osadm policy remove-user doesn't have any effect #2785

Closed
thoraxe opened this issue Jun 4, 2015 · 18 comments

thoraxe (Contributor) commented Jun 4, 2015

Steps to recreate:

  1. create a project with joe as admin
  2. add stuff to project
  3. add alice as admin
  4. osadm policy remove-user joe

joe can still view and edit

I would expect that after joe is removed he should have no permissions on the project.

[joe@ose3-master beta4]$ osc version
osc v0.5.2.2-22-g84b1674-dirty
kubernetes v0.17.1-804-g496be63
deads2k (Contributor) commented Jun 4, 2015

Please include the output from

  1. osc describe clusterpolicy/default osc
  2. osc describe clusterpolicybindings/:default
  3. osc describe policybindings/:default -n my-project

liggitt (Contributor) commented Jun 4, 2015

wondering if step 4 didn't specify the correct project to remove joe from

thoraxe (Contributor, Author) commented Jun 4, 2015

At what point in the process?

Here is the output after removing joe:

osc describe clusterpolicy/default osc 
when passing arguments in resource/name form, all arguments must include the resource

osc describe clusterpolicybindings/:default 
Name:                       :default
Created:                    42 minutes ago
Labels:                     <none>
Last Modified:                  2015-06-04 08:52:23 -0400 EDT
Policy:                     <none>
RoleBinding[basic-users]:            
                        Role:   basic-user
                        Users:  []
                        Groups: [system:authenticated]
RoleBinding[cluster-admins]:             
                        Role:   cluster-admin
                        Users:  []
                        Groups: [system:cluster-admins]
RoleBinding[cluster-readers]:            
                        Role:   cluster-reader
                        Users:  []
                        Groups: [system:cluster-readers]
RoleBinding[cluster-status-binding]:         
                        Role:   cluster-status
                        Users:  []
                        Groups: [system:authenticated system:unauthenticated]
RoleBinding[self-provisioners]:          
                        Role:   self-provisioner
                        Users:  []
                        Groups: [system:authenticated]
RoleBinding[system:components]:          
                        Role:   system:component
                        Users:  [system:openshift-client]
                        Groups: []
RoleBinding[system:deployers]:           
                        Role:   system:deployer
                        Users:  [system:openshift-deployer]
                        Groups: []
RoleBinding[system:node-proxiers]:       
                        Role:   system:node-proxier
                        Users:  []
                        Groups: [system:nodes]
RoleBinding[system:nodes]:           
                        Role:   system:node
                        Users:  []
                        Groups: [system:nodes]
RoleBinding[system:oauth-token-deleters]:    
                        Role:   system:oauth-token-deleter
                        Users:  []
                        Groups: [system:authenticated system:unauthenticated]
RoleBinding[system:registrys]:           
                        Role:   system:registry
                        Users:  []
                        Groups: [system:registries]
RoleBinding[system:routers]:             
                        Role:   system:router
                        Users:  []
                        Groups: [system:routers]
RoleBinding[system:sdn-readers]:         
                        Role:   system:sdn-reader
                        Users:  []
                        Groups: [system:nodes]
RoleBinding[system:webhooks]:            
                        Role:   system:webhook
                        Users:  []
                        Groups: [system:authenticated system:unauthenticated]

[root@ose3-master beta4]# osc describe policybindings/:default -n demo
Name:                   :default
Created:                31 minutes ago
Labels:                 <none>
Last Modified:          2015-06-04 09:17:23 -0400 EDT
Policy:                 <none>
RoleBinding[admin]:      
                        Role:   admin
                        Users:  [alice joe]
                        Groups: []
RoleBinding[edit]:       
                        Role:   edit
                        Users:  [alice]
                        Groups: []
RoleBinding[view]:       
                        Role:   view
                        Users:  [alice]
                        Groups: []

liggitt (Contributor) commented Jun 4, 2015

and you ran osadm policy remove-user joe -n demo?

thoraxe (Contributor, Author) commented Jun 4, 2015

Step 4 was performed as alice when she was logged into and using the project in question.

I ran osadm policy remove-user joe

thoraxe (Contributor, Author) commented Jun 4, 2015

If I have to specify "-n demo" then it appears that "osadm policy remove-user" doesn't behave like other tools in that:

  • It doesn't operate on the current namespace/project by default
  • It doesn't give you an error when it does nothing or doesn't like your input

thoraxe (Contributor, Author) commented Jun 4, 2015

Or, worse, it did something somewhere else and didn't tell me what it was doing.

deads2k (Contributor) commented Jun 4, 2015

> If I have to specify "-n demo" then it appears that "osadm policy remove-user" doesn't behave like other tools in that:

Output of osc config --view ?

deads2k (Contributor) commented Jun 4, 2015

osc config view

thoraxe (Contributor, Author) commented Jun 4, 2015

As what user in what namespace?

deads2k (Contributor) commented Jun 4, 2015

> As what user in what namespace?

wherever you tried to do the remove-user

liggitt (Contributor) commented Jun 4, 2015

It does use your current namespace, I just wanted to make sure you were operating on the project you thought you were.

I agree that policy commands should be explicit about what happened in response to your command ("Role admin added to user foo in project baz", "User joe removed from project baz", "User joe does not have any roles in project baz", etc)
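Two things this thread asks for, written up here as an added Python example that is not part of OpenShift, of osadm, or of anyone's comment above: a parser for the `osc describe policybindings` output pasted earlier, so that after a remove you can confirm the user really is gone (the check that surfaced this bug), and a model of what `remove-user` should do to the project's role bindings together with the explicit messages liggitt suggests. The sample output is copied from the `demo` project listing above, and the function names and message wording are assumptions of this example, not the tool's.

```python
import re
from copy import deepcopy

# Constructed sample: the "osc describe policybindings/:default -n demo"
# output from the issue, taken after the remove that had no effect.
SAMPLE_DESCRIBE = """\
Name:                   :default
Created:                31 minutes ago
Labels:                 <none>
Last Modified:          2015-06-04 09:17:23 -0400 EDT
Policy:                 <none>
RoleBinding[admin]:
                        Role:   admin
                        Users:  [alice joe]
                        Groups: []
RoleBinding[edit]:
                        Role:   edit
                        Users:  [alice]
                        Groups: []
RoleBinding[view]:
                        Role:   view
                        Users:  [alice]
                        Groups: []
"""

_BINDING_RE = re.compile(r"^RoleBinding\[(?P<name>[^\]]+)\]:")


def _parse_list(value):
    """'[alice joe]' -> ['alice', 'joe']; '[]' -> []."""
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError(f"expected a bracketed list, got {value!r}")
    return value[1:-1].split()


def parse_policybinding(text):
    """Parse describe output into {binding_name: {role, users, groups}}."""
    bindings, current = {}, None
    for raw in text.splitlines():
        m = _BINDING_RE.match(raw)
        if m:
            current = m.group("name")
            bindings[current] = {"role": None, "users": [], "groups": []}
            continue
        if current is None:
            continue  # header fields (Name:, Created:, ...) are not needed
        line = raw.strip()
        if line.startswith("Role:"):
            bindings[current]["role"] = line[len("Role:"):].strip()
        elif line.startswith("Users:"):
            bindings[current]["users"] = _parse_list(line[len("Users:"):])
        elif line.startswith("Groups:"):
            bindings[current]["groups"] = _parse_list(line[len("Groups:"):])
    return bindings


def roles_for_user(bindings, user):
    """Roles held through a direct user entry; group grants are not resolved here."""
    return sorted(b["role"] for b in bindings.values() if user in b["users"])


def remove_user(bindings, user, project):
    """Drop `user` from every binding in `project`; return (new_bindings, messages)."""
    updated = deepcopy(bindings)
    messages = []
    for binding in updated.values():
        if user in binding["users"]:
            binding["users"] = [u for u in binding["users"] if u != user]
            messages.append(
                f"User {user} removed from role {binding['role']} in project {project}")
    if not messages:
        messages.append(f"User {user} does not have any roles in project {project}")
    return updated, messages


def verify_removed(describe_output, user):
    """Post-check for the issue's symptom: re-read the binding, confirm the user is gone."""
    leftover = roles_for_user(parse_policybinding(describe_output), user)
    if leftover:
        return False, f"user {user} still holds {leftover}; the remove had no effect"
    return True, f"user {user} holds no direct roles"


if __name__ == "__main__":
    # The state reported in the issue: joe is still admin after the remove.
    ok, msg = verify_removed(SAMPLE_DESCRIBE, "joe")
    print(msg)
    # What an explicit remove-user should change and report.
    before = parse_policybinding(SAMPLE_DESCRIBE)
    after, messages = remove_user(before, "joe", "demo")
    print("\n".join(messages))
    print(roles_for_user(after, "joe"))
```

The check only looks at direct `Users:` entries. As the cluster-level listing above shows (for example `basic-user` granted to `system:authenticated`), a user removed from every project binding still keeps whatever their groups grant, so a full "joe has no access" audit also has to look at the `Groups:` entries and the groups joe belongs to.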

thoraxe (Contributor, Author) commented Jun 4, 2015

[root@ose3-master beta4]# osc config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://ose3-master.example.com:8443
  name: master
- cluster:
    certificate-authority-data: REDACTED
    server: https://ose3-master.example.com:8443
  name: public-master
contexts:
- context:
    cluster: master
    namespace: default
    user: system:openshift-client
  name: default
- context:
    cluster: public-master
    namespace: default
    user: system:openshift-client
  name: public-default
current-context: default
kind: Config
preferences: {}
users:
- name: system:openshift-client
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[joe@ose3-master beta4]$ osc config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/openshift/master/ca.crt
    server: https://ose3-master.example.com:8443
  name: ose3-master-example-com:8443
contexts:
- context:
    cluster: ose3-master-example-com:8443
    namespace: demo
    user: joe/ose3-master-example-com:8443
  name: demo/ose3-master-example-com:8443/joe
- context:
    cluster: ose3-master-example-com:8443
    namespace: sinatra
    user: joe/ose3-master-example-com:8443
  name: sinatra/ose3-master-example-com:8443/joe
current-context: sinatra/ose3-master-example-com:8443/joe
kind: Config
preferences: {}
users:
- name: joe/ose3-master-example-com:8443
  user:
    token: hLwPoTy2rKuT5fYnYocRsGttGNCCWQUXEgWb5aJHE9c
[alice@ose3-master ~]$ osc project
Using project "demo" from context named "demo/ose3-master-example-com:8443/alice" on server "https://ose3-master.example.com:8443".
[alice@ose3-master ~]$ osadm policy remove-user joe
[alice@ose3-master ~]$ osc config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: ../../../../etc/openshift/master/ca.crt
    server: https://ose3-master.example.com:8443
  name: ose3-master-example-com:8443
contexts:
- context:
    cluster: ose3-master-example-com:8443
    namespace: demo
    user: alice/ose3-master-example-com:8443
  name: demo/ose3-master-example-com:8443/alice
current-context: demo/ose3-master-example-com:8443/alice
kind: Config
preferences: {}
users:
- name: alice/ose3-master-example-com:8443
  user:
    token: yjL5tiUhPevV9NNq60_Mb26ZY6Uq0SSzRk1asTqxaok

The last one is alice's and was how the remove was run.

deads2k (Contributor) commented Jun 4, 2015

make another issue about this path

clusters:
- cluster:
    certificate-authority: ../../../../etc/openshift/master/ca.crt

deads2k (Contributor) commented Jun 4, 2015

I'm betting you don't have e2529e6

deads2k (Contributor) commented Jun 4, 2015

That bug prevented remove-users from actually removing users (yes, that sounds ridiculous). I'll fix up output so @liggitt can complain about my messages.

liggitt (Contributor) commented Jun 4, 2015

> I'll fix up output so @liggitt can complain about my messages.

+1

thoraxe (Contributor, Author) commented Jun 4, 2015

@sdodson looks like we need a particular commit (see #2785 (comment))
