This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1463043 - Unable to add view role to second user in project
Unable to add view role to second user in project
Status: CLOSED NOTABUG
Product: OpenShift Online
Classification: Red Hat
Component: Auth (Show other bugs)
3.x
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Jordan Liggitt
Chuan Yu
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-19 22:01 EDT by Chris Ryan
Modified: 2017-06-19 22:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-19 22:22:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chris Ryan 2017-06-19 22:01:08 EDT
Description of problem:
Granting a second user 'view' permissions in a project is forbidden

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Create a project
2. Create an application from the web console, i.e. https://github.com/openshift/nodejs-ex.git
3. Wait until the service is ready and the nodejs-sample-1 build have completed
4. Add the view role to the second user:
oc policy add-role-to-user view user2

Actual results:
Error from server (Forbidden): rolebindings "view" is forbidden: rolebindings to User "user2" are not allowed in project "v2w5c"

Expected results:
The user2 user could be granted view permissions

Additional info:
Comment 2 Chuan Yu 2017-06-19 22:15:12 EDT
Would you please get the output 'oc get rolebindingrestriction' in you project?
Comment 3 Jordan Liggitt 2017-06-19 22:15:22 EDT
Are RoleBindingRestrictions being used in this environment?

https://github.com/openshift/openshift-docs/blob/master/admin_solutions/user_role_mgmt.adoc#role-binding-restriction
Comment 5 Jordan Liggitt 2017-06-19 22:22:42 EDT
so, the default in that environment is that you can only grant access to serviceaccounts in that project, not to other users

Note You need to log in before you can comment on or make changes to this bug.