Bug 1512807 - Able to remove a cluster role from a user for all projects, when the user doesn't exist.
Summary: Able to remove a cluster role from a user for all projects, when the user doe...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 3.6.0
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Fabiano Franz
QA Contact: Xingxing Xia
URL:
Whiteboard:
Duplicates: 1540083
Depends On:
Blocks:
 
Reported: 2017-11-14 07:23 UTC by Iswarya
Modified: 2018-01-30 14:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-14 14:32:03 UTC
Target Upstream Version:
Embargoed:


Attachments
The attached file contains steps to reproduce the problem (9.32 KB, image/png)
2017-11-14 07:23 UTC, Iswarya

Description Iswarya 2017-11-14 07:23:38 UTC
Created attachment 1351820 [details]
The attached file contains steps to reproduce the problem

Description of problem: When a user executes the command "oadm policy remove-cluster-role-from-user <role> <user_name>"
to remove a cluster role from a user for all projects, where the user doesn't exist, the command executes successfully without throwing any error such as "user doesn't exist".

For example:- 
[root@openshift1 ~]# oc get users
NAME      UID                                    FULL NAME   IDENTITIES
admin     e78f3595-c08f-11e7-812d-005056a37c8d               htpasswd_auth:admin
user1     97c39287-c3d2-11e7-b582-005056a37c8d               htpasswd_auth:user1

[root@openshift1 ~]# oadm policy remove-cluster-role-from-user view new
cluster role "view" removed: "new"

When we list users, there is no user "new", but I am able to remove a policy from a user which doesn't exist.



Version-Release number of selected component (if applicable): atomic-openshift-utils-3.6.173.0.48-1.git.0.1609d30.el7.noarch



How reproducible:


Steps to Reproduce:
1. login to openshift
2. Check the user list by using the command "oc get users"
3. run command "oadm policy remove-cluster-role-from-user view new"
  
   

Actual results: cluster role "view" removed: "new"



Expected results: "new" user doesn't exist


Additional info:

Comment 1 Juan Vallejo 2017-11-14 14:32:03 UTC
Tagging Mo for confirmation, but I'm pretty sure this is how this command is meant to work - not a bug.

There is a PR [1] currently open that aims to provide some feedback to the user when a role was either already bound (or the user did not exist or the role was not already bound to it), but again, not as an error from the command.

1. https://github.com/openshift/origin/pull/17249

Comment 2 Mo 2017-11-29 04:23:52 UTC
This is the expected behavior.  These commands are meant to be order independent and must not care if a user exists.  A user can be purely virtual or created at a later date.  Most users cannot list users anyway, so there is no way to provide this feedback to them.

Comment 3 Bhavani CR 2017-12-20 07:13:21 UTC
(In reply to Mo from comment #2)
> This is the expected behavior.  These commands are meant to be order
> independent and must not care if a user exists.  A user can be purely
> virtual or created at a later date.  Most users cannot list users anyway, so
> there is no way to provide this feedback to them.

Hi Mo,

As you mentioned, the user can be created later, after creating the role. But if I create a user after creating a role, the role has not been added to that user.

Comment 4 Mo 2018-01-02 17:26:31 UTC
(In reply to Bhavani CR from comment #3)
> (In reply to Mo from comment #2)
> > This is the expected behavior.  These commands are meant to be order
> > independent and must not care if a user exists.  A user can be purely
> > virtual or created at a later date.  Most users cannot list users anyway, so
> > there is no way to provide this feedback to them.
> 
> Hi Mo,
> 
> As you mentioned that the user can be created later after creating the role.
> But if I create a user after creating a role,the role is not been added to
> that user.

Please provide the set of steps needed to reproduce the behavior you are seeing.

Comment 5 Bhavani CR 2018-01-04 09:45:29 UTC
steps:

1. Create a role binding even though there is no user, by using the command: oc policy add-role-to-user admin user1

2. Verify the role that has been added to the user by using the command: oc get rolebindings

3. Create a user with the same name, user1, by using the command: oc create user user1

As per the role binding, user1 has the admin role, but user1 works as a basic-user.

Comment 6 Mo 2018-01-08 20:35:25 UTC
(In reply to Bhavani CR from comment #5)
> steps:
> 
> 1. create a role even though there is no user by using command: oc policy
> add-role-to-user admin user1
> 
> 2. verify the role that has been added to the user by using command:  oc get
> rolebindings
> 
> 3. create a user with the same name called user1 by using the command:oc
> create user user1
> 
> As per the creation of roles user1 has admin role but user1 works as a
> basic-user

Your example lacks any auth checks, so I cannot determine what issue you are seeing.

The following example demonstrates how a user does not need to exist at all for this process to work:



$ oc login -u system:admin
Logged into "https://...:8443" as "system:admin" using existing credentials.


$ oc new-project foobar
Now using project "foobar" on server "https://...:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.


$ oc get user user1
Error from server (NotFound): users "user1" not found


$ oc policy can-i update role --as=user1 -o yaml
no


$ oc policy add-role-to-user admin user1
role "admin" added: "user1"


$ oc get rolebinding admin 
NAME      ROLE      USERS                 GROUPS    SERVICE ACCOUNTS   SUBJECTS
admin     /admin    system:admin, user1                                


$ oc policy can-i update role --as=user1
yes


$ oc policy remove-role-from-user admin user1
role "admin" removed: "user1"


$ oc get rolebinding admin
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admin     /admin    system:admin


$ oc policy can-i update role --as=user1 -o yaml
no
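The behaviour discussed in comment 2 and demonstrated in comment 6 (a binding names its subjects as plain strings, so granting, checking and removing a role never consults whether a User object exists) has a practical consequence: a binding to a username that nobody currently owns is a standing grant that whoever later logs in under that name will inherit. The following Python script is an added example, not part of this bug report or of OpenShift's code. It audits bindings for User subjects with no matching User object, answers a can-i style question purely by subject name, and mirrors the no-op semantics of remove-role-from-user on an unbound name. The two JSON documents are constructed by hand in the shape that `oc get rolebindings --all-namespaces -o json` and `oc get users -o json` return; the treatment of `system:`-prefixed names as built-in virtual identities is an assumption made by the example.

```python
"""Audit RBAC bindings for User subjects that have no matching User object, and
show that role evaluation goes by subject name alone.

Added example for this bug report; not code from OpenShift or from the
commenters. The two JSON documents are constructed by hand in the shape that
`oc get rolebindings --all-namespaces -o json` and `oc get users -o json`
return (a List whose `items` hold the objects).
"""
import json
from typing import List, Tuple

# Constructed: project foobar after `oc policy add-role-to-user admin user1`,
# plus a "view" binding whose User subject "new" was never created.
ROLEBINDINGS_JSON = """{
  "kind": "List", "apiVersion": "v1",
  "items": [
    {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"name": "admin", "namespace": "foobar"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "system:admin"},
                  {"kind": "User", "name": "user1"}]},
    {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"name": "view", "namespace": "foobar"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "new"},
                  {"kind": "ServiceAccount", "name": "default", "namespace": "foobar"}]}
  ]}"""

# Constructed: `oc get users -o json` listing only admin and user1, as in the report.
USERS_JSON = """{
  "kind": "List", "apiVersion": "v1",
  "items": [
    {"kind": "User", "apiVersion": "user.openshift.io/v1", "metadata": {"name": "admin"}},
    {"kind": "User", "apiVersion": "user.openshift.io/v1", "metadata": {"name": "user1"}}
  ]}"""

# Assumption of this example: names under the "system:" prefix (system:admin,
# system:anonymous, ...) are built-in virtual identities that never have a User
# object, so they are not reported as dangling.
VIRTUAL_PREFIX = "system:"


def load_items(doc: str) -> List[dict]:
    """Return the objects in an `oc get ... -o json` List document."""
    return json.loads(doc).get("items", [])


def user_subjects(binding: dict) -> List[str]:
    """Names of the User-kind subjects of a (Cluster)RoleBinding."""
    return [s["name"] for s in binding.get("subjects", []) if s.get("kind") == "User"]


def dangling_user_subjects(bindings_doc: str, users_doc: str) -> List[Tuple[str, str, str]]:
    """(namespace, binding, user) for every User subject with no User object.

    Such a binding is a standing grant: whoever later logs in with that
    username (for example through an identity provider) receives the role.
    """
    known = {u["metadata"]["name"] for u in load_items(users_doc)}
    found = []
    for b in load_items(bindings_doc):
        ns = b["metadata"].get("namespace", "")
        for name in user_subjects(b):
            if name.startswith(VIRTUAL_PREFIX) or name in known:
                continue
            found.append((ns, b["metadata"]["name"], name))
    return found


def user_has_role(bindings_doc: str, user: str, role: str, namespace: str) -> bool:
    """Is `user` a subject of a binding to `role` in `namespace`?

    Only the subject name is compared; nothing here consults the User objects,
    which is the point made in comment 2 and comment 6.
    """
    for b in load_items(bindings_doc):
        if b["metadata"].get("namespace") != namespace or b["roleRef"]["name"] != role:
            continue
        if user in user_subjects(b):
            return True
    return False


def remove_user_from_binding(binding: dict, user: str) -> Tuple[dict, bool]:
    """Drop a User subject the way remove-role-from-user does.

    Returns the updated binding and whether anything was removed; removing a
    name that is not bound is a successful no-op, never an error.
    """
    before = binding.get("subjects", [])
    after = [s for s in before if not (s.get("kind") == "User" and s["name"] == user)]
    return dict(binding, subjects=after), len(after) != len(before)


if __name__ == "__main__":
    for ns, binding, user in dangling_user_subjects(ROLEBINDINGS_JSON, USERS_JSON):
        print(f"{ns}/{binding}: User subject {user!r} has no User object")
    print("new has view in foobar:", user_has_role(ROLEBINDINGS_JSON, "new", "view", "foobar"))
```

On a real cluster, replace the constructed documents with the output of `oc get rolebindings --all-namespaces -o json` and `oc get users -o json` (the same shape works for `oc get clusterrolebindings -o json`, where the namespace comes back empty) and review every reported name: either the binding is intentional and the user will be created later, as comment 2 describes, or it is a leftover that should be removed with `oc policy remove-role-from-user` before an identity provider hands that username to someone else.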

Comment 7 Juan Vallejo 2018-01-30 14:41:57 UTC
*** Bug 1540083 has been marked as a duplicate of this bug. ***

