
Bug 1423215

Summary: [RFE] rolebinding selector support
Product: OpenShift Container Platform
Reporter: Takayoshi Kimura <tkimura>
Component: apiserver-auth
Assignee: Mo <mkhan>
Status: CLOSED ERRATA
QA Contact: Chuan Yu <chuyu>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.4.0
CC: aos-bugs, Dale.Richardson4, jokerman, mfojtik, mkhan, mmccomas, pweil, tdawson
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: A bug existed in how policies are listed internally when used to build role bindings. Consequence: Filtering of role bindings based on selectors did not work correctly. Fix: The internal listing of policies was updated to the correct behavior. Result: Filtering of role bindings based on selectors works as expected now.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-12 19:13:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Takayoshi Kimura 2017-02-17 03:12:10 UTC
Description of problem:

Define a template with RoleBinding, everything labeled with app=foo. The following command is expected to delete everything, but RoleBinding won't get deleted.

$ oc delete all,sa,secrets,rolebinding ... -l app=foo

Template authors/users have to do extra steps to delete everything because of this behavior.

Version-Release number of selected component (if applicable):

3.4

How reproducible:

Always

Steps to Reproduce:
1. oc policy add-role-to-user registry-editor testuser
2. oc label rolebinding registry-editor app=foo
3. oc get rolebinding registry-editor -o yaml # label exists
4. oc delete rolebinding -l app=foo # No resources found
5. oc get rolebinding -l app=foo # No resources found

Actual results:

"No resources found" using selector

Expected results:

Able to get/delete using selector

Additional info:

RoleBinding is a kind of view object and the actual object is PolicyBinding. That is probably the reason we cannot apply selectors.

oc get policybinding -o yaml
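The report's "Additional info" is the key point: RoleBinding objects are a view materialised from PolicyBinding storage, so a label selector given to `oc get` or `oc delete rolebinding -l ...` has to be evaluated against the labels of each materialised RoleBinding, not against the backing object. The following is an added, self-contained example (not code from this bug or from openshift/origin) that models that flattening step and applies a Kubernetes-style label selector on top of it. The PolicyBinding/RoleBinding layout, the field names and the sample objects are constructed assumptions for illustration, loosely shaped after the `registry-editor` binding shown later in this bug; they are not the real API schema.

```python
"""Label-selector filtering over RoleBinding views built from PolicyBindings.

Added example, not code from the bug or from openshift/origin. The storage
layout below is an assumed, simplified model of "RoleBinding is a view object
and the actual object is PolicyBinding"; field names are not the real schema.
"""
import copy
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample storage: two PolicyBindings (one per namespace), each
# holding several RoleBindings. Only "registry-editor" carries app=foo.
POLICY_BINDINGS = [
    {
        "metadata": {"name": ":default", "namespace": "default"},
        "roleBindings": [
            {"metadata": {"name": "registry-editor", "labels": {"app": "foo"}},
             "roleRef": {"name": "registry-editor"}, "userNames": ["testuser"]},
            {"metadata": {"name": "admin", "labels": {}},
             "roleRef": {"name": "admin"}, "userNames": ["alice"]},
        ],
    },
    {
        "metadata": {"name": ":default", "namespace": "other"},
        "roleBindings": [
            {"metadata": {"name": "view", "labels": {"app": "bar", "tier": "web"}},
             "roleRef": {"name": "view"}, "userNames": ["bob"]},
        ],
    },
]

Matcher = Callable[[Dict[str, str]], bool]
_SET_RE = re.compile(r"^(\S+)\s+(in|notin)\s+\((.*)\)$")


def _split_terms(selector: str) -> List[str]:
    """Split on top-level commas only, so 'app in (a,b)' stays one term."""
    terms, depth, cur = [], 0, ""
    for ch in selector:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            terms.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        terms.append(cur.strip())
    return terms


def _requirement(term: str) -> Matcher:
    """One selector requirement: key=value, key!=value, key in (...),
    key notin (...), key (exists) or !key (absent). As in Kubernetes,
    '!=' and 'notin' also match objects that lack the key entirely."""
    m = _SET_RE.match(term)
    if m:
        key, op = m.group(1), m.group(2)
        values = {v.strip() for v in m.group(3).split(",")}
        if op == "in":
            return lambda labels: labels.get(key) in values
        return lambda labels: labels.get(key) not in values
    if "!=" in term:
        key, value = (s.strip() for s in term.split("!=", 1))
        return lambda labels: labels.get(key) != value
    if "=" in term:
        key, value = (s.strip() for s in term.replace("==", "=").split("=", 1))
        return lambda labels: labels.get(key) == value
    if term.startswith("!"):
        key = term[1:].strip()
        return lambda labels: key not in labels
    key = term.strip()
    return lambda labels: key in labels


def parse_selector(selector: str) -> Matcher:
    """Build a predicate for a selector such as "app=foo,tier!=db"; an empty
    selector matches everything, as with `oc get` without -l."""
    requirements = [_requirement(t) for t in _split_terms(selector)]
    return lambda labels: all(r(labels) for r in requirements)


def list_rolebindings(policy_bindings: List[dict], selector: str = "") -> List[dict]:
    """Flatten PolicyBindings into RoleBinding views, then filter the views.
    The selector is applied to each view's own labels, which is what makes
    `oc get rolebinding -l app=foo` return the labelled binding."""
    matches = parse_selector(selector)
    views = []
    for pb in policy_bindings:
        ns = pb["metadata"]["namespace"]
        for rb in pb["roleBindings"]:
            view = {**rb, "metadata": {**rb["metadata"], "namespace": ns}}
            if matches(view["metadata"].get("labels") or {}):
                views.append(view)
    return views


def names(policy_bindings: List[dict], selector: str = "") -> List[str]:
    """Convenience: "namespace/name" of every matching RoleBinding view."""
    return [f'{v["metadata"]["namespace"]}/{v["metadata"]["name"]}'
            for v in list_rolebindings(policy_bindings, selector)]


def delete_rolebindings(policy_bindings: List[dict], selector: str) -> Tuple[List[dict], List[str]]:
    """Model `oc delete rolebinding -l <selector>`: drop matching bindings
    from the backing PolicyBindings. Pure: returns (remaining, deleted_names)."""
    matches = parse_selector(selector)
    remaining = copy.deepcopy(policy_bindings)
    deleted = []
    for pb in remaining:
        ns = pb["metadata"]["namespace"]
        kept = []
        for rb in pb["roleBindings"]:
            if matches(rb["metadata"].get("labels") or {}):
                deleted.append(f'{ns}/{rb["metadata"]["name"]}')
            else:
                kept.append(rb)
        pb["roleBindings"] = kept
    return remaining, deleted


if __name__ == "__main__":
    print("get -l app=foo   :", names(POLICY_BINDINGS, "app=foo"))
    left, gone = delete_rolebindings(POLICY_BINDINGS, "app=foo")
    print("delete -l app=foo:", gone)
    print("get -l app=foo   :", names(left, "app=foo"))
```

Running the module reproduces the sequence from the report: the labelled binding is listed, deleted, and then no longer found; bindings without the `app` label are untouched, which is the behaviour a template author relies on when cleaning up with `-l app=foo`.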

Comment 3 Mo 2017-02-23 03:52:38 UTC
This was fixed last month in https://github.com/openshift/origin/pull/12461

$ oc policy add-role-to-user registry-editor testuser
role "registry-editor" added: "testuser"

$ oc label rolebinding registry-editor app=foo
rolebinding "registry-editor" labeled

$ oc get rolebinding registry-editor -o yaml
apiVersion: v1
groupNames: null
kind: RoleBinding
metadata:
  creationTimestamp: 2017-02-23T03:44:49Z
  labels:
    app: foo
  name: registry-editor
  namespace: default
  resourceVersion: "439"
  selfLink: /oapi/v1/namespaces/default/rolebindings/registry-editor
  uid: 6d4b53b4-f97a-11e6-abb5-507b9dac97ff
roleRef:
  name: registry-editor
subjects:
- kind: User
  name: testuser
userNames:
- testuser

$ oc get rolebinding -l app=foo
NAME              ROLE               USERS      GROUPS    SERVICE ACCOUNTS   SUBJECTS
registry-editor   /registry-editor   testuser                                

$ oc delete rolebinding -l app=foo
rolebinding "registry-editor" deleted

$ oc get rolebinding -l app=foo
No resources found.

Comment 4 Takayoshi Kimura 2017-02-23 04:48:00 UTC
Good to hear it's fixed.

This is a product ticket, so I think just closing it is not the right process. We need a resolution for OpenShift 3.4, QE, doc, etc.

Can we backport this to 3.4 update?

Comment 5 Paul Weil 2017-02-23 15:18:46 UTC
As this is not a critical breakage or security issue my current stance is that it does not require back porting and should be moved to ON_QA for 3.5 verification.

If a case can be made that this causes critical breakage with no acceptable work around then we can reconsider.

Comment 6 Dale Richardson 2017-02-24 00:04:11 UTC
Hello, the bug-fix listed at https://github.com/openshift/origin/pull/12461 did not test for the delete use case, and had a comment from a tester that master tree post-merge still did not support delete. Can you add a test case for delete to confirm the correct behaviour?

Thanks,
Dale.

Comment 7 Mo 2017-02-24 00:12:36 UTC
@Dale I confirmed the delete use case in comment 3

An extra test would not hurt of course.

Comment 8 Dale Richardson 2017-02-24 00:25:56 UTC
Hi Mo,
Thanks for the response - was your test on the code fix branch, or the master branch post-merge?  I was a little bit curious given the comment about deletes not working post-merge.

Regards,
Dale.

Comment 9 Mo 2017-02-24 00:42:50 UTC
Definitely a recent version of master.

Comment 10 Dale Richardson 2017-02-24 01:13:39 UTC
Happy to wait for 3.5 to roll out.

Comment 11 Chuan Yu 2017-02-24 06:39:42 UTC
Verified with latest 3.5 puddle,
# openshift version
openshift v3.5.0.33
kubernetes v1.5.2+43a9be4
etcd 3.1.0

Here is my step:
$ oc policy add-role-to-user registry-editor testuser
role "registry-editor" added: "testuser"

$ oc label rolebinding registry-editor app=foo
rolebinding "registry-editor" labeled

$ oc get rolebinding registry-editor -o yaml
  rolebinding with label app=foo

$ oc get rolebinding -l app=foo
NAME              ROLE               USERS      GROUPS    SERVICE ACCOUNTS   SUBJECTS
registry-editor   /registry-editor   testuser 
                               
$ oc delete rolebinding -l app=foo
rolebinding "registry-editor" deleted

$ oc get rolebinding -l app=foo
No resources found.

Comment 13 errata-xmlrpc 2017-04-12 19:13:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884