Bug 1651440 - 'oc auth reconcile' command should not be used while adding a new custom role
Summary: 'oc auth reconcile' command should not be used while adding a new custom role
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.11.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
: 3.11.z
Assignee: Lindsey Barbee-Vargas
QA Contact: scheng
Vikram Goyal
Depends On:
Reported: 2018-11-20 05:59 UTC by Arnab Ghosh
Modified: 2020-04-20 13:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-04-17 18:14:01 UTC
Target Upstream Version:


Description Arnab Ghosh 2018-11-20 05:59:32 UTC
Description of problem:

OCP 3.11 documentation says 'To add or update custom roles and permissions, it is strongly recommended to use 'oc auth reconcile' command'

To update custom roles it is absolutely logical to use the 'oc auth reconcile' command, since it will append new verbs to the custom role instead of deleting old verbs and adding new verbs.

I don't think the same command should be our recommendation while creating a custom role, because if there is a custom role with the same name as your new role present in the environment then it will just update the role. The cluster admin would not be notified that a custom role with the same name already exists in the environment, which in turn might provide extended permissions to the user/SA attached to this custom role.

Version-Release number of selected component (if applicable):

- OpenShift Container Platform 3.11

How reproducible:

- Always

Steps to Reproduce:

1. Create a custom role using the 'oc auth reconcile' command.
2. Create another custom role with the same name but a different definition than the first custom role.
3. You should be able to see that the 'oc auth reconcile' command creates a custom role if there is no custom role with the same name; otherwise it updates the existing role.

Actual results:

- The 'oc auth reconcile' command does not notify if a custom role with the same name already exists.

Expected results:

- It should notify the cluster admin.

Additional info:

Document URL: 


Section Number and Name: 

Describe the issue: 

Suggestions for improvement: 

- To update custom roles and permissions, it is strongly recommended to use the following command:
# oc auth reconcile -f FILE

Additional information:
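As an added illustration of the distinction the report draws (not code from the bug or from the OpenShift documentation), the wrapper below checks whether a role of the same kind and name already exists before choosing between `oc create -f` for a new role and `oc auth reconcile -f` for an update, and in create-only mode refuses to touch an existing role instead of silently reconciling it. The function names, the minimal YAML field extraction and the `OC` override are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Guarded wrapper around `oc auth reconcile` for the case described in the bug:
# reconcile silently updates a role that already has the same name. Added
# example, not from the bug or the OpenShift docs; the function names and the
# minimal YAML parsing below are assumptions. OC can be overridden for testing.
OC=${OC:-oc}

# Top-level `kind:` of a single-document manifest.
manifest_kind() {
    sed -n 's/^kind:[[:space:]]*//p' "$1" | head -n 1
}

# `metadata.name` of a single-document manifest (first name: under metadata:).
manifest_name() {
    awk '
        /^metadata:/            { in_meta = 1; next }
        in_meta && /^[^ \t]/    { in_meta = 0 }
        in_meta && /^[ \t]+name:/ {
            sub(/^[ \t]+name:[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# True when a role of this kind and name is already present in the cluster.
role_exists() {
    "$OC" get "$1" "$2" >/dev/null 2>&1
}

# Create a new role with `oc create` (which refuses to overwrite) and update an
# existing one with `oc auth reconcile`. In create-only mode an existing role is
# reported to the admin instead of being modified (exit status 2).
apply_role_safely() {
    file=$1
    mode=${2:-update}           # update | create-only
    kind=$(manifest_kind "$file")
    name=$(manifest_name "$file")
    if role_exists "$kind" "$name"; then
        if [ "$mode" = "create-only" ]; then
            echo "refused: $kind/$name already exists; review it before reconciling" >&2
            return 2
        fi
        "$OC" auth reconcile -f "$file" >/dev/null && echo "updated $kind/$name"
    else
        "$OC" create -f "$file" >/dev/null && echo "created $kind/$name"
    fi
}
```

Run as `apply_role_safely role.yaml create-only` when the intent is to add a role, and without the mode argument when the intent is to update one.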

Comment 9 Lindsey Barbee-Vargas 2020-04-15 20:50:10 UTC
Made changes as described: Updated Applying Custom Roles and Permissions with clarification when adding or updating new custom roles and permissions. This can be reviewed here: https://github.com/openshift/openshift-docs/pull/21202. Moving this bug to ON_QA.

Comment 11 scheng 2020-04-16 06:14:04 UTC

Comment 12 Lindsey Barbee-Vargas 2020-04-16 19:00:56 UTC
Added a link to an example yaml file for creating cluster roles per peer review feedback. Moving this bug back to ON_QA for a second look.

Comment 13 Lindsey Barbee-Vargas 2020-04-17 18:14:01 UTC
Verified fix is published and live on docs.openshift.com:

Comment 14 Lindsey Barbee-Vargas 2020-04-20 13:40:23 UTC
Verified fix is published and live on the Customer Portal:
(Applying Custom Roles and Permissions)
