Bug 1425398 - [Auth] Issues for option -z supported for long service account name in the oc policy command
Summary: [Auth] Issues for option -z supported for long service account name in the oc...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: ---
Target Release: 3.7.0
Assignee: Maciej Szulik
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-02-21 10:40 UTC by Chuan Yu
Modified: 2019-11-21 18:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Service account names were not properly validated. Consequence: The command failed silently when invoked with a long-form SA name. Fix: Properly validate long-form SA names. Result: The oc policy command now returns an error when a long-form SA name is used.
Clone Of:
Environment:
Last Closed: 2019-11-21 18:38:08 UTC
Target Upstream Version:
Embargoed:



Description Chuan Yu 2017-02-21 10:40:10 UTC
Description of problem:
There are issues with the -z option's support for long service account names in the 'oc policy' command.

Version-Release number of selected component (if applicable):
# openshift version
openshift v3.5.0.32-1+4f84c83
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
always

Steps to Reproduce:
1. Run a command to grant the project admin permission to a service account, using the long service account name, such as 'oc policy add-role-to-user admin -z system:serviceaccount:test:default -n test'.
2. Run the same command with the long service account name, but with a namespace in the name that differs from the one given by the -n option, such as 'oc policy add-role-to-user admin -z system:serviceaccount:abc:default -n test'.

Actual results:
1. The service account system:serviceaccount:test:default still does not have the project admin permission as configured.
2. No error is reported.

Expected results:
1. Logging in as the service account system:serviceaccount:test:default should give admin permission on the test project.
2. An error should be reported for the mix-and-match issue between -n and the SA namespace.

Additional info:

Comment 1 Mo 2017-02-23 04:10:13 UTC
IMHO this is not a bug.  Per the docs:

-z, --serviceaccount=[]: service account in the current namespace to use as a user

Thus -z always refers to SAs in the current namespace.  Therefore specifying the long name is invalid as that is just a construct used to refer to arbitrary SAs from cluster scope.

Comment 2 Paul Weil 2017-02-23 13:02:36 UTC
Agreed that -z is meant to be for the service account in the current namespace as per the doc and is not meant to accept the long form or reference a non-current namespace.

Comment 3 Chuan Yu 2017-02-24 02:59:17 UTC
If -z does not accept the long-form naming, then the command should raise an error when it is used.

Comment 4 Juan Vallejo 2017-10-26 21:00:56 UTC
Origin PR: https://github.com/openshift/origin/pull/17061

Comment 5 openshift-github-bot 2017-10-30 19:21:01 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/d70ebd6f21d8e601ebaa6111842e76d47d248903
return error on long-form or invalid sa name

bug: 1425398
Returns an error when the long-form name of a ServiceAccount is used
with the --serviceaccount (-z) flag in `oc policy ...' commands, or
if the name given is invalid.
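The behaviour the commit message describes, written out as an added example rather than the code from the linked PR: a -z value is accepted only when it is a short name that can be a valid ServiceAccount object name, and the long form (which the old behaviour silently treated as a literal name in the current namespace) is rejected. The function names and the DNS-1123 label pattern are assumptions of this example, not identifiers from the origin repository.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// longFormPrefix is the cluster-scoped prefix used in the bug report
// ("system:serviceaccount:<namespace>:<name>").
const longFormPrefix = "system:serviceaccount:"

// dns1123Label approximates the Kubernetes object-name rules a ServiceAccount
// must satisfy: lowercase alphanumerics and '-', not starting or ending with '-'.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// ValidateServiceAccountFlag checks one value passed to -z/--serviceaccount.
// Hypothetical helper: it rejects the long form (so a mismatch between the
// embedded namespace and -n can no longer go unnoticed) and any value that
// could not be a valid ServiceAccount name.
func ValidateServiceAccountFlag(name string) error {
	if strings.HasPrefix(name, longFormPrefix) {
		return fmt.Errorf("%q is a long-form service account name; -z takes only the short name of a service account in the current namespace", name)
	}
	if len(name) == 0 || len(name) > 63 || !dns1123Label.MatchString(name) {
		return fmt.Errorf("%q is not a valid service account name", name)
	}
	return nil
}

// ResolveSubject returns the cluster-scoped subject that a valid short name
// resolves to in the namespace selected by -n.
func ResolveSubject(namespace, name string) (string, error) {
	if err := ValidateServiceAccountFlag(name); err != nil {
		return "", err
	}
	return longFormPrefix + namespace + ":" + name, nil
}

func main() {
	// Constructed inputs: the reporter's long form, a bad name, and a short name.
	for _, n := range []string{"system:serviceaccount:test:default", "Bad_Name", "default"} {
		if subj, err := ResolveSubject("test", n); err != nil {
			fmt.Println("error:", err)
		} else {
			fmt.Println("would bind:", subj)
		}
	}
}
```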

Comment 6 Chuan Yu 2017-11-03 08:24:32 UTC
Verified.
# openshift version
openshift v3.7.0-0.190.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

