Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1426118

Summary: Web should not add user to rolebinding again if the user is already in it
Product: OpenShift Container Platform Reporter: Yanping Zhang <yanpzhan>
Component: Management ConsoleAssignee: bpeterse
Status: CLOSED CURRENTRELEASE QA Contact: Yadan Pei <yapei>
Severity: low Docs Contact:
Priority: medium    
Version: 3.5.0CC: aos-bugs, bpeterse, jforrest, jokerman, mmccomas, spadgett, xiaocwan, xxia, yapei
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: 1388060 Environment:
Last Closed: 2017-05-22 20:02:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yanping Zhang 2017-02-23 08:57:37 UTC 
This bug is reproduced on openshift v3.5.0.32-1+4f84c83

+++ This bug was initially created as a clone of Bug #1388060 +++

Description of problem:
Web should not add user to rolebinding again if the user is already in it

Version-Release number of selected component (if applicable):
v3.4.0.14

How reproducible:
Always

Steps to Reproduce:
1. Login to web console, create project
2. Go to "Resources" -> "Membership", click "Edit Membership"
3.
1> Add role to user: input user name "bob", select "view", click "Add"
2> Then check rolebinding in CLI:
$ oc get rolebinding view

4. Do step 3 again.

Actual results:
3.
2> It shows:
view                    /view                      bob

4. 
2> It adds bob twice and shows:
view                    /view                      bob, bob

Expected results:
4.
2> Should not add bob again into the rolebinding. Because:
A. If step 4 is done via CLI `oc policy add-role-to-user view bob`, bob is not added again.
B. https://github.com/openshift/origin-web-console/pull/562#issue-178108708 says it: "On add, check for duplicates,do not add a user/group/etc to a rolebinding if already present in the specified rolebinding"

Additional info:

--- Additional comment from  on 2016-11-02 04:36:09 CST ---

PR open for this https://github.com/openshift/origin-web-console/pull/788

--- Additional comment from Jessica Forrester on 2016-11-08 22:44:56 CST ---

This was fixed

--- Additional comment from Xingxing Xia on 2016-11-09 10:26:35 CST ---

Verified in openshift v3.4.0.23+24b1a58. Now duplicate adding is checked and will prompt message: the role is already granted to user.
I'd like to move to VERIFIED (skip the ON_QA status)
Thank you :)
Comment 1 bpeterse 2017-02-23 14:41:27 UTC 
Looking at this.  Off the top of my head its probably <project1> bob, <project2> bob, from adding the namespace picker for service accounts, but not dropping the namespace for users.
Comment 2 bpeterse 2017-02-23 15:37:16 UTC 
PR open https://github.com/openshift/origin-web-console/pull/1295
Comment 3 openshift-github-bot 2017-02-23 16:41:49 UTC 
Commit pushed to master at https://github.com/openshift/origin-web-console

https://github.com/openshift/origin-web-console/commit/07f75c4732c581b6ce09baa51e19e461aee09ac7
Fix bug 1426118, ignore namespace except for service account
Comment 4 XiaochuanWang 2017-05-10 02:12:09 UTC 
Verified on:
oc                    v3.5.5.13
OpenShift Master:     v3.5.5.13
Kubernetes Master:    v1.5.2+43a9be4 

Web console will pop up message 'The role "view" has already been granted to "test"' when add same role to the user again.

From oc:
# oc get rolebinding view 
NAME      ROLE      USERS     GROUPS    SERVICE ACCOUNTS   SUBJECTS
view      /view     user1