Created attachment 1351820
The attached file contains steps to reproduce the problem

Description of problem:
When a user executes the command "oadm policy remove-cluster-role-from-user <role> <user_name>" to remove a cluster-role from a user for all projects where the user doesn't exist, the command executes successfully without throwing any error "user doesn't exist".

For example:

[root@openshift1 ~]# oc get users
NAME      UID                                    FULL NAME   IDENTITIES
admin     e78f3595-c08f-11e7-812d-005056a37c8d               htpasswd_auth:admin
user1     97c39287-c3d2-11e7-b582-005056a37c8d               htpasswd_auth:user1
[root@openshift1 ~]# oadm policy remove-cluster-role-from-user view new
cluster role "view" removed: "new"

When we list users, there is no user "new", but I am able to remove a policy from a user which doesn't exist.

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.6.173.0.48-1.git.0.1609d30.el7.noarch

How reproducible:

Steps to Reproduce:
1. Login to openshift
2. Check the user list by using the command "oc get users"
3. Run the command "oadm policy remove-cluster-role-from-user view new"

Actual results:
cluster role "view" removed: "new"

Expected results:
"new" user doesn't exist

Additional info:
Tagging Mo for confirmation, but I'm pretty sure this is how this command is meant to work - not a bug. There is a PR [1] currently open that aims to provide some feedback to the user when a role was either already bound (or the user did not exist or the role was not already bound to it), but again, not as an error from the command. 1. https://github.com/openshift/origin/pull/17249
This is the expected behavior. These commands are meant to be order independent and must not care if a user exists. A user can be purely virtual or created at a later date. Most users cannot list users anyway, so there is no way to provide this feedback to them.
(In reply to Mo from comment #2)
> This is the expected behavior. These commands are meant to be order
> independent and must not care if a user exists. A user can be purely
> virtual or created at a later date. Most users cannot list users anyway, so
> there is no way to provide this feedback to them.

Hi Mo,

As you mentioned, the user can be created later, after creating the role. But if I create a user after creating a role, the role has not been added to that user.
(In reply to Bhavani CR from comment #3)
> (In reply to Mo from comment #2)
> > This is the expected behavior. These commands are meant to be order
> > independent and must not care if a user exists. A user can be purely
> > virtual or created at a later date. Most users cannot list users anyway, so
> > there is no way to provide this feedback to them.
>
> Hi Mo,
>
> As you mentioned, the user can be created later, after creating the role.
> But if I create a user after creating a role, the role has not been added to
> that user.

Please provide the set of steps needed to reproduce the behavior you are seeing.
Steps:

1. Create a role even though there is no user by using the command: oc policy add-role-to-user admin user1
2. Verify the role that has been added to the user by using the command: oc get rolebindings
3. Create a user with the same name called user1 by using the command: oc create user user1

As per the creation of roles, user1 has the admin role, but user1 works as a basic-user.
(In reply to Bhavani CR from comment #5)
> Steps:
>
> 1. Create a role even though there is no user by using the command: oc policy
> add-role-to-user admin user1
>
> 2. Verify the role that has been added to the user by using the command: oc get
> rolebindings
>
> 3. Create a user with the same name called user1 by using the command: oc
> create user user1
>
> As per the creation of roles, user1 has the admin role, but user1 works as a
> basic-user.

Your example lacks any auth checks, so I cannot determine what issue you are seeing. The following example demonstrates how a user does not need to exist at all for this process to work:

$ oc login -u system:admin
Logged into "https://...:8443" as "system:admin" using existing credentials.

$ oc new-project foobar
Now using project "foobar" on server "https://...:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.

$ oc get user user1
Error from server (NotFound): users "user1" not found

$ oc policy can-i update role --as=user1 -o yaml
no

$ oc policy add-role-to-user admin user1
role "admin" added: "user1"

$ oc get rolebinding admin
NAME      ROLE      USERS                 GROUPS    SERVICE ACCOUNTS   SUBJECTS
admin     /admin    system:admin, user1

$ oc policy can-i update role --as=user1
yes

$ oc policy remove-role-from-user admin user1
role "admin" removed: "user1"

$ oc get rolebinding admin
NAME      ROLE      USERS          GROUPS    SERVICE ACCOUNTS   SUBJECTS
admin     /admin    system:admin

$ oc policy can-i update role --as=user1 -o yaml
no
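Because bindings are keyed by subject name and never checked against existing User objects (the behavior Mo describes above), an administrator auditing a cluster may want to list the User subjects in role bindings that have no matching User object, since any user later created with that name inherits the role. The following is an added example, not code from this bug thread or from the OpenShift project; it assumes the `items`/`subjects` JSON shape that `oc get users -o json` and `oc get rolebindings -o json` return, and the two documents below are constructed samples modelled on the report.

```python
import json

# Constructed sample of `oc get users -o json`: the two real User objects.
USERS_JSON = json.dumps({"items": [
    {"kind": "User", "metadata": {"name": "admin"}},
    {"kind": "User", "metadata": {"name": "user1"}},
]})

# Constructed sample of `oc get rolebindings -o json` for project "foobar".
# "new" was bound by name without a User object existing, as in the report.
ROLEBINDINGS_JSON = json.dumps({"items": [
    {"kind": "RoleBinding",
     "metadata": {"name": "admin", "namespace": "foobar"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "system:admin"},
                  {"kind": "User", "name": "user1"},
                  {"kind": "User", "name": "new"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "view", "namespace": "foobar"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "ServiceAccount", "name": "builder",
                   "namespace": "foobar"}]},
]})


def existing_users(users_json):
    """Names of the User objects the cluster actually has."""
    return {u["metadata"]["name"] for u in json.loads(users_json)["items"]}


def dangling_user_subjects(rolebindings_json, users):
    """(namespace, binding, role, user) for each User subject with no User
    object. Groups, service accounts and virtual system: users are skipped."""
    found = []
    for rb in json.loads(rolebindings_json)["items"]:
        ns = rb["metadata"].get("namespace", "")
        for s in rb.get("subjects") or []:
            if s["kind"] != "User" or s["name"].startswith("system:"):
                continue
            if s["name"] not in users:
                found.append((ns, rb["metadata"]["name"],
                              rb["roleRef"]["name"], s["name"]))
    return found


if __name__ == "__main__":
    users = existing_users(USERS_JSON)
    for ns, rb, role, user in dangling_user_subjects(ROLEBINDINGS_JSON, users):
        print(f"{ns}/{rb}: role {role} bound to user {user}, which does not exist")
```

On a live cluster the same functions can be fed the output of the two `oc get ... -o json` commands instead of the constructed samples.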
*** Bug 1540083 has been marked as a duplicate of this bug. ***