Bug 1671685 - Inaccurate error message when removing a clusterrolebinding from a group for non-existent cluster role
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.2.0
Assignee: Standa Laznicka
QA Contact: scheng
Depends On:
Reported: 2019-02-01 10:09 UTC by Chuan Yu
Modified: 2019-08-05 06:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-05 06:26:57 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift oc pull 40 | 0 | None | closed | Bug 1671685: remove-(cluster-)role-from-*: Properly report binding kind if not found | 2020-07-01 14:40:38 UTC

Description Chuan Yu 2019-02-01 10:09:23 UTC
Description of problem:
Unable to remove the cluster role self-provisioners from the system:authenticated:oauth group

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. As the cluster admin, run the command `oc adm policy remove-cluster-role-from-group self-provisioners system:authenticated:oauth`

Actual results:
error: unable to locate RoleBinding  for ClusterRole "self-provisioners"

Expected results:
Could remove cluster role self-provisioners from system:authenticated:oauth group

Additional info:

$ oc adm policy remove-cluster-role-from-group self-provisioners system:authenticated:oauth --loglevel=8
I0201 16:07:34.583528   23657 loader.go:359] Config loaded from file 20190131/auth/kubeconfig
I0201 16:07:34.584167   23657 round_trippers.go:383] GET https://***cluster.openshift.com:6443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings
I0201 16:07:34.584178   23657 round_trippers.go:390] Request Headers:
I0201 16:07:34.584183   23657 round_trippers.go:393]     Accept: application/json, */*
I0201 16:07:34.584188   23657 round_trippers.go:393]     User-Agent: oc/v1.11.0+42ba6e91ef (linux/amd64) kubernetes/42ba6e9
I0201 16:07:35.636184   23657 round_trippers.go:408] Response Status: 200 OK in 1051 milliseconds
I0201 16:07:35.636303   23657 round_trippers.go:411] Response Headers:
I0201 16:07:35.636328   23657 round_trippers.go:414]     Date: Fri, 01 Feb 2019 08:07:35 GMT
I0201 16:07:35.636358   23657 round_trippers.go:414]     Audit-Id: 002b6a51-b395-4497-8fe7-bfc6a515302c
I0201 16:07:35.636377   23657 round_trippers.go:414]     Cache-Control: no-store
I0201 16:07:35.636395   23657 round_trippers.go:414]     Content-Type: application/json
I0201 16:07:36.401625   23657 request.go:897] Response Body: {"kind":"ClusterRoleBindingList","apiVersion":"rbac.authorization.k8s.io/v1","metadata":{"selfLink":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","resourceVersion":"1073035"},"items":[{"metadata":{"name":"alertmanager-main","selfLink":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/alertmanager-main","uid":"2d6a5919-2528-11e9-a627-061ed6739886","resourceVersion":"11614","creationTimestamp":"2019-01-31T07:16:50Z"},"subjects":[{"kind":"ServiceAccount","name":"alertmanager-main","namespace":"openshift-monitoring"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"alertmanager-main"}},{"metadata":{"name":"basic-users","selfLink":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/basic-users","uid":"68ad5525-2527-11e9-abad-061ed6739886","resourceVersion":"4944","creationTimestamp":"2019-01-31T07:11:20Z","annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"}},"subjects":[{"kind":"Group","apiGroup":"rbac.authorization.k8s.io","name":"system:authenti [truncated 89836 chars]
F0201 16:07:36.407348   23657 helpers.go:119] error: unable to locate RoleBinding  for ClusterRole "self-provisioners"

Comment 1 Standa Laznicka 2019-03-08 13:47:46 UTC
It is the clusterrolebinding which is called self-provisioners, not the clusterrole. The clusterrole is just "self-provisioner".

However, the message is wrong; it should say:
'error: unable to locate ClusterRoleBinding  for ClusterRole "self-provisioners"' instead of just 'error: unable to locate RoleBinding  for ClusterRole "self-provisioners"'

Moving priority to low.
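
The distinction drawn in comment 1, as an added Go example that is not code from oc or from the linked pull request: the lookup matches on each binding's roleRef name rather than on the binding's own name, and the not-found error names the binding kind that was actually searched. The types, function names and the sample binding are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Minimal stand-ins for the rbac.authorization.k8s.io/v1 fields in the logged response.
type Subject struct{ Kind, Name string }
type RoleRef struct{ Kind, Name string }
type Binding struct {
	Name     string // metadata.name of the binding object
	RoleRef  RoleRef
	Subjects []Subject
}

// RemoveGroupFromRole drops group from every binding whose roleRef is the ClusterRole role.
func RemoveGroupFromRole(bindings []Binding, role, group string, namespaced bool) ([]string, error) {
	kind := "ClusterRoleBinding" // kind reported when nothing matches
	if namespaced {
		kind = "RoleBinding"
	}
	var changed []string
	for i := range bindings {
		b := &bindings[i]
		if b.RoleRef.Kind != "ClusterRole" || b.RoleRef.Name != role {
			continue // match on roleRef.name, not on the binding's own name
		}
		kept := make([]Subject, 0, len(b.Subjects))
		for _, s := range b.Subjects {
			if s.Kind != "Group" || s.Name != group {
				kept = append(kept, s)
			}
		}
		if len(kept) != len(b.Subjects) {
			b.Subjects, changed = kept, append(changed, b.Name)
		}
	}
	if len(changed) == 0 {
		return nil, fmt.Errorf("unable to locate %s for ClusterRole %q", kind, role)
	}
	return changed, nil
}

// SampleBindings is constructed data using the names given in comment 1.
func SampleBindings() []Binding {
	return []Binding{{"self-provisioners", RoleRef{"ClusterRole", "self-provisioner"}, []Subject{{"Group", "system:authenticated:oauth"}}}}
}

func main() {
	_, err := RemoveGroupFromRole(SampleBindings(), "self-provisioners", "system:authenticated:oauth", false)
	fmt.Println("error:", err)
}
```

Passing the role name "self-provisioner" instead matches the binding named "self-provisioners" and removes the group from it.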
