Hide Forgot
Description of problem: To check who has the dedicated-cluster-admin role, # oc get rolebinding can work by admin users (operation team). However, there are no way to see it by Dedicated users. Version-Release number of selected component (if applicable): - OpenShift Dedicated (v3) How reproducible: Steps to Reproduce: 1. # oc get rolebinding by dedicated users. Actual results: - They can find who has the dedicated-cluster-admin Expected results: - They can find who has the dedicated-cluster-admin. (Or some other way to find who has the dedicated-cluster-admin role.) Additional info: - For workaround, create new project with another users and see if they can see the project with the user. It really bothers users.
What is the use case? Is a non admin user trying to find the dedicated cluster admin so they can contact them? Or are they trying to find out if they have the dedicated cluster admin role themselves?
> Or are they trying to find out if they have the dedicated cluster admin role themselves? The latter one. They are trying to find out if they have the dedicated cluster admin role themselves. When the users asked us to add dedicated-cluster-admin and operation team added it, they often asked "how to confirm it?". Also, sometimes they don't remember if an user have the admin role or not.
if the user tries to list rolebindings and is rejected, then they don't have the dedicated-cluster-admin role ops can already list rolebindings what level of user is wanting access to this information? a user who is an editor or viewer in a project?
> if the user tries to list rolebindings and is rejected, then they don't have the dedicated-cluster-admin role You mean "oc get rolebinding -n <USER's PROJECT>" or "oc get rolebinding -n default"? I think "oc get rolebinding -n <USER's PROJECT>" could work any users without cluster-admin role, so you meant -n default? > what level of user is wanting access to this information? a user who is an editor or viewer in a project? Both. I don't think there is any harm if any user could see who has the admin role.
> You mean "oc get rolebinding -n <USER's PROJECT>" or "oc get rolebinding -n default"? I think "oc get rolebinding -n <USER's PROJECT>" could work any users without cluster-admin role, so you meant -n default? I think we're talking past each other :) If a user has the admin or dedicated-cluster-admin role in a namespace, they can already view role assignments using `oc get rolebinding -n <project>` > I don't think there is any harm if any user could see who has the admin role. We don't expose role assignments to edit and view users by default.
> If a user has the admin or dedicated-cluster-admin role in a namespace, they can already view role assignments using `oc get rolebinding -n <project>` Oh.. When I asked operation team, they answered that the users have to check it with creating new project from other users and check bra bra bra... And they didn't say "oc get rolebinding" work with customers at all. Thank you. If the users can see it by themselvs via `oc get rolebinding -n <project>`, this RFE is not necessasry.