Bug 1467292 - The detailed user names are not listed when describing clusterPolicyBindings
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Unspecified Unspecified
low Severity low
Assigned To: Jordan Liggitt
Chuan Yu
Reported: 2017-07-03 06:17 EDT by Xia Zhao
Modified: 2017-07-10 22:46 EDT
Last Closed: 2017-07-10 17:38:33 EDT
Type: Bug

Description Xia Zhao 2017-07-03 06:17:08 EDT
Description of problem:
The detailed user names are not listed when describing clusterPolicyBindings

Version-Release number of selected component (if applicable):
# openshift version
openshift v3.6.131
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

How reproducible:

Steps to Reproduce:
1. For "oadm policy add-cluster-role-to-group" scenario:
# oadm groups new testing
# oadm groups add-users testing testing-admin
# oadm policy add-cluster-role-to-group cluster-admin testing
# oc describe clusterPolicyBindings :default | grep 'RoleBinding\[cluster-admin\]' -A 5
2. For "oadm policy add-cluster-role-to-user" scenario:
# oadm policy add-cluster-role-to-user cluster-admin xiazhao
# oc describe clusterPolicyBindings :default | grep 'RoleBinding\[cluster-admin\]' -A 5

Actual results:
The detailed user names are not listed when describing clusterPolicyBindings:
# oc describe clusterPolicyBindings :default | grep 'RoleBinding\[cluster-admin\]' -A 5
                                            Role:            cluster-admin
                                            Users:            <none>
                                            Groups:            system:masters, testing
                                            ServiceAccounts:    <none>
                                            Subjects:        <none>

Expected results:
Should list the detailed group user names when describing clusterPolicyBindings, like this:
                                            Role:            cluster-admin
                                            Users:           testing-admin, xiazhao
                                            Groups:            system:masters, testing

Additional info:
The group names are listed
Comment 1 Jordan Liggitt 2017-07-10 17:38:33 EDT
Members of groups are not expanded/materialized in role bindings.
Comment 2 Xia Zhao 2017-07-10 21:58:28 EDT
@jliggitt May I know what the reason is? It's confusing that OpenShift knows which users belong to which group, but still populates an empty user list in this command line, which seems inconvenient to the customer.
Comment 3 Jordan Liggitt 2017-07-10 22:46:41 EDT
When a role is bound to a group, it is inaccurate to display it as being bound to a user that is a member of that group.

Also, other users could be members of that group (for example, x509-certificate-based users whose group information is in the x509 certificate, not in the Group API object).
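
An added example (not part of the bug thread and not OpenShift code) of auditing who holds cluster-admin without treating group members as bound users: it reports direct user bindings, members known from Group API objects, and bound groups that have no Group API object. The JSON is constructed sample data, and its field layout (`subjects[].kind`, `Group.users`) is an assumed, simplified form of `oc get ... -o json` output.

```python
import json

# Constructed sample data, shaped like `oc get clusterrolebinding cluster-admin -o json`
# and `oc get groups -o json` (assumed, simplified field layout).
BINDING = json.loads("""
{"roleRef": {"name": "cluster-admin"},
 "subjects": [
   {"kind": "SystemGroup", "name": "system:masters"},
   {"kind": "Group", "name": "testing"},
   {"kind": "User", "name": "xiazhao"}]}
""")
GROUPS = json.loads("""
{"items": [{"metadata": {"name": "testing"}, "users": ["testing-admin"]}]}
""")

GROUP_KINDS = {"Group", "SystemGroup"}
USER_KINDS = {"User", "SystemUser"}


def audit_binding(binding, groups):
    """Separate direct user bindings from access inherited through groups."""
    members = {g["metadata"]["name"]: g.get("users") or [] for g in groups["items"]}
    report = {"role": binding["roleRef"]["name"], "direct_users": [],
              "via_group": {}, "unresolved_groups": []}
    for subject in binding.get("subjects") or []:
        kind, name = subject["kind"], subject["name"]
        if kind in USER_KINDS:
            report["direct_users"].append(name)
        elif kind in GROUP_KINDS:
            if name in members:
                # Lower bound only: certificate-asserted members are not listed here.
                report["via_group"][name] = sorted(members[name])
            else:
                # No Group API object: membership is asserted elsewhere (e.g. x509 cert).
                report["unresolved_groups"].append(name)
        # Other kinds (e.g. ServiceAccount) are out of scope for this example.
    return report


if __name__ == "__main__":
    print(json.dumps(audit_binding(BINDING, GROUPS), indent=2))
```

Entries under `via_group` are a lower bound on who has the role, and every name in `unresolved_groups` needs its membership checked at the identity source, such as the certificates issued with that group.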
