Description of problem:
When trying to fix bug 1373448 in cockpit (Should not show 'docker tag' and 'docker push' message on ImageStream page when user without push role), I noticed that it seems impossible to find out the roles of the currently logged-in user if they are not an admin. It would be nice to not offer commands related to pushing images if the user only has a "registry-view" role and thus cannot actually push images (that's "registry-edit"). I read various documentation [1][2] and checked Google/Stackoverflow, to no avail. So this is at least a documentation issue, or possibly it's not currently allowed at all. See reproduction steps below for details.

[1] https://docs.openshift.com/container-platform/3.4/architecture/core_concepts/projects_and_users.html
[2] https://docs.openshift.com/container-platform/3.4/admin_solutions/user_role_mgmt.html

Version-Release number of selected component (if applicable):
# oc version
oc v1.4.1+3f9807a
kubernetes v1.4.0+776c994
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://10.111.112.101:8443
openshift v1.4.1+3f9807a
kubernetes v1.4.0+776c994

How reproducible:

Steps to Reproduce:
1. Log in as admin ("oc whoami" shows something like "system:admin").
2. Create some project and switch to it:
   # oc project myproj
3. Create a user who is a registry-viewer and another one who is a registry-editor:
   # oadm policy add-role-to-user registry-viewer pulluser
   # oadm policy add-role-to-user registry-editor pushuser
4. Create/log in as pushuser:
   # printf "pushuser\nabc\n" | oc login
5. Try to find anything about your capabilities/roles:
   # oc get images
   No resources found.
   Error from server: User "pushuser" cannot list all images in the cluster
   # oc describe roleBindings
   Error from server: User "pushuser" cannot list rolebindings in project "myproj"
   # oc describe policyBindings :default
   Error from server: User "pushuser" cannot get policybindings in project "myproj"
6. The same happens for pulluser.
Although that part would be okay, it'd be sufficient to have registry-editors be able to find out about their capabilities.
Have you looked at the 'oc can-i' command? You should be able to figure out if users can push. AFAIK, the registry-viewer/editor roles do not allow listing all images in the cluster (only cluster-admin can).
Indeed, "oc policy can-i update imagestreamimages" seems to do what I want. Many thanks for your help!
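The approach settled on in this thread, written out as an added example (it is not from the bug report and not cockpit's own code): instead of trying to read role bindings, which a non-admin user is denied, ask the API server whether the current user may perform the action itself and pick the registry hint from the answer. Assumptions: OC names an oc binary whose "policy can-i" prints "yes" or "no" on stdout (overridable so the logic can be exercised without a cluster); "update imagestreamimages" is the push check the thread confirms, and "get imagestreamimages" as the pull check is my assumption about the registry-viewer role; the project name is the first argument.

```shell
#!/bin/sh
# Added example: decide which registry instructions to show to the current user
# by asking the API server what the user may do, rather than listing role
# bindings (which the report shows a registry-viewer/editor cannot read).
#
# OC can be overridden (e.g. with a stub) for testing; by default it is "oc".
OC="${OC:-oc}"

# can_i VERB RESOURCE PROJECT
# Exit 0 if the logged-in user may perform VERB on RESOURCE in PROJECT.
# Assumes "oc policy can-i" prints "yes" or "no" on stdout.
can_i() {
    verb="$1"; resource="$2"; project="$3"
    answer=$("$OC" policy can-i "$verb" "$resource" -n "$project" 2>/dev/null)
    [ "$answer" = "yes" ]
}

# registry_hint PROJECT
# Prints "push" if the user may push images (the check named in the thread),
# "pull" if they may only read them (assumed registry-viewer capability),
# otherwise "none". A UI would only offer 'docker tag'/'docker push' on "push".
registry_hint() {
    project="$1"
    if can_i update imagestreamimages "$project"; then
        echo push
    elif can_i get imagestreamimages "$project"; then
        echo pull
    else
        echo none
    fi
}

# Usage: sh registry_hint.sh myproj
registry_hint "${1:-myproj}"
```

With an "oc" that is not logged in or not installed, every check fails closed and the script prints "none", so a missing binary never results in push instructions being shown.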