Bug 1740596 - Rolebinding patch is not working for "authorization.openshift.io/v1" apiservice
Summary: Rolebinding patch is not working for "authorization.openshift.io/v1" apiservice
Status: CLOSED NOTABUG
Product: OpenShift Container Platform
Classification: Red Hat
Component: openshift-apiserver
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 3.11.z
Assignee: Standa Laznicka
QA Contact: Xingxing Xia
Blocks: 1741169
Reported: 2019-08-13 10:35 UTC by Abhishek
Modified: 2020-06-08 12:38 UTC (History)

Clones: 1741169
Last Closed: 2020-06-08 12:38:34 UTC
Links:
GitHub openshift/oc pull 54 (closed): "Bug 1740596: Don't install CRD authorization types into global scheme", last updated 2020-07-22 11:46:03 UTC

Description Abhishek 2019-08-13 10:35:01 UTC
Description of problem: Rolebinding patch is not working for "authorization.openshift.io/v1" apiservice


# cat > rolebinding.yaml << EOL
apiVersion: authorization.openshift.io/v1
kind: RoleBinding
metadata:
  name: test-rolebinding
roleRef:
  kind: Role
  name: view
  apiGroup: rbac.authorization.openshift.io
subjects:
- kind: User
  name: user1@example.com
  apiGroup: rbac.authorization.openshift.io
EOL

# oc apply -f rolebinding.yaml
rolebinding.authorization.openshift.io/test-rolebinding created

# oc get rolebinding test-rolebinding
NAME               ROLE      USERS               GROUPS    SERVICE ACCOUNTS   SUBJECTS
test-rolebinding   /view     user1@example.com


Edited the yaml file and added the lines below:

- kind: User
  name: user2@example.com
  apiGroup: rbac.authorization.openshift.io


# oc apply -f rolebinding.yaml
rolebinding.authorization.openshift.io/test-rolebinding configured

# oc get rolebinding test-rolebinding
NAME               ROLE      USERS               GROUPS    SERVICE ACCOUNTS   SUBJECTS
test-rolebinding   /view     user1@example.com

But when I use the rbac.authorization.k8s.io/v1 apiVersion, it works as expected.

Comment 1 Mo 2019-08-14 20:10:48 UTC
The schemas for rbac.authorization.k8s.io/v1 and authorization.openshift.io/v1 are distinct. You cannot apply patches from one to the other.

The two commands below refer to the *same* resource:

$ oc get rolebinding.rbac admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2019-08-14T20:06:28Z"
  name: admin
  namespace: foobar
  resourceVersion: "96391"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/foobar/rolebindings/admin
  uid: 002390fd-becf-11e9-94ee-02b450c5a768
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:admin



$ oc get rolebinding.auth admin -o yaml
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: RoleBinding
metadata:
  creationTimestamp: "2019-08-14T20:06:28Z"
  name: admin
  namespace: foobar
  resourceVersion: "96391"
  selfLink: /apis/authorization.openshift.io/v1/namespaces/foobar/rolebindings/admin
  uid: 002390fd-becf-11e9-94ee-02b450c5a768
roleRef:
  name: admin
subjects:
- kind: SystemUser
  name: system:admin
userNames:
- system:admin

Comment 2 joerg.woehrle 2019-08-19 06:33:23 UTC
I think this shouldn't have been closed.

Note that in both of the above yaml files `authorization.openshift.io/v1` is used as the apiVersion.

It's only stated that the same `oc apply` command works as expected when you change it to `rbac.authorization.k8s.io/v1`.

Please verify and reopen

Comment 11 Standa Laznicka 2020-05-20 09:31:46 UTC
You should really use authorization.k8s.io/v1 instead of its openshift version.

I've worked on things with more priority, I may be able to look into this the next sprint.

Comment 12 Standa Laznicka 2020-06-08 12:38:34 UTC
I've looked into this. Since you're using the openshift (legacy) authorization group, you need to specify `userNames` instead of `subjects`; `subjects` will be ignored. This is stated in the `oc explain` of the API:

$ oc explain rolebinding --version=authorization.openshift.io
<snip>
   userNames	<[]string>
     UserNames holds all the usernames directly bound to the role. This field
     should only be specified when supporting legacy clients and servers. See
     Subjects for further details.

   subjects	<[]Object> -required-
     Subjects hold object references to authorize with this rule. This field is
     ignored if UserNames or GroupNames are specified to support legacy clients
     and servers. Thus newer clients that do not need to support backwards
     compatibility should send only fully qualified Subjects and should omit the
     UserNames and GroupNames fields. Clients that need to support backwards
     compatibility can use this field to build the UserNames and GroupNames.
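An added example (not part of this bug report or of OpenShift's code) that models the precedence rule quoted above from `oc explain` and replays the reporter's create-then-patch sequence, showing why the second `oc apply` left user1 as the only bound user and which subjects were silently ignored. It assumes, from the GET output in Comment 1, that the server stores `userNames` populated from `subjects` on create, and it assumes the kind-to-field mapping for User/SystemUser and Group/SystemGroup.

```python
"""Model the legacy authorization.openshift.io/v1 RoleBinding precedence that
`oc explain` documents: when userNames or groupNames is set, subjects is ignored.
Constructed example; not OpenShift or oc code."""
from typing import Dict, List, Tuple


def effective_subjects(rb: Dict) -> Tuple[List[str], List[str]]:
    """(users, groups) the legacy API server honours for this binding."""
    user_names = rb.get("userNames") or []
    group_names = rb.get("groupNames") or []
    if user_names or group_names:
        # Legacy fields present: subjects is ignored, per `oc explain`.
        return list(user_names), list(group_names)
    users, groups = [], []
    for s in rb.get("subjects") or []:
        # Kind-to-field mapping is an assumption; SystemUser appears in Comment 1.
        if s.get("kind") in ("User", "SystemUser"):
            users.append(s["name"])
        elif s.get("kind") in ("Group", "SystemGroup"):
            groups.append(s["name"])
    return users, groups


def ignored_subjects(rb: Dict) -> List[str]:
    """Names in subjects the server will not bind. Non-empty means the manifest
    you read is not the access actually granted (a removal expressed only in
    subjects is likewise not a revocation)."""
    users, groups = effective_subjects(rb)
    honoured = set(users) | set(groups)
    return [s["name"] for s in rb.get("subjects") or [] if s["name"] not in honoured]


def reporter_sequence() -> Dict[str, List[str]]:
    """Replay the description: create with user1, then patch in user2."""
    created = {"apiVersion": "authorization.openshift.io/v1", "kind": "RoleBinding",
               "subjects": [{"kind": "User", "name": "user1@example.com"}]}
    users, _ = effective_subjects(created)  # no userNames yet: subjects honoured
    # Assumption taken from Comment 1's GET output: the stored object carries
    # userNames filled from subjects, so later reads show both fields.
    stored = dict(created, userNames=users)
    # The second `oc apply` patches only subjects; userNames stays as stored.
    patched = dict(stored, subjects=stored["subjects"]
                   + [{"kind": "User", "name": "user2@example.com"}])
    # The fix from Comment 12: state userNames explicitly in the manifest.
    fixed = dict(patched, userNames=["user1@example.com", "user2@example.com"])
    return {"after_patch": effective_subjects(patched)[0],
            "ignored": ignored_subjects(patched),
            "after_fix": effective_subjects(fixed)[0]}
```

Running `ignored_subjects` over legacy RoleBindings pulled from a cluster is a cheap audit for bindings whose `subjects` list no longer matches what is enforced.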

