Bug 1917280 - "oc annotate" fails to parse group names with LDAP name
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.6.z
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Robin Cernin
QA Contact: zhou ying
URL:
Whiteboard:
Duplicates: 1917277
Depends On:
Blocks:
Reported: 2021-01-18 09:02 UTC by Sergio G.
Modified: 2024-03-25 17:52 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-08 15:19:16 UTC
Target Upstream Version:
Embargoed:


Links
System: Github
ID: kubernetes kubernetes pull 98745
Private: 0
Priority: None
Status: open
Summary: Annotate objects with '=' in the name
Last Updated: 2021-02-15 20:27:22 UTC

Description Sergio G. 2021-01-18 09:02:53 UTC
Description of problem:
Can't change the annotations of a group if the name is an LDAP name. Only "oc annotate" fails while other commands work. See the steps to reproduce.


Version-Release number of selected component (if applicable):
4.6.9


How reproducible:
Always


Steps to Reproduce:
$ oc get group.user.openshift.io
NAME                                                                          USERS
CN=Group1,OU=Groups,OU=People,DC=example,DC=local   

$ oc get group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -o yaml
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  creationTimestamp: "2021-01-18T08:43:02Z"
  name: CN=Group1,OU=Groups,OU=People,DC=example,DC=local
  resourceVersion: "86058"
  selfLink: /apis/user.openshift.io/v1/groups/CN%3DGroup1%2COU%3DGroups%2COU%3DPeople%2CDC%3Dexample%2CDC%3Dlocal
  uid: c4671196-9832-4215-933d-aae8ea63ff8a
users: null

$ oc annotate group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local openshift.io/ldap.url=ldap.example.local:389 
error: one or more resources must be specified as <resource> <name> or <resource>/<name>

$ oc patch group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -p '{"metadata":{"annotations":{"openshift.io/ldap.url": "ldap.example.local:389"}}}'
group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local patched

$ oc get group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -o yaml
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  annotations:
    openshift.io/ldap.url: ldap.example.local:389
  creationTimestamp: "2021-01-18T08:43:02Z"
  name: CN=Group1,OU=Groups,OU=People,DC=example,DC=local
  resourceVersion: "86058"
  selfLink: /apis/user.openshift.io/v1/groups/CN%3DGroup1%2COU%3DGroups%2COU%3DPeople%2CDC%3Dexample%2CDC%3Dlocal
  uid: c4671196-9832-4215-933d-aae8ea63ff8a
users: null

$ oc adm groups new group1
group.user.openshift.io/group1 created

$ oc annotate group.user.openshift.io/group1 openshift.io/ldap.url=ldap.example.local:389 
group.user.openshift.io/group1 annotated


Actual results:
"oc patch" is unable to parse the command line properly to detect the annotation and group name.


Expected results:
"oc patch" should be able to parse the command line properly no matter the group name.

Comment 1 Sergio G. 2021-01-18 09:05:24 UTC
Correction to Actual results:
"oc annotate" is unable to parse the command line properly to detect the annotation and group name.


Correction to Expected results:
"oc annotate" should be able to parse the command line properly no matter the group name.

Comment 2 Maciej Szulik 2021-01-18 11:05:37 UTC
*** Bug 1917277 has been marked as a duplicate of this bug. ***

Comment 3 Maciej Szulik 2021-01-18 11:28:27 UTC
There's a temporary workaround to save the group in a file and then invoke:

oc get group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local -o yaml>group.yaml
oc annotate -f group.yaml openshift.io/ldap.url=ldap.example.local:389

This will allow annotation to work right away. The problem at hand is that the LDAP group
contains characters such as '=' (equal sign) and ',' (comma), which are used for
passing multiple resources (comma) or to pass key=value pairs for annotation (equal sign).
I'm not sure how far we can go with fixing this issue, but I hope this workaround is
a reasonable middle ground for now, at least.
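
Added example, not part of the comment above and not the oc/kubectl source: a simplified Go model of the ambiguity it describes, in which any positional argument containing '=' is taken as a key=value annotation, so the LDAP-named group is never seen as a resource. The names splitArgs and ambiguousName are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// splitArgs models (as an assumption) a CLI that takes
// "<resource>/<name>... KEY=VAL..." in one positional list and
// treats every argument containing '=' as an annotation change.
func splitArgs(args []string) (resources, pairs []string) {
	for _, a := range args {
		if strings.Contains(a, "=") {
			pairs = append(pairs, a)
		} else {
			resources = append(resources, a)
		}
	}
	return resources, pairs
}

// ambiguousName is a pre-flight check for scripts: it reports whether the
// name part of <resource>/<name> contains '=' (looks like KEY=VAL) or ','
// (the multi-resource separator) and so cannot be passed positionally.
func ambiguousName(ref string) bool {
	name := ref[strings.Index(ref, "/")+1:] // whole string when there is no '/'
	return strings.ContainsAny(name, "=,")
}

func main() {
	annotation := "openshift.io/ldap.url=ldap.example.local:389"
	refs := []string{ // the two group references from the report
		"group.user.openshift.io/group1",
		"group.user.openshift.io/CN=Group1,OU=Groups,OU=People,DC=example,DC=local",
	}
	for _, ref := range refs {
		res, pairs := splitArgs([]string{ref, annotation})
		fmt.Printf("%s\n  resources=%d pairs=%d\n", ref, len(res), len(pairs))
		if len(res) == 0 {
			fmt.Println("  no resource recognized: matches the reported error")
		}
		if ambiguousName(ref) {
			fmt.Println("  name contains '=' or ',': use 'oc annotate -f <file>' or 'oc patch'")
		}
	}
}
```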

Comment 4 Sergio G. 2021-01-18 11:31:54 UTC
Thanks Maciej. I offered as a workaround the "oc patch" approach but yours can work also.

I wonder how "oc patch" does the parsing as it's also a command prone to have also , (comma) and = (equal) signs but it definitively works.

Comment 5 Maciej Szulik 2021-01-18 14:16:33 UTC
(In reply to Sergio G. from comment #4)
> Thanks Maciej. I offered as a workaround the "oc patch" approach but yours
> can work also.
> 
> I wonder how "oc patch" does the parsing as it's also a command prone to
> have also , (comma) and = (equal) signs but it definitively works.

oc patch has a different schematics, so it's not affected by the above problems.

Comment 25 Maciej Szulik 2021-04-29 12:24:14 UTC
Robert, given this limitation, I'd suggest opening a doc update and syncing with Andrea, who manages our docs effort.

Comment 26 Maciej Szulik 2021-06-08 15:19:16 UTC
This will be included in the docs, since this won't be solved due to how annotate works upstream and there exists a viable workaround, I'm going to close this as is.

