Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1519314

Summary: User XXX cannot list authorization.openshift.io.rolebindings in project "XXX"
Product: OpenShift Container Platform
Reporter: Luiz Carvalho <lucarval>
Component: oc
Assignee: Mo <mkhan>
Status: CLOSED DUPLICATE
QA Contact: Xingxing Xia <xxia>
Severity: medium
Priority: unspecified
Version: 3.7.0
CC: akostadi, aos-bugs, jokerman, jvallejo, mifiedle, mkhan, mmccomas
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2017-12-01 00:35:53 UTC
Type: Bug

Description Luiz Carvalho 2017-11-30 15:19:58 UTC
Description of problem:
Cannot add role to service account with oc v3.7.9

$ oc policy add-role-to-user registry-admin -z jian
Error from server (Forbidden): User "jiazha" cannot list authorization.openshift.io.rolebindings in project "asb-apb"

$ oc version
oc v3.7.9
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO
Server https://registry-console.engineering.redhat.com:8443
openshift v3.4.1.7
kubernetes v1.4.0+776c994

Version-Release number of selected component (if applicable):
v3.7.9


How reproducible:
Always


Steps to Reproduce:
1. Create service account
2. Add "registry-admin" role to service account

Actual results:
Error from server (Forbidden): User "jiazha" cannot list authorization.openshift.io.rolebindings in project "asb-apb"

Expected results:
Expected role to be added to service account.

Additional info:
This was seen when using oc 3.7 on a 3.4 cluster.

The command with oc v3.4 and oc v3.6 against the same 3.4 cluster works just fine.

Full Output:
[jzhang@dhcp-141-95 Downloads]$ oc project asb-apb
Now using project "asb-apb" on server "https://registry-console.engineering.redhat.com:8443".

[jzhang@dhcp-141-95 Downloads]$ oc get rolebinding
NAME                    ROLE                    USERS     GROUPS                           SERVICE ACCOUNTS   SUBJECTS
registry-viewer         /registry-viewer                  system:unauthenticated
system:deployers        /system:deployer                                                   deployer
system:image-builders   /system:image-builder                                              builder
system:image-pullers    /system:image-puller              system:serviceaccounts:asb-apb
admin                   /admin                  jiazha
registry-admin          /registry-admin         jiazha

[jzhang@dhcp-141-95 Downloads]$ oc create sa jian
serviceaccount "jian" created

[jzhang@dhcp-141-95 Downloads]$ oc get sa
NAME       SECRETS   AGE
builder    2         2m
default    2         2m
deployer   2         2m
jian       2         7s

[jzhang@dhcp-141-95 Downloads]$ oc policy add-role-to-user registry-admin -z jian
Error from server (Forbidden): User "jiazha" cannot list authorization.openshift.io.rolebindings in project "asb-apb"

[jzhang@dhcp-141-95 Downloads]$ oc get rolebinding
NAME                    ROLE                    USERS     GROUPS                           SERVICE ACCOUNTS   SUBJECTS
system:image-builders   /system:image-builder                                              builder
system:image-pullers    /system:image-puller              system:serviceaccounts:asb-apb
admin                   /admin                  jiazha
registry-admin          /registry-admin         jiazha
registry-viewer         /registry-viewer                  system:unauthenticated
system:deployers        /system:deployer                                                   deployer

Comment 2 Mo 2017-12-01 00:35:53 UTC

*** This bug has been marked as a duplicate of bug 1500692 ***