Bug 1472743 - Output of `oc describe sc` should be enhanced
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: 3.7.0
Assigned To: Tomas Smetana
QA Contact: Jianwei Hou
Reported: 2017-07-19 06:15 EDT by chaoyang
Modified: 2018-01-16 02:14 EST
Last Closed: 2018-01-16 02:14:14 EST
Type: Bug
Description chaoyang 2017-07-19 06:15:09 EDT
Description of problem:
Output of `oc describe sc` should be enhanced
Version-Release number of selected component (if applicable):
oc v3.6.153
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ip-172-18-8-234.ec2.internal:8443
openshift v3.6.153
kubernetes v1.6.1+5115d708d7


How reproducible:
Always

Steps to Reproduce:
1. Log in to OCP as a normal user
2. oc get sc
NAME      TYPE
foo       kubernetes.io/aws-ebs
3. oc describe sc foo
Error from server (Forbidden): User "chaoyang" cannot list all events in the cluster


Actual results:
The output is Error from server (Forbidden): User "chaoyang" cannot list all events in the cluster


Expected results:
The output should be like Error from server (Forbidden): User "chaoyang" cannot list storageclasses.storage.k8s.io at the cluster scope

Additional info:
oc describe pv regpv-volume
Error from server (Forbidden): User "chaoyang" cannot get persistentvolumes at the cluster scope
Comment 1 Jan Safranek 2017-07-24 07:28:04 EDT
> oc describe pv regpv-volume
> Error from server (Forbidden): User "chaoyang" cannot get persistentvolumes at the cluster scope

This is expected; users can't see PersistentVolumes.

> oc describe sc foo
> Error from server (Forbidden): User "chaoyang" cannot list all events in the cluster

This is a bug
Comment 2 Jan Safranek 2017-07-24 07:45:43 EDT
How did you create your "chaoyang" user? What role bindings does it have?
Comment 4 Tomas Smetana 2018-01-15 09:08:41 EST
Tested with latest origin.

The basic-user ClusterRole is allowed to list and describe StorageClasses by default, and even if I manually remove the corresponding API access from basic-user, I get the following error:

[tsmetana@openlmi yaml]$ oc describe sc foo
Error from server (Forbidden): storageclasses.storage.k8s.io "foo" is forbidden: User "tsmetana" cannot get storageclasses.storage.k8s.io at the cluster scope: User "tsmetana" cannot get storageclasses.storage.k8s.io at the cluster scope

Looks like the error message now describes the error quite correctly. If you agree, I would close this bug.
Comment 5 chaoyang 2018-01-16 01:10:55 EST
Yes, please close this bug.
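
Added example, not part of the original bug or of the oc code base: a small triage helper that parses the two Forbidden message styles quoted in this thread and reports whether the denied resource is the one being described or a different one. It assumes a denial on another resource (such as `events`) comes from an additional API call that `oc describe` makes for the object; the names `parse_denials` and `triage` are hypothetical.

```python
import re

# Denial clause shared by both message styles quoted in this bug:
#   User "<name>" cannot <verb> [all] <resource> (at the cluster scope | in the cluster)
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) (?:all )?'
    r'(?P<resource>[a-z0-9.\-]+) (?:at the cluster scope|in the cluster)'
)

# Error lines copied from this bug report.
OLD_STYLE = ('Error from server (Forbidden): User "chaoyang" cannot list all '
             'events in the cluster')
NEW_STYLE = ('Error from server (Forbidden): storageclasses.storage.k8s.io "foo" '
             'is forbidden: User "tsmetana" cannot get storageclasses.storage.k8s.io '
             'at the cluster scope: User "tsmetana" cannot get '
             'storageclasses.storage.k8s.io at the cluster scope')


def parse_denials(line):
    """Return unique (user, verb, resource) tuples from one error line, in order."""
    found = []
    for m in DENIAL.finditer(line):
        # Drop the API group suffix: storageclasses.storage.k8s.io -> storageclasses
        denial = (m.group("user"), m.group("verb"), m.group("resource").split(".")[0])
        if denial not in found:  # the newer message repeats its clause
            found.append(denial)
    return found


def triage(described, line):
    """Label each denial: on the described resource itself, or on another call."""
    return [
        {"user": u, "verb": v, "resource": r,
         "denied": "object" if r == described else "secondary"}
        for u, v, r in parse_denials(line)
    ]


if __name__ == "__main__":
    for text in (OLD_STYLE, NEW_STYLE):
        print(triage("storageclasses", text))
```

A "secondary" result means the message names a permission other than access to the described object, which is the confusing case reported here.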