Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1528016

Summary: oc whoami returns forbidden - version of OC: 3.7.9
Product: OpenShift Container Platform
Reporter: Markus Schreier <mschreie>
Component: oc
Assignee: Juan Vallejo <jvallejo>
Status: CLOSED DUPLICATE
QA Contact: Xingxing Xia <xxia>
Severity: low
Priority: medium
Version: unspecified
CC: aos-bugs, deads, jokerman, mkhan, mmccomas, mschreie
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Mac OS   
Last Closed: 2018-01-02 17:08:03 UTC
Type: Bug

Description Markus Schreier 2017-12-20 18:58:42 UTC
Description of problem:
current version of oc shows an error:
```
$ oc-3.7.9 whoami
Error from server (Forbidden): User "developer" cannot get user.openshift.io.users at the cluster scope
```

Version-Release number of selected component (if applicable):
```
Markuss-MacBook-Pro:ansible mschreie$ oc-3.7.9 version
oc v3.7.9
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth

Server https://openshift.hailstorm2.coe.muc.redhat.com:443
openshift v3.5.5.31
kubernetes v1.5.2+43a9be4
```


How reproducible:
oc login
user: admin
oc whoami
-> error

Doing the same with older version of oc works, e.g.:
```
oc version
oc v3.6.173.0.83
kubernetes v1.6.1+5115d708d7
features: Basic-Auth

Server https://openshift.hailstorm2.coe.muc.redhat.com:443
openshift v3.5.5.31
kubernetes v1.5.2+43a9be4
```



Actual results:
Error from server (Forbidden): User "developer" cannot get user.openshift.io.users at the cluster scope


Expected results:
admin

Additional info:
A colleague is having the same issue on RHEL as I have on Mac when connecting to the same OpenShift installation.

Comment 1 Juan Vallejo 2017-12-20 21:40:07 UTC
I believe you might have to run
```
$ oc adm policy reconcile-cluster-roles
```

Tagging Mo for confirmation

Comment 2 Xingxing Xia 2017-12-21 01:32:07 UTC
Might be not a bug related to bug 1500692. Also there is document https://docs.openshift.com/container-platform/3.7/release_notes/index.html#release-versioning-policy

Comment 3 Markus Schreier 2017-12-21 13:11:37 UTC
(In reply to Juan Vallejo from comment #1)
> I believe you might have to run
> ```
> $ oc adm policy reconcile-cluster-roles
> ```
> 
> Tagging Mo for confirmation

I ran 
oc adm policy reconcile-cluster-roles
with oc-3.6 but this did not change behaviour of oc 3.7.9

I also ran the same command with oc 3.7.9 as admin, but the error stays the same...

Also: with old oc (3.6) I do not have issues. So I believe the behaviour of the client changed....

Comment 4 Markus Schreier 2017-12-21 13:15:14 UTC
(In reply to Xingxing Xia from comment #2)
> Might be not a bug related to bug 1500692. Also there is document
> https://docs.openshift.com/container-platform/3.7/release_notes/index.html#release-versioning-policy
This is not related to this issue. I'd call this deviation as a standard feature works with an OLDER oc client and does not work with the NEW oc client.
It is not a new feature introduced on one or the other side....

Comment 5 Juan Vallejo 2017-12-21 15:38:02 UTC
*** Bug 1528015 has been marked as a duplicate of this bug. ***

Comment 6 Juan Vallejo 2017-12-21 15:44:07 UTC
(In reply to Markus Schreier from comment #4)
> (In reply to Xingxing Xia from comment #2)
> > Might be not a bug related to bug 1500692. Also there is document
> > https://docs.openshift.com/container-platform/3.7/release_notes/index.html#release-versioning-policy
> This is not related to this issue. I'd call this deviation as a standard
> feature works with an OLDER oc client and does not work with the NEW oc
> client.
> It is not a new feature introduced on one or the other side....

Looking at the client and server versions, this actually does appear to be similar to https://bugzilla.redhat.com/show_bug.cgi?id=1500692. You have reported that a 3.7 client fails with a permission error against a 3.5 cluster [1] which is the same case seen in https://bugzilla.redhat.com/show_bug.cgi?id=1500692:

> Markuss-MacBook-Pro:ansible mschreie$ oc-3.7.9 version
> oc v3.7.9
> kubernetes v1.7.6+a08f5eeb62
> features: Basic-Auth

> Server https://openshift.hailstorm2.coe.muc.redhat.com:443
> openshift v3.5.5.31
> kubernetes v1.5.2+43a9be4

Then you report that a 3.6 client does appear to work:

> Doing the same with older version of oc works, e.g.:
> oc version
> oc v3.6.173.0.83
> kubernetes v1.6.1+5115d708d7
> features: Basic-Auth

> Server https://openshift.hailstorm2.coe.muc.redhat.com:443
> openshift v3.5.5.31
> kubernetes v1.5.2+43a9be4

Re-iterating Mo's comment from https://bugzilla.redhat.com/show_bug.cgi?id=1500692#c2:

> This is the expected behavior of a 3.7 client.  It is expected to only use the 
> grouped resources and only needs to be compatible with a 3.6 - 3.8 server 
> (i.e. +1/-1 server client compatibility).

@Markus could you try the command against a 3.6 server and confirm that it works as expected?
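
The +1/-1 client/server compatibility rule quoted above can be checked mechanically before spending time on RBAC debugging. The following is an added example, not part of the original thread or of the oc code base; the function names `version_of` and `oc_skew_check` are hypothetical, and the two sample inputs are the `oc version` outputs from this report.

```shell
#!/bin/sh
# Added example: flag oc client/server version skew from `oc version` output.
# Real use: oc version | oc_skew_check

# Print "major minor" from the first line starting with "<prefix> v".
version_of() {
    sed -n "s/^$1 v\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p" | head -n 1
}

# Reads `oc version` output on stdin.
# Returns 0 if within +1/-1 minor, 1 if outside, 2 if unparsable.
oc_skew_check() {
    out=$(cat)
    client=$(printf '%s\n' "$out" | version_of oc)
    server=$(printf '%s\n' "$out" | version_of openshift)
    if [ -z "$client" ] || [ -z "$server" ]; then
        echo "UNKNOWN: could not parse client or server version"
        return 2
    fi
    # Intentional word splitting: $1.$2 = client, $3.$4 = server
    set -- $client $server
    skew=$(( $2 - $4 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    if [ "$1" -ne "$3" ] || [ "$skew" -gt 1 ]; then
        echo "UNSUPPORTED: client $1.$2 vs server $3.$4 is outside +1/-1"
        return 1
    fi
    echo "OK: client $1.$2 vs server $3.$4 is within +1/-1"
}

# Sample inputs: the two `oc version` outputs from this report.
SAMPLE_37_VS_35='oc v3.7.9
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth

Server https://openshift.hailstorm2.coe.muc.redhat.com:443
openshift v3.5.5.31
kubernetes v1.5.2+43a9be4'
SAMPLE_36_VS_35='oc v3.6.173.0.83
kubernetes v1.6.1+5115d708d7
features: Basic-Auth

Server https://openshift.hailstorm2.coe.muc.redhat.com:443
openshift v3.5.5.31
kubernetes v1.5.2+43a9be4'

printf '%s\n' "$SAMPLE_37_VS_35" | oc_skew_check || true
printf '%s\n' "$SAMPLE_36_VS_35" | oc_skew_check || true
```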

Comment 7 Mo 2018-01-02 17:08:03 UTC
This is working as expected.

*** This bug has been marked as a duplicate of bug 1500692 ***

Comment 8 Markus Schreier 2018-03-05 13:05:08 UTC
I believe this has been closed, so no further action needed from my side... 
Just would like to get rid of the continuous reminder...