Bug 2037903 - Alibaba Cloud: delete-ram-user requires the credentials-requests
Summary: Alibaba Cloud: delete-ram-user requires the credentials-requests
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.10.0
Assignee: Nobody
QA Contact: Jianping SHu
Depends On:
Reported: 2022-01-06 19:35 UTC by Joel Diaz
Modified: 2022-03-10 16:37 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-03-10 16:37:33 UTC
Target Upstream Version:


| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift cloud-credential-operator pull 439 | 0 | None | open | Bug 2037903: Alibaba Cloud not required credReqDir in command delete-ram-users | 2022-01-06 19:45:19 UTC |
| Red Hat Product Errata | RHSA-2022:0056 | 0 | None | None | None | 2022-03-10 16:37:45 UTC |

Description Joel Diaz 2022-01-06 19:35:56 UTC
Description of problem:
Copying from https://github.com/openshift/cloud-credential-operator/issues/437

When running the removal of RAM users, the ccoctl command requires the original --credentials-requests directory. This might be an issue when customers remove them after a cluster install. Having to preserve the original release payload or preserving the credentials requests becomes cumbersome.

~/go/src/github.com/openshift/cloud-credential-operator/ccoctl alibabacloud  delete-ram-users --region us-east-1 --name test-nsrlt   --credentials-requests-dir ~/tmp/alibaba/crs

Update the delete-ram-users command to use only the --name <cluster_id> parameter data to remove credentials.

Version-Release number of selected component (if applicable): master

How reproducible: 100%

Steps to Reproduce:
1. Create AliCloud resources with ccoctl
2. Try to remove the previously created AliCloud resources with the 'ccoctl delete-ram-users' command

Actual results:
Need to provide the --credentials-requests-dir parameter with a list of CredentialsRequest files that will be scanned to figure out what needs deleting.

Expected results:
Just tag/annotate the created RAM users during creation so that they can be found without needing to provide the --credentials-requests-dir parameter.

Additional info:

Comment 2 Jianping SHu 2022-01-07 06:17:42 UTC
Reproduced the issue with build https://amd64.ocp.releases.ci.openshift.org/releasestream/4.10.0-0.ci/release/4.10.0-0.ci-2022-01-06-002121

1. Executed steps 1-9 in case https://polarion.engineering.redhat.com/polarion/redirect/project/OSE/workitem?id=OCP-46768

At step 8, the delete-ram-users command w/o "credentials-requests-dir" failed and the one w/ "credentials-requests-dir" succeeded.

[cloud-user@preserve-for-hive-test reproduce]$ ./ccoctl alibabacloud delete-ram-users --name jshu-alicloud --region=ap-northeast-1
Error: required flag(s) "credentials-requests-dir" not set
  ccoctl alibabacloud delete-ram-users [flags]

      --credentials-requests-dir string   Directory containing files of CredentialsRequests to create RAM AK for (can be created by running 'oc adm release extract --credentials-requests --cloud=alibabacloud' against an OpenShift release image)
  -h, --help                              help for delete-ram-users
      --name string                       User-defined name for all created Alibaba Cloud resources (can be separate from the cluster's infra-id)
      --region string                     Alibaba Cloud region endpoint only required for GovCloud

2022/01/06 23:58:04 required flag(s) "credentials-requests-dir" not set

[cloud-user@preserve-for-hive-test reproduce]$ ./ccoctl alibabacloud delete-ram-users --name jshu-alicloud --region=ap-northeast-1 --credentials-requests-dir=./credrequests
2022/01/06 23:58:35 Ready to delete user jshu-alicloud-openshift-machine-api-alibabacloud-credentials accesskey LTAI5tPddbgQqjwqK9979Ys1
2022/01/06 23:58:38 Ready to delete user jshu-alicloud-openshift-image-registry-installer-cloud-credentia accesskey LTAI5t9F63dcW1s3UmKnTxEm
2022/01/06 23:58:41 Ready to delete user jshu-alicloud-openshift-ingress-operator-cloud-credentials accesskey LTAI5tDMjfStnwv9fBcczxX4
2022/01/06 23:58:44 Ready to delete user jshu-alicloud-openshift-cluster-csi-drivers-alibaba-disk-credent accesskey LTAI5t8HKhby95u4CoyBdi6z

Verified with build https://amd64.ocp.releases.ci.openshift.org/releasestream/4.10.0-0.ci/release/4.10.0-0.ci-2022-01-06-222134 (which contains CCO PR 439)
1. Executed the case https://polarion.engineering.redhat.com/polarion/redirect/project/OSE/workitem?id=OCP-46768
and updated the case according to the result.

The following delete-ram-users w/o "credentials-requests-dir" succeeded:
ccoctl alibabacloud delete-ram-users --name jshu-alicloud --region=ap-northeast-1

2. delete-ram-users command format has no "credentials-requests-dir"
[cloud-user@preserve-for-hive-test verify]$ ./ccoctl alibabacloud delete-ram-users --help
Detach RAM Policy from existing user

  ccoctl alibabacloud delete-ram-users [flags]

  -h, --help            help for delete-ram-users
      --name string     User-defined name for all created Alibaba Cloud resources (can be separate from the cluster's infra-id)
      --region string   Alibaba Cloud region endpoint only required for GovCloud

Comment 7 errata-xmlrpc 2022-03-10 16:37:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
