Bug 1510076 - Unable to allow a service-account permissions to delete ANY project
Summary: Unable to allow a service-account permissions to delete ANY project
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-06 16:31 UTC by Will Gordon
Modified: 2019-03-29 15:48 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-06 18:51:56 UTC



Description Will Gordon 2017-11-06 16:31:18 UTC
Description of problem:
Running `oc cluster up`, I have defined a ClusterRole [1] to allow `delete` of `projects` without any other restrictions.
Logged in as system:admin, I have performed:
- oc create -f delete-projects.json [1]
- oc create sa delete-admin
- oc adm add-cluster-role-to-user system:service:accounts:default:delete-admin
- oc adm policy who-can delete projects --all-namespaces  -> lists system:service:accounts:default:delete-admin
- oc login -u delete-admin -p $(oc sa get-token delete-admin)
- oc delete project myproject  -> F1106 11:23:27.217087    6342 helpers.go:119] Error from server (Forbidden): User "other-admin" cannot delete projects in project "myproject"

Version-Release number of selected component (if applicable):
Server https://127.0.0.1:8443
openshift v3.6.173.0.5
kubernetes v1.6.1+5115d708d7

How reproducible:
always

Steps to Reproduce:
see above

Actual results:
Failure to delete project

Expected results:
Successfully delete project

Additional info:

[1] http://pastebin.test.redhat.com/529688

Comment 1 Simo Sorce 2017-11-06 16:43:43 UTC
please provide the output of
oc get serviceaccounts -o json

Comment 2 Will Gordon 2017-11-06 17:26:53 UTC
{
    "apiVersion": "v1",
    "imagePullSecrets": [
        {
            "name": "delete-admin-dockercfg-553lq"
        }
    ],
    "kind": "ServiceAccount",
    "metadata": {
        "creationTimestamp": "2017-11-06T16:05:33Z",
        "name": "delete-admin",
        "namespace": "default",
        "resourceVersion": "1512",
        "selfLink": "/api/v1/namespaces/default/serviceaccounts/delete-admin",
        "uid": "516d04f9-c30c-11e7-a08a-6abe92e081f3"
    },
    "secrets": [
        {
            "name": "delete-admin-dockercfg-553lq"
        },
        {
            "name": "delete-admin-token-l1b05"
        }
    ]
}

Comment 3 Simo Sorce 2017-11-06 17:28:52 UTC
also note that the proper command to add delete-admin to the cluster role is not:
oc adm add-cluster-role-to-user system:service:accounts:default:delete-admin

but it is:
oc adm policy add-cluster-role-to-user delete-projects -z delete-admin


This does not allow me to delete a project either though.

Comment 4 Will Gordon 2017-11-06 17:48:30 UTC
WOW, when was -z added?! That's awesome! The docs still recommend system:serviceaccount:<project>:<sa-name>. [1]

https://docs.openshift.com/container-platform/3.6/dev_guide/service_accounts.html#dev-sa-user-names-and-groups

Comment 5 Mo 2017-11-06 18:46:09 UTC
You are logging in as the SA incorrectly.  The correct way is:

> oc login --token=$(oc sa get-token SA_NAME -n SA_NAMESPACE)

This is clear from the error message:

> Error from server (Forbidden): User "other-admin" cannot ...

If you were logged in as the SA it would say:

> Error from server (Forbidden): User "system:serviceaccount:SA_NAMESPACE:SA_NAME" cannot ...

You can use `oc whoami` to tell what user you are logged in as.

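The two points made in Comment 3 (the `-z` flag expands to the `system:serviceaccount:<ns>:<name>` subject, not the mistyped `system:service:accounts:...`) and Comment 5 (the `User "..."` in the Forbidden error tells you who you are really logged in as) can be turned into a small triage helper. This is an added example, not code from the bug thread or from OpenShift; the error strings below are constructed to mirror the ones in the report.

```python
import re

# Constructed sample messages (not captured from a live cluster). The first
# mirrors the reporter's error; the second is what a real SA session would see.
FORBIDDEN_OTHER = ('Error from server (Forbidden): User "other-admin" '
                   'cannot delete projects in project "myproject"')
FORBIDDEN_SA = ('Error from server (Forbidden): User '
                '"system:serviceaccount:default:delete-admin" '
                'cannot delete projects in project "myproject"')

# Service-account subject names: system:serviceaccount:<namespace>:<name>,
# where both parts are DNS-1123 labels.
SA_USER_RE = re.compile(r"^system:serviceaccount:([a-z0-9-]+):([a-z0-9-]+)$")


def sa_username(namespace, name):
    """Subject name OpenShift assigns to a service account (what -z expands to)."""
    return f"system:serviceaccount:{namespace}:{name}"


def parse_sa_username(user):
    """Return (namespace, name) if `user` is a well-formed SA subject, else None.

    Rejects typos such as 'system:service:accounts:default:delete-admin', which
    would silently bind a role to a subject that can never authenticate.
    """
    m = SA_USER_RE.match(user)
    return (m.group(1), m.group(2)) if m else None


def authenticated_user(forbidden_msg):
    """Pull the authenticated identity out of an `oc` Forbidden error."""
    m = re.search(r'User "([^"]+)"', forbidden_msg)
    return m.group(1) if m else None


def diagnose(forbidden_msg, namespace, name):
    """Decide whether a Forbidden error is a login problem or an RBAC problem."""
    expected = sa_username(namespace, name)
    actual = authenticated_user(forbidden_msg)
    if actual is None:
        return "unparsed"
    if actual != expected:
        # The session is not the SA at all; fix the login (--token=...), not the role.
        return f"not-logged-in-as-sa (got {actual!r}, expected {expected!r})"
    return "logged-in-as-sa: check the ClusterRole and its binding"
```

Run `diagnose(...)` on the message `oc` printed together with the SA's namespace and name; it mirrors the `oc whoami` check Mo suggests without needing cluster access.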
Comment 6 Simo Sorce 2017-11-06 18:51:56 UTC
Ok I have also reproduced and using:
> oc login --token=$(oc sa get-token delete-admin -n default)
> oc delete project myproject 
worked.
Closing NOTABUG

Comment 7 Will Gordon 2017-11-06 18:59:48 UTC
Thanks! That did the trick!

