Bug 1382393 - Individual OpenShift Project Not Listing Even Though It Exists
Summary: Individual OpenShift Project Not Listing Even Though It Exists
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Jordan Liggitt
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-10-06 14:32 UTC by Steven Walter
Modified: 2019-12-16 07:01 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Project visibility calculation failed if it encountered a rolebinding that referenced a missing role. Consequence: Projects containing a rolebinding that referenced a missing role would not appear when listing projects via the API. Fix: Skip rolebindings with invalid role references when evaluating project visibility. Result: Projects with invalid rolebindings still appear in the projects list if another valid rolebinding exists that grants access.
Clone Of:
Environment:
Last Closed: 2017-01-18 12:42:00 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0066 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.4 RPM Release Advisory 2017-01-18 17:23:26 UTC

Description Steven Walter 2016-10-06 14:32:21 UTC 
Description of problem:
We are unable to see one project in webconsole or via the cli. We have about 20 projects and all are visible.

Version-Release number of selected component (if applicable):
3.2.0

How reproducible:
Unverified


Actual results:
[root@example master]# oc whoami
system:admin

[root@example master]# oc get projects | grep guests

[root@example master]# oc project mc-guests-test
Now using project "mc-guests-test" on server "https://ose-test.example.com:8443".

    We can however see the project if we directly use the full url
    https://ose-test.example.com:8443/console/project/name_of_project/overview


Expected results:
Would be able to see the project when running "oc get projects" or in console

Additional info:

# oadm policy who-can view namespaces
Namespace: mc-guests-test
Verb:      view
Resource:  namespaces

Users:  osadmin

Groups: system:cluster-admins
        system:masters

# oadm policy who-can list namespaces

Namespace: mc-guests-test
Verb:      list
Resource:  namespaces

Users:  deploy
        guest
        osadmin
        system:serviceaccount:logging:aggregated-logging-fluentd
        system:serviceaccount:management-infra:management-admin
        system:serviceaccount:openshift-infra:heapster
        system:serviceaccount:openshift-infra:namespace-controller
        system:serviceaccount:ose-test:default

Groups: system:cluster-admins
        system:cluster-readers
        system:masters
        system:nodes
Comment 1 Steven Walter 2016-10-06 14:33:16 UTC 
Given that there's a discrepancy between namespaces and projects I will have them run tests using the opposite, but opening the bug as they should still be appearing in the web console
Comment 4 Derek Carr 2016-10-07 14:44:24 UTC 
This appears to be an issue with either of the following:

a) project cache
b) authz
Comment 5 Jordan Liggitt 2016-10-10 17:17:10 UTC 
What user are you logged into the web console as?

Also, the right verb is "get", not "view"

Can you capture the following from the CLI:

oadm policy who-can get namespaces
oc whoami
oc get projects -o yaml --loglevel=8
oc get project/mc-guests-test -o yaml --loglevel=8
Comment 13 Jordan Liggitt 2016-10-20 18:15:15 UTC 
caused by an invalid roleRef in a rolebinding in the project.

this short-circuited resourceaccessreview evaluation used to populate the project acl cache.

fixed in https://github.com/openshift/origin/pull/11425
Comment 14 Troy Dawson 2016-10-28 19:56:31 UTC 
This has been merged into ose and is in OSE v3.4.0.17 or newer.
Comment 16 Chuan Yu 2016-11-02 06:40:49 UTC 
Verified.
openshift v3.4.0.18+ada983f
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0


1.oc new-project foo
2.oc create -f binding.yaml
3.oc get projects

Actual results: the project containing the policybinding still exist.
Comment 18 errata-xmlrpc 2017-01-18 12:42:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066
Note You need to log in before you can comment on or make changes to this bug.