Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1382393 - Individual OpenShift Project Not Listing Even Though It Exists
Individual OpenShift Project Not Listing Even Though It Exists
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth (Show other bugs)
3.2.0
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Jordan Liggitt
Chuan Yu
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-06 10:32 EDT by Steven Walter
Modified: 2017-03-08 13 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Project visibility calculation failed if it encountered a rolebinding that referenced a missing role. Consequence: Projects containing a rolebinding that referenced a missing role would not appear when listing projects via the API. Fix: Skip rolebindings with invalid role references when evaluating project visibility. Result: Projects with invalid rolebindings still appear in the projects list if another valid rolebinding exists that grants access.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-18 07:42:00 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0066 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.4 RPM Release Advisory 2017-01-18 12:23:26 EST

  None (edit)
Description Steven Walter 2016-10-06 10:32:21 EDT 
Description of problem:
We are unable to see one project in webconsole or via the cli. We have about 20 projects and all are visible.

Version-Release number of selected component (if applicable):
3.2.0

How reproducible:
Unverified


Actual results:
[root@example master]# oc whoami
system:admin

[root@example master]# oc get projects | grep guests

[root@example master]# oc project mc-guests-test
Now using project "mc-guests-test" on server "https://ose-test.example.com:8443".

    We can however see the project if we directly use the full url
    https://ose-test.example.com:8443/console/project/name_of_project/overview


Expected results:
Would be able to see the project when running "oc get projects" or in console

Additional info:

# oadm policy who-can view namespaces
Namespace: mc-guests-test
Verb:      view
Resource:  namespaces

Users:  osadmin

Groups: system:cluster-admins
        system:masters

# oadm policy who-can list namespaces

Namespace: mc-guests-test
Verb:      list
Resource:  namespaces

Users:  deploy
        guest
        osadmin
        system:serviceaccount:logging:aggregated-logging-fluentd
        system:serviceaccount:management-infra:management-admin
        system:serviceaccount:openshift-infra:heapster
        system:serviceaccount:openshift-infra:namespace-controller
        system:serviceaccount:ose-test:default

Groups: system:cluster-admins
        system:cluster-readers
        system:masters
        system:nodes
Comment 1 Steven Walter 2016-10-06 10:33:16 EDT 
Given that there's a discrepancy between namespaces and projects I will have them run tests using the opposite, but opening the bug as they should still be appearing in the web console
Comment 4 Derek Carr 2016-10-07 10:44:24 EDT 
This appears to be an issue with either of the following:

a) project cache
b) authz
Comment 5 Jordan Liggitt 2016-10-10 13:17:10 EDT 
What user are you logged into the web console as?

Also, the right verb is "get", not "view"

Can you capture the following from the CLI:

oadm policy who-can get namespaces
oc whoami
oc get projects -o yaml --loglevel=8
oc get project/mc-guests-test -o yaml --loglevel=8
Comment 13 Jordan Liggitt 2016-10-20 14:15:15 EDT 
caused by an invalid roleRef in a rolebinding in the project.

this short-circuited resourceaccessreview evaluation used to populate the project acl cache.

fixed in https://github.com/openshift/origin/pull/11425
Comment 14 Troy Dawson 2016-10-28 15:56:31 EDT 
This has been merged into ose and is in OSE v3.4.0.17 or newer.
Comment 16 Chuan Yu 2016-11-02 02:40:49 EDT 
Verified.
openshift v3.4.0.18+ada983f
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0


1.oc new-project foo
2.oc create -f binding.yaml
3.oc get projects

Actual results: the project containing the policybinding still exist.
Comment 18 errata-xmlrpc 2017-01-18 07:42:00 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.