Description of problem:
The detailed user names are not listed when describing clusterPolicyBindings

Version-Release number of selected component (if applicable):
    # openshift version
    openshift v3.6.131
    kubernetes v1.6.1+5115d708d7
    etcd 3.2.1

How reproducible:
Always

Steps to Reproduce:
1. For "oadm policy add-cluster-role-to-group" scenario:
    # oadm groups new testing
    NAME      USERS
    testing
    # oadm groups add-users testing testing-admin
    # oadm policy add-cluster-role-to-group cluster-admin testing
    # oc describe clusterPolicyBindings :default | grep 'RoleBinding\[cluster-admin\]' -A 5

2. For "oadm policy add-cluster-role-to-user" scenario:
    # oadm policy add-cluster-role-to-user cluster-admin xiazhao
    # oc describe clusterPolicyBindings :default | grep 'RoleBinding\[cluster-admin\]' -A 5

Actual results:
The detailed user names are not listed when describing clusterPolicyBindings:
    # oc describe clusterPolicyBindings :default | grep 'RoleBinding\[cluster-admin\]' -A 5
    RoleBinding[cluster-admin]:
        Role: cluster-admin
        Users: <none>
        Groups: system:masters, testing
        ServiceAccounts: <none>
        Subjects: <none>

Expected results:
Should list the detailed group user names when describing clusterPolicyBindings, like this:
    RoleBinding[cluster-admin]:
        Role: cluster-admin
        Users: testing-admin, xiazhao
        Groups: system:masters, testing
        ...

Additional info:
The group names are listed

Members of groups are not expanded/materialized in role bindings

@jliggitt May I know what the reason is? It's confusing that OpenShift knows which users belong to which group but still populates an empty user list in this command line, which seems inconvenient to customers.

When a role is bound to a group, it is inaccurate to display it as being bound to a user that is a member of that group. Also, other users could be members of that group (for example, x509-certificate-based users whose group information is in the x509 certificate, not in the Group API object).
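
For auditing who effectively holds a role, the distinction drawn in the reply above can be kept explicit instead of flattening it into one user list. The following is an added example, not part of the original thread or of OpenShift's code: the function name, the constructed sample data and the assumed field names (`userNames`, `groupNames`, `users`, modelled on `oc get ... -o json` output) are illustrative assumptions.

```python
"""Audit sketch: who holds a cluster role directly, and who holds it via a group."""

# Constructed sample data. Field names are assumed to mirror the items returned
# by `oc get clusterrolebindings -o json` and `oc get groups -o json`.
ROLE_BINDINGS = [
    {"roleRef": {"name": "cluster-admin"},
     "userNames": ["xiazhao"],
     "groupNames": ["system:masters", "testing"]},
    {"roleRef": {"name": "view"}, "userNames": ["someone"], "groupNames": []},
]
GROUPS = [{"metadata": {"name": "testing"}, "users": ["testing-admin"]}]


def effective_subjects(role, bindings, groups):
    """Return direct users, group-derived users and unresolvable groups for a role.

    Users found through a Group object are a lower bound only: an authenticator
    (for example an x509 client certificate) can assert group membership that
    never appears in the Group API object.
    """
    members = {g["metadata"]["name"]: g.get("users") or [] for g in groups}
    direct, via_group, unresolved = set(), {}, set()
    for binding in bindings:
        if binding["roleRef"]["name"] != role:
            continue
        direct.update(binding.get("userNames") or [])
        for group_name in binding.get("groupNames") or []:
            if group_name in members:
                via_group.setdefault(group_name, set()).update(members[group_name])
            else:
                # No Group object: membership comes from the credential itself
                # (e.g. system:masters), so it cannot be enumerated from the API.
                unresolved.add(group_name)
    return {
        "direct": sorted(direct),
        "via_group": {name: sorted(users) for name, users in sorted(via_group.items())},
        "unresolved_groups": sorted(unresolved),
    }


if __name__ == "__main__":
    report = effective_subjects("cluster-admin", ROLE_BINDINGS, GROUPS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Groups reported under `unresolved_groups` need review at the credential source (certificate issuance, identity provider mappings), because no API listing can show their members.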