Origin: oc adm policy add-cluster-role-to-user cluster-admin is not working oc v3.9.0

Created on 14 May 2018 · 6 comments · Source: openshift/origin

Description

Executing oc adm policy add-cluster-role-to-user cluster-admin user is not adding cluster admin

Version

oc version

oc v3.9.0+191fece
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEG

Steps To Reproduce
  1. Install Openshift Client Tools 3.9
  2. Execute oc adm policy add-cluster-role-to-user cluster-admin gbaufake (my user)
  3. Execute oc get clusterrolebindings cluster-admin

Current Result

NAME            ROLE             USERS      GROUPS           SERVICE ACCOUNTS   SUBJECTS
cluster-admin   /cluster-admin              system:masters

Expected Result

NAME            ROLE             USERS      GROUPS           SERVICE ACCOUNTS   SUBJECTS
cluster-admin   /cluster-admin   gbaufake   system:master

Additional Information
  • Executing the same command with oc37 (oc v3.7.2+282e43f):
    1. oc37 adm policy add-cluster-role-to-user cluster-admin gbaufake
    2. cluster role "cluster-admin" added: "gbaufake"
    3. oc37 get clusterrolebindings cluster-admin
  • Result:
    NAME            ROLE             USERS      GROUPS           SERVICE ACCOUNTS   SUBJECTS
    cluster-admin   /cluster-admin   gbaufake   system:master

All 6 comments

I can confirm this bug.
It seems that "oc adm policy add-cluster-role-to-user cluster-admin [user]" creates a new ClusterRole Object for every added user.
My User is in the cluster-admin-0 ClusterRole. The user of my colleague is in cluster-admin-1.

@openshift/sig-security

If you want to add into a specific cluster-role binding then you need to specify it. eg:
oc adm policy add-cluster-role-to-user cluster-admin user --rolebinding-name=cluster-admin

Otherwise a new binding is created, having a different binding name has no functional difference, the user will be a cluster-admin it just uses a separate binding to give the user that role.
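The two comments above describe the same pitfall from both sides: `oc get clusterrolebindings cluster-admin` shows only the binding that happens to be named cluster-admin, while the 3.9 client grants the role through separately named bindings (cluster-admin-0, cluster-admin-1, ...). An audit of who actually holds cluster-admin therefore has to key on roleRef, not on the binding name. The script below is an added example and is not part of the openshift/origin issue or the oc tool; it assumes its input has the shape of `oc get clusterrolebindings -o json` (a Kubernetes ClusterRoleBindingList), and the embedded document is constructed to mirror the thread, with the user names, the colleague entry and the basic-users binding being illustrative.

```python
import json

# Constructed sample (not captured from a real cluster): the shape of
# `oc get clusterrolebindings -o json` after two users were granted cluster-admin
# with a client that creates one binding per user instead of appending to the
# binding named `cluster-admin`. Names other than the page's are illustrative.
SAMPLE_BINDINGS_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "cluster-admin"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "cluster-admin-0"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "gbaufake"}]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "cluster-admin-1"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "colleague"}]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "basic-users"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "basic-user"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"}]
    }
  ]
}
"""


def load_bindings(text):
    """Parse the JSON list and return only the ClusterRoleBinding items."""
    doc = json.loads(text)
    return [item for item in doc.get("items", []) if item.get("kind") == "ClusterRoleBinding"]


def subjects_in_binding(bindings, binding_name):
    """Subjects of the single binding called `binding_name`: the view that
    `oc get clusterrolebindings <name>` gives. Returns [] if no such binding exists."""
    for b in bindings:
        if b["metadata"]["name"] == binding_name:
            return [(s["kind"], s["name"]) for s in b.get("subjects") or []]
    return []


def subjects_with_role(bindings, role_name):
    """Every subject bound to ClusterRole `role_name` through any binding, as
    sorted (kind, name, binding_name) triples. This is the view an audit needs,
    because a binding's name says nothing reliable about the role it grants."""
    found = []
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == role_name:
            for s in b.get("subjects") or []:
                found.append((s["kind"], s["name"], b["metadata"]["name"]))
    return sorted(found)


def user_holds_role(bindings, user_name, role_name):
    """True if a User subject named `user_name` is bound to `role_name` anywhere."""
    return any(kind == "User" and name == user_name
               for kind, name, _ in subjects_with_role(bindings, role_name))


if __name__ == "__main__":
    bindings = load_bindings(SAMPLE_BINDINGS_JSON)
    print("Subjects of the binding named cluster-admin only:",
          subjects_in_binding(bindings, "cluster-admin"))
    print("Everyone holding the cluster-admin role, by binding:")
    for kind, name, binding in subjects_with_role(bindings, "cluster-admin"):
        print(f"  {kind:<6} {name:<14} via {binding}")
```

Run against real output with `oc get clusterrolebindings -o json > bindings.json` and feed the file's text to load_bindings; the contrast between subjects_in_binding and subjects_with_role is exactly the gap between the "Current Result" in the issue and who is actually cluster-admin.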

@simo5 Thank you for this clarification.

@simo5 thanks!

Change in behavior from 3.7 - and not documented anywhere in release notes
