Description of problem:

According to the doc: "When a developer or a service account that is unable to self-provision projects makes a project creation request using the web console or CLI, the following error message is returned by default: "You may not request a new project via this API.""
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.3/html/applications/projects#customizing-project-request-message_configuring-project-creation

Using project.spec.projectRequestMessage we can set some message. But it is not applied properly to all components, and this is inconsistent with the web console (the behavior is quite the opposite).

HOW IT WORKS:

1. For the "oc" command: you log in and there is no message -> I would expect we have info, but nothing. However, when you create new-project you get the message defined in projectRequestMessage.

examples:

    [ admin.csb /home/obockows/WORK/02578143-project ] $ oc login https://api:6443
    You don't have any projects. Contact your system administrator to request a project.

^^ here should be the message about who one has to contact

    [ admin.csb /home/obockows/WORK/02578143-project ] $ /tmp/oc new-project something
    Error from server (Forbidden): ask astutus for a new project

^^ here everything is ok

The result: we have the message defined in projectRequestMessage only when we fail to create a project. That's not 100% helpful.

2. Console: when we are logged in and we are in Home/Projects for the Admin view or Advanced/Projects for the Developer view, we have:

    Welcome to OpenShift
    ask astutus for a new project

^^ quite the opposite to the behavior of "oc login"

However, when we make an attempt to create a new project we have what you've seen, e.g.

    "An error occurred
    projectrequests.project.openshift.io is forbidden: User "olimpb.bockowski" cannot create resource "projectrequests" in API group "project.openshift.io" at the cluster scope"

^^ here should be the message as well

Moreover, the web console shows the defined message only if you don't have a project yet. If you already have one, you don't get the message at all.

The odd thing is the inconsistency between console and CLI; if it behaves in some way, it should be the same. I am quite convinced it should be unified, and the same for both console and oc. Moreover, in both cases it should be displayed every time (after login and when someone who is not allowed is trying to create a project).

Version-Release number of selected component (if applicable): 4.x

Additional info: I was thinking whether it should be an RE/RFE or a bug; however, it looks like a bug because project.spec.projectRequestMessage wasn't put in two important places. Additionally, that's inconsistent with the web console. For the web console there is a different BZ #1802577
This is not going to be addressed in 4.4, moving to 4.5.
I see in the console, a user without the self-provisioner clusterrole no longer has the option/button to create projects; this part of this bz is verified/fixed. I've opened a PR to return the ProjectRequestMessage if it exists when a user w/ no self-provisioner clusterrole runs:

    $ oc login
    $ oc project
    $ oc new-project
This bug is actively being worked on.
Confirmed with oc version:

    [root@dhcp-140-138 roottest]# oc version
    Client Version: 4.5.0-202005231517-44354e2
    Kubernetes Version: v1.18.2

`oc edit project.config.openshift.io/cluster` and specify the spec.projectRequestMessage:

    oc get project.config.openshift.io/cluster -oyaml
    apiVersion: config.openshift.io/v1
    kind: Project
    metadata:
      annotations:
    ....
    spec:
      projectRequestMessage: To request a project, contact your system administrator at projectname.

    [root@dhcp-140-138 roottest]# oc login --token=`oc sa get-token default -n default` https://api.yinzhou25.qe.gcp.devcluster.openshift.com:6443
    Logged into "https://api.yinzhou25.qe.gcp.devcluster.openshift.com:6443" as "system:serviceaccount:default:default" using the token provided.

    To request a project, contact your system administrator at projectname.

    [root@dhcp-140-138 roottest]# oc new-project ptest
    Error from server (Forbidden): To request a project, contact your system administrator at projectname.
The fix caused a regression tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1849983, moving back to assigned
Sally, make sure to verify that https://docs.openshift.com/container-platform/4.4/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation is working correctly. I'd suggest adding a test first and only then fixing this.
Since the fix for this bug was reverted, I will be revisiting this bug this sprint.
Revisiting this bug: the documentation on how to remove permission for project-requests is clear:
https://docs.openshift.com/container-platform/4.4/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation

I'm closing this as there was not a regression and the current messages are sufficient:

    $ oc login -u newton -p password    (does not have permission to create projects)
    Login successful.

    You don't have any projects. Contact your system administrator to request a project.

    $ oc project
    No project has been set. Pass a project name to make that the default.

    // projectRequestMessage set
    $ oc new-project test
    Error from server (Forbidden): You do not have permission to create projects. Contact your system administrator

    // No projectRequestMessage set:
    $ oc new-project test
    Error from server (Forbidden): You may not request a new project via this API.
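
Added example, not part of the bug thread or of oc itself: a small audit of the two objects this thread revolves around, the self-provisioners cluster role binding and the cluster Project config, reporting who can still create projects and whether denied users will see a custom projectRequestMessage. The JSON samples are constructed, and the function and constant names are hypothetical; the autoupdate check assumes the annotation behaviour described in the linked "disabling project self-provisioning" procedure.

```python
import json

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"

# Constructed samples, shaped like the output of
#   oc get clusterrolebinding self-provisioners -o json
#   oc get project.config.openshift.io/cluster -o json
DEFAULT_BINDING = json.loads("""
{"metadata": {"name": "self-provisioners",
              "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
 "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
 "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}]}
""")
HARDENED_BINDING = json.loads("""
{"metadata": {"name": "self-provisioners",
              "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "false"}},
 "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
 "subjects": null}
""")
PROJECT_CONFIG = json.loads(
    '{"kind": "Project", "spec": {"projectRequestMessage": "ask astutus for a new project"}}'
)


def audit(binding, project_config):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    binding = binding or {}  # a deleted binding grants nothing
    subjects = binding.get("subjects") or []
    for subject in subjects:
        findings.append(f"{subject.get('kind')} {subject.get('name')} can create projects")
    annotations = (binding.get("metadata") or {}).get("annotations") or {}
    # Assumption: unless autoupdate is "false", the default subjects may be restored.
    if binding and annotations.get(AUTOUPDATE) != "false":
        findings.append("autoupdate is not 'false': default subjects may be restored")
    message = ((project_config or {}).get("spec") or {}).get("projectRequestMessage")
    if not message:
        findings.append("projectRequestMessage unset: denied users get "
                        "'You may not request a new project via this API.'")
    return findings


if __name__ == "__main__":
    for name, binding, config in [("default", DEFAULT_BINDING, {"spec": {}}),
                                  ("hardened", HARDENED_BINDING, PROJECT_CONFIG)]:
        print(name, audit(binding, config) or "OK")
```
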