
Bug 1510076

Summary: Unable to allow a service-account permissions to delete ANY project
Product: OpenShift Container Platform
Reporter: Will Gordon <wgordon>
Component: Auth
Assignee: Simo Sorce <ssorce>
Status: CLOSED NOTABUG
QA Contact: Chuan Yu <chuyu>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: aos-bugs, mkhan
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-06 18:51:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Will Gordon 2017-11-06 16:31:18 UTC
Description of problem:
Running `oc cluster up`, I have defined a ClusterRole [1] to allow `delete` of `projects` without any other restrictions.
Logged in as system:admin, I have performed:
- oc create -f delete-projects.json [1]
- oc create sa delete-admin
- oc adm add-cluster-role-to-user system:service:accounts:default:delete-admin
- oc adm policy who-can delete projects --all-namespaces  -> lists system:service:accounts:default:delete-admin
- oc login -u delete-admin -p $(oc sa get-token delete-admin)
- oc delete project myproject  -> F1106 11:23:27.217087    6342 helpers.go:119] Error from server (Forbidden): User "other-admin" cannot delete projects in project "myproject"

Version-Release number of selected component (if applicable):
openshift v3.
kubernetes v1.6.1+5115d708d7

How reproducible:

Steps to Reproduce:
see above

Actual results:
Failure to delete project

Expected results:
Successfully delete project

Additional info:


Comment 1 Simo Sorce 2017-11-06 16:43:43 UTC
please provide the output of
oc get serviceaccounts -o json

Comment 2 Will Gordon 2017-11-06 17:26:53 UTC
{
    "apiVersion": "v1",
    "imagePullSecrets": [
        {
            "name": "delete-admin-dockercfg-553lq"
        }
    ],
    "kind": "ServiceAccount",
    "metadata": {
        "creationTimestamp": "2017-11-06T16:05:33Z",
        "name": "delete-admin",
        "namespace": "default",
        "resourceVersion": "1512",
        "selfLink": "/api/v1/namespaces/default/serviceaccounts/delete-admin",
        "uid": "516d04f9-c30c-11e7-a08a-6abe92e081f3"
    },
    "secrets": [
        {
            "name": "delete-admin-dockercfg-553lq"
        },
        {
            "name": "delete-admin-token-l1b05"
        }
    ]
}

Comment 3 Simo Sorce 2017-11-06 17:28:52 UTC
also note that the proper command to add delete-admin to the cluster role is not:
oc adm add-cluster-role-to-user system:service:accounts:default:delete-admin

but it is:
oc adm policy add-cluster-role-to-user delete-projects -z delete-admin

This does not allow me to delete a project either though.

Comment 4 Will Gordon 2017-11-06 17:48:30 UTC
WOW, when was -z added?! That's awesome! The docs still recommend system:serviceaccount:<project>:<sa-name>. [1]

Comment 5 Mo 2017-11-06 18:46:09 UTC
You are logging in as the SA incorrectly.  The correct way is:

> oc login --token=$(oc sa get-token SA_NAME -n SA_NAMESPACE)

This is clear from the error message:

> Error from server (Forbidden): User "other-admin" cannot ...

If you were logged in as the SA it would say:

> Error from server (Forbidden): User "system:serviceaccount:SA_NAMESPACE:SA_NAME" cannot ...

You can use `oc whoami` to tell what user you are logged in as.

Comment 6 Simo Sorce 2017-11-06 18:51:56 UTC
Ok I have also reproduced and using:
> oc login --token=$(oc sa get-token delete-admin -n default)
> oc delete project myproject 
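
The identity check Mo describes in comment 5, as an added shell example that is not part of this bug report: it builds the `system:serviceaccount:<namespace>:<name>` username a service account logs in as, pulls the user out of a Forbidden error like the one in the description, and refuses a project deletion unless `oc whoami` reports the expected service account. The `delete_project_as_sa` wrapper is a hypothetical helper that assumes `oc` is installed and already logged in.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenShift itself.

# Canonical username OpenShift assigns to a service account.
sa_identity() {
    printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Extract the quoted user from a "Forbidden" error, e.g.
#   Error from server (Forbidden): User "other-admin" cannot delete projects in project "myproject"
# The user named here is who the API server thinks you are, which is the
# fastest way to notice that `oc login -u NAME -p TOKEN` logged you in as a
# regular user rather than as the service account.
forbidden_user() {
    printf '%s\n' "$1" | sed -n 's/.*User "\([^"]*\)" cannot.*/\1/p'
}

# Succeed only when the actual identity is the expected service account.
is_expected_sa() {
    [ "$1" = "$(sa_identity "$2" "$3")" ]
}

# Hypothetical guarded deletion: checks `oc whoami` before the destructive call,
# so a binding granted with `-z` is exercised by the right principal.
delete_project_as_sa() {
    ns=$1 sa=$2 project=$3
    actual=$(oc whoami) || return 1
    if ! is_expected_sa "$actual" "$ns" "$sa"; then
        echo "refusing: logged in as '$actual', expected '$(sa_identity "$ns" "$sa")'" >&2
        return 1
    fi
    oc delete project "$project"
}

# Constructed sample input: the error line quoted in the description.
SAMPLE_ERR='F1106 11:23:27.217087    6342 helpers.go:119] Error from server (Forbidden): User "other-admin" cannot delete projects in project "myproject"'
```

Run `delete_project_as_sa default delete-admin myproject` after `oc login --token=$(oc sa get-token delete-admin -n default)`; with the `-u/-p` login from the description it refuses and prints the mismatch instead.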

Comment 7 Will Gordon 2017-11-06 18:59:48 UTC
Thanks! That did the trick!