Bug 1507730 - Bug of Delete ServiceAccount Rolebinding from WebUI
Summary: Bug of Delete ServiceAccount Rolebinding from WebUI
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.7.0
Assignee: bpeterse
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-31 02:45 UTC by wangzhida
Modified: 2017-11-28 22:20 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Previously, deleting a service account rolebinding from the web UI ignored the service account's namespace. If service accounts from different namespaces had the same name, the delete action under the service account tab could delete multiple service account rolebindings.
Consequence: Additional rolebindings could be deleted, requiring the user to recreate them.
Fix: The delete action on the SA tab now respects the namespace and only deletes the specified SA rolebinding from the correct namespace.
Result: The bug is fixed.
Clone Of:
Environment:
Last Closed: 2017-11-28 22:20:29 UTC
Target Upstream Version:



Links
System: Red Hat Product Errata
ID: RHSA-2017:3188
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update
Last Updated: 2017-11-29 02:34:54 UTC

Description wangzhida 2017-10-31 02:45:05 UTC
Created attachment 1345694
operations provided from customer, please do not share outside Red Hat

Description of problem:
- This is an issue when deleting a serviceaccount rolebinding from a project via the web UI. A project contains two role bindings with the same SA name but different namespaces, such as pro1/test and pro2/test, bound to the same role (e.g. view). If I delete one of the two, the other one is also deleted. However, deleting via the oc command works normally.


Version-Release number of selected component (if applicable):
- the issue was reported by a customer in 3.5 and can be reproduced in 3.6 too.


How reproducible:
- refer to the steps below

Steps to Reproduce:
1. Log in to the Web UI and create two projects (e.g. pro1, pro2)
2. Navigate to "project--resource--membership--service account"
3. Add two rolebindings to this project (e.g. pro1/default->view, pro2/default->view) and click "done editing"
4. Re-edit the settings and delete one of the above two, and find that the other one has also been deleted

Actual results:
- delete either one and find that the other one has also been deleted (e.g. delete pro1/default and pro2/default disappears too)

Expected results:
- delete one service account role binding should not affect the others

Additional info:
- this issue can be reproduced no matter what the serviceaccount/role is.
- deleting a rolebinding via the oc command doesn't have this issue:
  $ oadm policy remove-role-from-user <role> system:serviceaccount:<project>:<serviceaccount>
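
The subject matching behind the behaviour reported above, as an added example that is not part of the original report and is not the origin-web-console code. The function names and the sample RoleBinding are hypothetical and constructed; the first function matches on kind and name only, the second also requires the namespace.

```javascript
// Constructed sample: one RoleBinding granting "view" to the "default"
// service account of two namespaces, as in step 3 of the report.
function sampleBinding() {
  return {
    kind: 'RoleBinding',
    metadata: { name: 'view', namespace: 'pro1' },
    roleRef: { name: 'view' },
    subjects: [
      { kind: 'ServiceAccount', name: 'default', namespace: 'pro1' },
      { kind: 'ServiceAccount', name: 'default', namespace: 'pro2' },
      { kind: 'ServiceAccount', name: 'builder', namespace: 'pro1' }
    ]
  };
}

// Reported behaviour (hypothetical reconstruction): the subject is matched on
// kind and name only, so every same-named service account loses the role.
function removeSubjectIgnoringNamespace(binding, kind, name) {
  const subjects = binding.subjects.filter(
    (s) => !(s.kind === kind && s.name === name));
  return Object.assign({}, binding, { subjects });
}

// Namespace-aware removal: a service account is identified by kind, name and
// namespace. A ServiceAccount target without a namespace is rejected instead
// of being treated as "any namespace".
function removeSubject(binding, target) {
  if (target.kind === 'ServiceAccount' && !target.namespace) {
    throw new Error('ServiceAccount subject requires a namespace');
  }
  const same = (s) => s.kind === target.kind && s.name === target.name &&
    (s.namespace || '') === (target.namespace || '');
  const subjects = binding.subjects.filter((s) => !same(s));
  return Object.assign({}, binding, { subjects });
}

// Render subjects in the system:serviceaccount:<project>:<serviceaccount>
// form used by the oadm command, which makes the namespace visible in audits.
function subjectNames(binding) {
  return binding.subjects.map((s) => (s.kind === 'ServiceAccount'
    ? `system:serviceaccount:${s.namespace}:${s.name}` : s.name));
}

const demoTarget = { kind: 'ServiceAccount', name: 'default', namespace: 'pro1' };
console.log(subjectNames(removeSubjectIgnoringNamespace(sampleBinding(), 'ServiceAccount', 'default')));
console.log(subjectNames(removeSubject(sampleBinding(), demoTarget)));
```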

Comment 1 Jakub Hadvig 2017-10-31 08:58:47 UTC
I can confirm that this issue hits the master as well

Comment 2 bpeterse 2017-10-31 19:36:29 UTC
PR opened to address this:
https://github.com/openshift/origin-web-console/pull/2406

Comment 4 Yadan Pei 2017-11-03 06:30:30 UTC
Checked on v3.7.0-0.190.0

Deleting one ServiceAccount rolebinding will not affect the others, and the issue described is fixed.

Move to VERIFIED

Comment 8 errata-xmlrpc 2017-11-28 22:20:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

