Bug 1802580 - project.spec.projectRequestMessage not displayed
Summary: project.spec.projectRequestMessage not displayed
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.6.0
Assignee: Sally
QA Contact: zhou ying
Depends On:
TreeView+ depends on / blocked
Reported: 2020-02-13 12:56 UTC by Olimp Bockowski
Modified: 2020-09-25 06:30 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2020-08-20 20:20:53 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift oc pull 406 0 None closed Bug 1802580: return ProjectRequestMessage if it is set with login,project cmds 2020-09-25 06:29:51 UTC

Description Olimp Bockowski 2020-02-13 12:56:37 UTC
Description of problem:

According to doc: "When a developer or a service account that is unable to self-provision projects makes a project creation request using the web console or CLI, the following error message is returned by default: "You may not request a new project via this API."


Using project.spec.projectRequestMessage we can set some message

But it is not applied properly to all components and this is inconsistent with web console (the behavior is quite the opposite)

1.  for "oc" command you login and no message -> I would expect we have info, but nothing. However, when you create new-project you get a message defined in projectRequestMessage.

[ admin@obockows.brq.csb  /home/obockows/WORK/02578143-project ] $ oc login https://api:6443
You don't have any projects. Contact your system administrator to request a project.
^^ here it should be message who one has to contact

[ admin@obockows.brq.csb  /home/obockows/WORK/02578143-project ] $ /tmp/oc new-project something
Error from server (Forbidden): ask astutus@redhat.com for a new project

^^ here is everything ok

the result: we have message defined in projectRequestMessage only when we fail to create a project. That's not 100% helpful.

2. console:

when we are logged and we are in Home/Projects for Admin or Advanced/Projects for Developer view, we have:

Welcome to OpenShift
ask astutus@redhat.com for a new project
^^ quite the opposite to the behavior of "oc login"

however, when we make an attempt to create a new project we have what you've seen, e.g.
"An error occurred projectrequests.project.openshift.io is forbidden: User "olimpb.bockowski" cannot create resource "projectrequests" in API group "project.openshift.io" at the cluster scope"

^^ here should be the message as well
Moreover, the web console shows the defined message only if you don't have a project yet. If you already have one, you don't get the message at all. 

The odd is an inconsistency between console and CLI, if it behaves in sone way, it should be the same. I am quite convinced it should be unified and both for console and oc the same. 

Moreover in both cases it should be displayed everytime (after login and when not allowed is trying to create project)

Version-Release number of selected component (if applicable):

Additional info:
I was thinking should it be RE/RFE or bug, however, it looks like a bug because project.spec.projectRequestMessage wasn't put in two important places.
Additionally that's inconsistent with web console

For web console there is a different BZ #1802577

Comment 1 Maciej Szulik 2020-02-20 17:50:57 UTC
This is not going to be addressed in 4.4, moving to 4.5.

Comment 2 Sally 2020-05-05 02:21:37 UTC
I see in the console, a user without the self-provisioner clusterrole no longer has the option/button to create projects, this part of this bz is verified/fixed.

I've opened a PR to return the ProjectRequestMessage if it exists when
user w/ no self-provisioner clusterrole runs:
$ oc login 
$ oc project
$ oc new-project

Comment 3 Sally 2020-05-20 15:46:47 UTC
This bug is actively being worked on.

Comment 7 zhou ying 2020-05-25 08:28:55 UTC
Confirmed with oc version : [root@dhcp-140-138 roottest]# oc version 
Client Version: 4.5.0-202005231517-44354e2
Kubernetes Version: v1.18.2

`oc edit project.config.openshift.io/cluster` specify the spec. projectRequestMessage
 oc get project.config.openshift.io/cluster -oyaml
apiVersion: config.openshift.io/v1
kind: Project
  projectRequestMessage: To request a project, contact your system administrator at projectname@example.com.

[root@dhcp-140-138 roottest]# oc login --token=`oc sa get-token default -n default` https://api.yinzhou25.qe.gcp.devcluster.openshift.com:6443
Logged into "https://api.yinzhou25.qe.gcp.devcluster.openshift.com:6443" as "system:serviceaccount:default:default" using the token provided.

To request a project, contact your system administrator at projectname@example.com.
[root@dhcp-140-138 roottest]# oc new-project ptest
Error from server (Forbidden): To request a project, contact your system administrator at projectname@example.com.

Comment 8 Standa Laznicka 2020-06-24 08:20:49 UTC
The fix caused a regression tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1849983, moving back to assigned

Comment 9 Maciej Szulik 2020-06-24 08:23:14 UTC
Sally make sure to verify https://docs.openshift.com/container-platform/4.4/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation is working correctly. I'd suggest adding test first and only then fixing this.

Comment 11 Sally 2020-07-30 21:54:34 UTC
Since the fix for this bug was reverted, I will be revisiting this bug this sprint.

Comment 12 Sally 2020-08-20 20:20:53 UTC
Revisiting this bug, 
The documentation on how to remove permission for project-requests is clear:  https://docs.openshift.com/container-platform/4.4/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation 

I'm closing this as there was not a regression and the current messages are sufficient:

$ oc login -u newton -p password  (does not have permission to create projects)
Login successful.

You don't have any projects. Contact your system administrator to request a project.
$ oc project
No project has been set. Pass a project name to make that the default.

// projectRequestMessage set
$ oc new-project test
Error from server (Forbidden): You do not have permission to create projects. Contact your system administrator

// No projectRequestMessage set:
$ oc new-project test
Error from server (Forbidden): You may not request a new project via this API.

Note You need to log in before you can comment on or make changes to this bug.