Description of problem: Trying to add a clusterrole to user causes 401 unauthorized error; however using the same user to add a different clusterrole with identical yaml works fine. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: $ oc policy add-role-to-user acc_edit myuser $ oc policy add-role-to-user sdaas_edit myuser Actual results: $ oc policy add-role-to-user acc_edit myuser $ oc policy add-role-to-user sdaas_edit myuser error: You must be logged in to the server (attempt to grant extra privileges: [PolicyRule{Verbs:[get], APIGroups:[], Resources:[limitranges], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[limitranges], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[limitranges], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[namespaces], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[namespaces], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[namespaces], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[namespaces/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[namespaces/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[namespaces/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[persistentvolumes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[persistentvolumes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[persistentvolumes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[bindings], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[bindings], ResourceNames:[], 
Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[bindings], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[securitycontextconstraints], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[securitycontextconstraints], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[securitycontextconstraints], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[imagestreams/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[imagestreams/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[imagestreams/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[nodes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[nodes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[nodes], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[resourcequotas], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[resourcequotas], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[resourcequotas], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[resourcequotas/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[resourcequotas/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], 
Resources:[resourcequotas/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[events], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[events], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[events], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[replicationcontrollers/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[replicationcontrollers/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[replicationcontrollers/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[resourcequotausages], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[resourcequotausages], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[resourcequotausages], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[minions], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[minions], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[minions], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[pods/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[pods/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[watch], APIGroups:[], Resources:[pods/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[update], APIGroups:[], Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>}] user=&{acc-lae-admin.gen 6527a266-68fb-11e6-a01d-005056acedd5 [system:authenticated:oauth system:authenticated]} 
ownerrules=[PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[configmaps endpoints persistentvolumeclaims pods pods/attach pods/exec pods/log pods/portforward pods/proxy replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/log deploymentconfigrollbacks deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deployments generatedeploymentconfigs imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/secrets imagestreamtags localresourceaccessreviews localsubjectaccessreviews processedtemplates projects resourceaccessreviews rolebindings roles routes subjectaccessreviews templateconfigs templates], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[autoscaling], Resources:[horizontalpodautoscalers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[batch], Resources:[jobs], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[extensions], Resources:[horizontalpodautoscalers jobs replicationcontrollers/scale], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list watch], APIGroups:[extensions], Resources:[daemonsets], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list watch], APIGroups:[], Resources:[bindings configmaps endpoints events imagestreams/status limitranges minions namespaces namespaces/status nodes persistentvolumeclaims persistentvolumes pods pods/log pods/status policies policybindings 
replicationcontrollers replicationcontrollers/status resourcequotas resourcequotas/status resourcequotausages routes/status securitycontextconstraints serviceaccounts services], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get update], APIGroups:[], Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[update], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[delete], APIGroups:[], Resources:[oauthaccesstokens oauthauthorizetokens], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[users], ResourceNames:[~], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list], APIGroups:[], Resources:[clusterroles], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projects], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[localsubjectaccessreviews subjectaccessreviews], ResourceNames:[], Restrictions:&{{ }}} PolicyRule{Verbs:[create], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete update view], APIGroups:[], Resources:[limitranges resourcequotas], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create get], APIGroups:[], Resources:[buildconfigs/webhooks], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/source], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[patch update], APIGroups:[], Resources:[namespaces], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/custom], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/docker], ResourceNames:[], Restrictions:<nil>}] ruleResolutionErrors=[]) Expected results: Either both commands succeed or both fail. The reporter is using "add-role-to-user" rather than "add-cluster-role-to-user"; that creates a namespaced RoleBinding referencing the ClusterRole, and the server rejects the binding if the referenced role grants any rule the binding user does not already hold in that project (the "attempt to grant extra privileges" check). That distinction might explain why one call fails, but it does not explain why the other succeeds if the two roles are really identical; comparing the server-side definitions of the two clusterroles (`oc get clusterrole <name> -o yaml`) against the rules listed in the error would show whether they differ as stored. Note that "You must be logged in to the server" is only the client's rendering of the 401 status returned for this check; it is not an authentication failure, and the parenthesised rule list is the real cause. Additional info: Adding either role works fine when the user adding them has cluster-admin privileges (which covers every rule, so the escalation check always passes), but not when they are, for instance, just a project admin. I am getting information on the user being used to test. Providing more details in following comments.
I haven't been able to reproduce the issue, but I'm pretty sure the issue is related to a sequence involving: 1. copying default roles from a version of OpenShift that did not include apiGroups in role definitions 2. upgrading OpenShift to a version that included apiGroups in role definitions 3. reconciling default roles and removing extra permissions. If so, the copied role and the user's own rules would be compared under different apiGroups conventions (an absent group list versus the explicit "" core group), so the rule-coverage check could report rules as "extra" even though the owner rules above appear to list the same verbs and resources — the dump prints APIGroups:[] in both cases and does not make that difference visible. A diff of the two clusterroles' apiGroups fields, as stored on the server, would confirm or rule this out.