isaac Newton" -p dedicated-project-admin.json -c dedicated-cluster-admin.json -v Arguments to program: ProjectRole = dedicated-project-admin ClusterRole = dedicated-cluster-admin Users = ["'Isaac Newton'"] Groups = [] SkipProjects = ['default', 'openshift-infra'] ReCreate = False Verbose = True Checking OpenShift CLI command ... OK Checking OpenShift admin CLI command ... OK Getting cluster role dedicated-cluster-admin if exists ... OK Adding cluster role dedicated-cluster-admin to users 'Isaac Newton' ... ...................... # oc get rolebindings NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS system:deployers /system:deployer deployer system:image-builders /system:image-builder builder system:image-pullers /system:image-puller system:serviceaccounts:wjinag admin /admin wjiang, Isaac Newton dedicated-project-admin /dedicated-project-admin Isaac Newton
This is intentional - the ability to grant dedicated admin role to individual users via the script has been removed. You can now only specify groups to grant access and users can be added to the groups as a means to grant dedicated admin access to groups.