Bug 1651440 - 'oc auth reconcile' command should not be used while adding a new custom role
Summary: 'oc auth reconcile' command should not be used while adding a new custom role
Keywords:
Status: NEW
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.11.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Vikram Goyal
QA Contact: scheng
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-11-20 05:59 UTC by Arnab Ghosh
Modified: 2019-09-18 05:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:



Description Arnab Ghosh 2018-11-20 05:59:32 UTC
Description of problem:

OCP 3.11 documentation says "To add or update custom roles and permissions, it is strongly recommended to use the 'oc auth reconcile' command".

To update custom roles it is absolutely logical to use the 'oc auth reconcile' command, since it will append new verbs to the custom role instead of deleting old verbs and adding new verbs.

I don't think the same command should be our recommendation while creating a custom role, because if a custom role with the same name as your new role is already present in the environment then it will just update that role. The cluster admin would not be notified that a custom role with the same name already exists in the environment, which in turn might provide extended permissions to the user/SA attached to this custom role.


Version-Release number of selected component (if applicable):

- OpenShift Container Platform 3.11

How reproducible:

- Always

Steps to Reproduce:

1. Create a custom role using the 'oc auth reconcile' command.
2. Create another custom role with the same name but a different definition from the first custom role.
3. You should see that the 'oc auth reconcile' command creates a custom role if there is no custom role with the same name; otherwise it updates the existing role.

Actual results:

- The 'oc auth reconcile' command does not notify if a custom role with the same name already exists.

Expected results:

- It should notify the cluster admin.

Additional info:


Document URL: 

https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html#applying-custom-roles-and-permissions

Section Number and Name: 

Describe the issue: 

Suggestions for improvement: 

- To update custom roles and permissions, it is strongly recommended to use the following command:
# oc auth reconcile -f FILE

Additional information:

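One defender-side check that follows from the report above, as an added example that is not part of the bug report, the OpenShift docs, or the oc tool itself: a small POSIX shell wrapper that reads the role name out of the manifest and refuses to run 'oc auth reconcile' when a Role or ClusterRole with that name already exists, so a "create" never silently turns into an "update" of a role that already grants permissions. The manifest parsing (a single-document YAML file with 'kind:', 'metadata.name' and, for a Role, 'metadata.namespace' as plain scalars) and the function names are assumptions of this example; 'oc get --ignore-not-found -o name' and 'oc auth reconcile -f' are real oc invocations.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenShift's own tooling.
# Guard for creating a *new* custom role: check whether a Role/ClusterRole
# with the same name already exists before running 'oc auth reconcile',
# so an existing role is never silently merged into instead of created.
# Assumptions: single-document YAML manifest with 'kind:', 'metadata.name'
# and, for a Role, 'metadata.namespace' as plain scalars; 'oc' is on PATH
# and already logged in. Parsing is deliberately simple (no YAML library in sh).

# Read one scalar from the manifest. $1 = file, $2 = key, $3 = indent prefix.
manifest_field() {
    sed -n "s/^$3$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if the named role already exists, 1 otherwise.
# $1 = role|clusterrole, $2 = name, $3 = namespace (ignored for clusterrole).
# '--ignore-not-found' makes 'oc get' exit 0 with empty output when absent,
# so presence is decided on the output rather than on the exit status.
role_exists() {
    if [ "$1" = "clusterrole" ]; then
        found=$(oc get clusterrole "$2" --ignore-not-found -o name)
    else
        found=$(oc get role "$2" -n "$3" --ignore-not-found -o name)
    fi
    [ -n "$found" ]
}

# Create a new role from a manifest; refuse with exit code 2 if the name is
# already taken, because 'oc auth reconcile' would update it, not create it.
reconcile_new_role() {
    file=$1
    kind=$(manifest_field "$file" kind "" | tr 'A-Z' 'a-z')
    name=$(manifest_field "$file" name "  ")
    ns=$(manifest_field "$file" namespace "  ")
    case "$kind" in
        role|clusterrole) ;;
        *) echo "unsupported kind '$kind' in $file" >&2; return 1 ;;
    esac
    if [ "$kind" = "role" ] && [ -z "$ns" ]; then
        echo "Role manifest $file has no metadata.namespace" >&2
        return 1
    fi
    if role_exists "$kind" "$name" "$ns"; then
        echo "refusing: $kind '$name' already exists; 'oc auth reconcile' would update it, not create it" >&2
        return 2
    fi
    oc auth reconcile -f "$file"
}

# Usage: ./reconcile_new_role.sh path/to/role.yaml
if [ "$#" -gt 0 ]; then
    reconcile_new_role "$1"
fi
```

The wrapper only closes the gap the reporter describes (a name collision at creation time); updating an existing role on purpose is still done with a plain 'oc auth reconcile -f FILE', which is the case the documentation's recommendation covers.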
