Bug 1423215 - [RFE] rolebinding selector support
[RFE] rolebinding selector support
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Mo
QA Contact: Chuan Yu
Keywords: Reopened
Depends On:
Blocks:
Reported: 2017-02-16 22:12 EST by Takayoshi Kimura
Modified: 2017-07-24 10 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: A bug existed in how policies are listed internally when used to build role bindings.
Consequence: Filtering of role bindings based on selectors did not work correctly.
Fix: The internal listing of policies was updated to the correct behavior.
Result: Filtering of role bindings based on selectors works as expected now.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-12 15:13:16 EDT
Type: Bug
Regression: ---
External Trackers
Tracker ID: Red Hat Product Errata RHBA-2017:0884
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat OpenShift Container Platform 3.5 RPM Release Advisory
Last Updated: 2017-04-12 18:50:07 EDT
Description Takayoshi Kimura 2017-02-16 22:12:10 EST
Description of problem:

Define a template with RoleBinding, everything labeled with app=foo. The following command is expected to delete everything, but RoleBinding won't get deleted.

$ oc delete all,sa,secrets,rolebinding ... -l app=foo

Template authors/users have to do extra steps to delete everything because of this behavior.

Version-Release number of selected component (if applicable):

3.4

How reproducible:

Always

Steps to Reproduce:
1. oc policy add-role-to-user registry-editor testuser
2. oc label rolebinding registry-editor app=foo
3. oc get rolebinding registry-editor -o yaml # label exists
4. oc delete rolebinding -l app=foo # No resources found
5. oc get rolebinding -l app=foo # No resources found

Actual results:

"No resources found" using selector

Expected results:

Able to get/delete using selector

Additional info:

RoleBinding is a kind of view object and the actual object is PolicyBinding. That is probably the reason we cannot apply selectors.

oc get policybinding -o yaml
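The Doc Text above attributes the failure to how policies were listed internally when role bindings were built from them, and the reporter's note that RoleBinding is a view over the stored PolicyBinding points at the same layer. The Go program below is an added illustration of that bug class and is not code from openshift/origin or from the linked pull request. It models RoleBindings as objects projected out of a stored PolicyBinding and contrasts applying the label selector at the storage layer (where it is evaluated against PolicyBinding labels and finds nothing) with applying it to the projected RoleBindings. The type names, the storage shape, the helper functions and the sample objects are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Labels stands in for ObjectMeta.Labels (assumed shape for this example).
type Labels map[string]string

// RoleBinding is the view object `oc get rolebinding` shows; it carries its own labels.
type RoleBinding struct {
	Name    string
	Labels  Labels
	RoleRef string
	Users   []string
}

// PolicyBinding is the stored object a namespace's role bindings are projected from.
type PolicyBinding struct {
	Name         string
	Labels       Labels
	RoleBindings map[string]RoleBinding
}

// Selector is an equality-based label selector: every key=value pair must match.
type Selector map[string]string

// Matches reports whether l satisfies every requirement in s. An empty selector matches everything.
func (s Selector) Matches(l Labels) bool {
	for k, v := range s {
		if got, ok := l[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// listPolicyBindings is the storage-layer list: it filters PolicyBinding objects by
// their own labels, which is correct when the caller actually wants PolicyBindings.
func listPolicyBindings(store []PolicyBinding, sel Selector) []PolicyBinding {
	var out []PolicyBinding
	for _, pb := range store {
		if sel.Matches(pb.Labels) {
			out = append(out, pb)
		}
	}
	return out
}

// expand flattens policy bindings into the role bindings they contain, sorted by name.
func expand(pbs []PolicyBinding) []RoleBinding {
	var out []RoleBinding
	for _, pb := range pbs {
		for _, rb := range pb.RoleBindings {
			out = append(out, rb)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// listRoleBindingsBuggy reproduces the failure mode: the user's selector is passed
// straight to the policy-binding list, so it is evaluated against PolicyBinding labels.
// No PolicyBinding carries app=foo, so nothing is returned ("No resources found").
func listRoleBindingsBuggy(store []PolicyBinding, sel Selector) []RoleBinding {
	return expand(listPolicyBindings(store, sel))
}

// listRoleBindingsFixed lists all policy bindings, projects the role bindings out of
// them, and only then applies the selector to the role bindings' own labels.
func listRoleBindingsFixed(store []PolicyBinding, sel Selector) []RoleBinding {
	var out []RoleBinding
	for _, rb := range expand(listPolicyBindings(store, Selector{})) {
		if sel.Matches(rb.Labels) {
			out = append(out, rb)
		}
	}
	return out
}

// sampleStore is constructed data modelled on the reproduction steps: one policy
// binding for the default namespace holding a labelled registry-editor binding
// and an unlabelled admin binding. It is not captured from a real cluster.
func sampleStore() []PolicyBinding {
	return []PolicyBinding{{
		Name: ":default",
		RoleBindings: map[string]RoleBinding{
			"registry-editor": {Name: "registry-editor", Labels: Labels{"app": "foo"}, RoleRef: "registry-editor", Users: []string{"testuser"}},
			"admin":           {Name: "admin", RoleRef: "admin", Users: []string{"system:admin"}},
		},
	}}
}

// names returns the role binding names, the column the reporter's commands operate on.
func names(rbs []RoleBinding) []string {
	out := make([]string, 0, len(rbs))
	for _, rb := range rbs {
		out = append(out, rb.Name)
	}
	return out
}

func main() {
	sel := Selector{"app": "foo"}
	fmt.Println("buggy:", names(listRoleBindingsBuggy(sampleStore(), sel))) // []
	fmt.Println("fixed:", names(listRoleBindingsFixed(sampleStore(), sel))) // [registry-editor]
}
```

The practical consequence worth noting is that the buggy path fails silently: a selector-driven cleanup such as `oc delete rolebinding -l app=foo` reports "No resources found" and exits successfully while the grant it was meant to remove stays in place, so a cleanup routine that trusts the exit status rather than re-listing by name can leave role bindings behind.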
Comment 3 Mo 2017-02-22 22:52:38 EST
This was fixed last month in https://github.com/openshift/origin/pull/12461
$ oc policy add-role-to-user registry-editor testuser
role "registry-editor" added: "testuser"

$ oc label rolebinding registry-editor app=foo
rolebinding "registry-editor" labeled

$ oc get rolebinding registry-editor -o yaml
apiVersion: v1
groupNames: null
kind: RoleBinding
metadata:
  creationTimestamp: 2017-02-23T03:44:49Z
  labels:
    app: foo
  name: registry-editor
  namespace: default
  resourceVersion: "439"
  selfLink: /oapi/v1/namespaces/default/rolebindings/registry-editor
  uid: 6d4b53b4-f97a-11e6-abb5-507b9dac97ff
roleRef:
  name: registry-editor
subjects:
- kind: User
  name: testuser
userNames:
- testuser

$ oc get rolebinding -l app=foo
NAME              ROLE               USERS      GROUPS    SERVICE ACCOUNTS   SUBJECTS
registry-editor   /registry-editor   testuser                                

$ oc delete rolebinding -l app=foo
rolebinding "registry-editor" deleted

$ oc get rolebinding -l app=foo
No resources found.
Comment 4 Takayoshi Kimura 2017-02-22 23:48:00 EST
Good to hear it's fixed.

This is a product ticket, so I think just closing it is not the right process. We need a resolution for OpenShift 3.4, QE, doc, etc.

Can we backport this to 3.4 update?
Comment 5 Paul Weil 2017-02-23 10:18:46 EST
As this is not a critical breakage or security issue my current stance is that it does not require back porting and should be moved to ON_QA for 3.5 verification.

If a case can be made that this causes critical breakage with no acceptable work around then we can reconsider.
Comment 6 Dale Richardson 2017-02-23 19:04:11 EST
Hello, the bug-fix listed at https://github.com/openshift/origin/pull/12461 did not test for the delete use case, and had a comment from a tester that master tree post-merge still did not support delete.  Can you add a test case for delete to confirm the correct behaviour?

Thanks,
Dale.
Comment 7 Mo 2017-02-23 19:12:36 EST
@Dale I confirmed the delete use case in comment 3

An extra test would not hurt of course.
Comment 8 Dale Richardson 2017-02-23 19:25:56 EST
Hi Mo,
Thanks for the response - was your test on the code fix branch, or the master branch post-merge?  I was a little bit curious given the comment about deletes not working post-merge.

Regards,
Dale.
Comment 9 Mo 2017-02-23 19:42:50 EST
Definitely a recent version of master.
Comment 10 Dale Richardson 2017-02-23 20:13:39 EST
Happy to wait for 3.5 to roll out.
Comment 11 Chuan Yu 2017-02-24 01:39:42 EST
Verified with latest 3.5 puddle,
# openshift version
openshift v3.5.0.33
kubernetes v1.5.2+43a9be4
etcd 3.1.0

Here is my step:
$ oc policy add-role-to-user registry-editor testuser
role "registry-editor" added: "testuser"

$ oc label rolebinding registry-editor app=foo
rolebinding "registry-editor" labeled

$ oc get rolebinding registry-editor -o yaml
  rolebinding with label app=foo

$ oc get rolebinding -l app=foo
NAME              ROLE               USERS      GROUPS    SERVICE ACCOUNTS   SUBJECTS
registry-editor   /registry-editor   testuser

$ oc delete rolebinding -l app=foo
rolebinding "registry-editor" deleted

$ oc get rolebinding -l app=foo
No resources found.
Comment 13 errata-xmlrpc 2017-04-12 15:13:16 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
