Bug 1519314 - User XXX cannot list authorization.openshift.io.rolebindings in project "XXX"
Status: CLOSED DUPLICATE of bug 1500692
Product: OpenShift Container Platform
Classification: Red Hat
Component: Command Line Interface
Version: 3.7.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Assignee: Mo
QA Contact: Xingxing Xia
Reported: 2017-11-30 15:19 UTC by Luiz Carvalho
Modified: 2017-12-01 00:40 UTC (History)
Last Closed: 2017-12-01 00:35:53 UTC

Description Luiz Carvalho 2017-11-30 15:19:58 UTC
Description of problem:
Cannot add role to service account with oc v3.7.9

$ oc policy add-role-to-user registry-admin -z jian
Error from server (Forbidden): User "jiazha" cannot list authorization.openshift.io.rolebindings in project "asb-apb"

$ oc version
oc v3.7.9
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO
Server https://registry-console.engineering.redhat.com:8443
openshift v3.4.1.7
kubernetes v1.4.0+776c994

Version-Release number of selected component (if applicable):
v3.7.9


How reproducible:
Always


Steps to Reproduce:
1. Create service account
2. Add "registry-admin" role to service account

Actual results:
Error from server (Forbidden): User "jiazha" cannot list authorization.openshift.io.rolebindings in project "asb-apb"

Expected results:
Expected role to be added to service account.

Additional info:
This was seen when using oc 3.7 on a 3.4 cluster.

The command with oc v3.4 and oc v3.6 against the same 3.4 cluster
works just fine.

Full Output:
[jzhang@dhcp-141-95 Downloads]$ oc project asb-apb
Now using project "asb-apb" on server "https://registry-console.engineering.redhat.com:8443".

[jzhang@dhcp-141-95 Downloads]$ oc get rolebinding
NAME                    ROLE                    USERS     GROUPS                          SERVICE ACCOUNTS   SUBJECTS
registry-viewer         /registry-viewer                  system:unauthenticated
system:deployers        /system:deployer                                                  deployer
system:image-builders   /system:image-builder                                             builder
system:image-pullers    /system:image-puller              system:serviceaccounts:asb-apb
admin                   /admin                  jiazha
registry-admin          /registry-admin         jiazha

[jzhang@dhcp-141-95 Downloads]$ oc create sa jian
serviceaccount "jian" created

[jzhang@dhcp-141-95 Downloads]$ oc get sa
NAME       SECRETS   AGE
builder    2         2m
default    2         2m
deployer   2         2m
jian       2         7s

[jzhang@dhcp-141-95 Downloads]$ oc policy add-role-to-user registry-admin -z jian
Error from server (Forbidden): User "jiazha" cannot list authorization.openshift.io.rolebindings in project "asb-apb"

[jzhang@dhcp-141-95 Downloads]$ oc get rolebinding
NAME                    ROLE                    USERS     GROUPS                          SERVICE ACCOUNTS   SUBJECTS
system:image-builders   /system:image-builder                                             builder
system:image-pullers    /system:image-puller              system:serviceaccounts:asb-apb
admin                   /admin                  jiazha
registry-admin          /registry-admin         jiazha
registry-viewer         /registry-viewer                  system:unauthenticated
system:deployers        /system:deployer                                                  deployer

Comment 2 Mo 2017-12-01 00:35:53 UTC

*** This bug has been marked as a duplicate of bug 1500692 ***

