Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1510076

Summary: Unable to allow a service-account permissions to delete ANY project
Product: OpenShift Container Platform Reporter: Will Gordon <wgordon>
Component: apiserver-authAssignee: Simo Sorce <ssorce>
Status: CLOSED NOTABUG QA Contact: Chuan Yu <chuyu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: aos-bugs, mkhan
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-06 18:51:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Will Gordon 2017-11-06 16:31:18 UTC 
Description of problem:
Running `oc cluster up`, I have defined a ClusterRole [1] to allow `delete` of `projects` without any other restrictions.
Logged in as system:admin, I have performed:
- oc create -f delete-projects.json [1]
- oc create sa delete-admin
- oc adm add-cluster-role-to-user system:service:accounts:default:delete-admin
- oc adm policy who-can delete projects --all-namespaces  -> lists system:service:accounts:default:delete-admin
- oc login -u delete-admin -p $(oc sa get-token delete-admin)
- oc delete project myproject  -> F1106 11:23:27.217087    6342 helpers.go:119] Error from server (Forbidden): User "other-admin" cannot delete projects in project "myproject"

Version-Release number of selected component (if applicable):
Server https://127.0.0.1:8443
openshift v3.6.173.0.5
kubernetes v1.6.1+5115d708d7

How reproducible:
always

Steps to Reproduce:
see above

Actual results:
Failure to delete project

Expected results:
Successfully delete project

Additional info:

[1] http://pastebin.test.redhat.com/529688
Comment 1 Simo Sorce 2017-11-06 16:43:43 UTC 
please provide the output of
oc get serviceaccounts -o json
Comment 2 Will Gordon 2017-11-06 17:26:53 UTC 
{
    "apiVersion": "v1",
    "imagePullSecrets": [
        {
            "name": "delete-admin-dockercfg-553lq"
        }
    ],
    "kind": "ServiceAccount",
    "metadata": {
        "creationTimestamp": "2017-11-06T16:05:33Z",
        "name": "delete-admin",
        "namespace": "default",
        "resourceVersion": "1512",
        "selfLink": "/api/v1/namespaces/default/serviceaccounts/delete-admin",
        "uid": "516d04f9-c30c-11e7-a08a-6abe92e081f3"
    },
    "secrets": [
        {
            "name": "delete-admin-dockercfg-553lq"
        },
        {
            "name": "delete-admin-token-l1b05"
        }
    ]
}
Comment 3 Simo Sorce 2017-11-06 17:28:52 UTC 
also not that the proper command to add delete-admin to the cluster role is not:
oc adm add-cluster-role-to-user system:service:accounts:default:delete-admin

but it is:
oc adm policy add-cluster-role-to-user delete-projects -z delete-admin


This does not allow me to delete a project either though.
Comment 4 Will Gordon 2017-11-06 17:48:30 UTC 
WOW, when was -z added?! That's awesome! The docs still recommend system:serviceaccount:<project>:<sa-name>. [1]

https://docs.openshift.com/container-platform/3.6/dev_guide/service_accounts.html#dev-sa-user-names-and-groups
Comment 5 Mo 2017-11-06 18:46:09 UTC 
You are logging in as the SA incorrectly.  The correct way is:

> oc login --token=$(oc sa get-token SA_NAME -n SA_NAMESPACE)

This is clear from the error message:

> Error from server (Forbidden): User "other-admin" cannot ...

If you were logged in as the SA it would say:

> Error from server (Forbidden): User "system:serviceaccount:SA_NAMESPACE:SA_NAME" cannot ...

You can use `oc whoami` to tell what user you are logged in as.
Comment 6 Simo Sorce 2017-11-06 18:51:56 UTC 
Ok I have also reproduced and using:
> oc login --token=$(oc sa get-token delete-admin -n default)
> oc delete project myproject 
worked.
Closing NOTABUG
Comment 7 Will Gordon 2017-11-06 18:59:48 UTC 
Thanks! That did the trick!