Description
Description of problem:
Customer is using the "oc adm groups sync --type=openshift --sync-config=/config/group_sync.yaml --confirm" command to sync LDAP groups. This works as expected when each group to be synced points to a unique "openshift.io/ldap.uid". As soon as there is a second group that points to the same "ldap.uid", only the newly created group gets synced. We suspect this is a bug in the syncing code that only selects the latest group.
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4.11.25
How reproducible:
Always on the customer side; I was unable to reproduce it as I do not have access to an LDAP setup in our lab
Steps to Reproduce:
1. Take an LDAP-synced Group (example below)
~~~
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  name: admins
  labels:
    app.kubernetes.io/instance: authorization
    openshift.io/ldap.host: ldap.example.com
  annotations:
    openshift.io/ldap.uid: >-
      CN=EXAMPLE-ADM-OPENSHIFT,OU=OpenShift,OU=Global,OU=EXAMPLE-Groups,DC=example,DC=com
    openshift.io/ldap.url: 'ldap.example.com:3268'
users:
  - rhexample
  - rhskrenger
~~~
2. Copy the group and add a "2" suffix to its name ("admin2" in this example)
3. Run the "oc adm groups sync" command to update the group
Actual results:
We can see that the group "admin2" appears twice in the output of the command:
~~~
group/admin2
group/admin2
~~~
meaning that instead of syncing the groups "admin" and "admin2" it only syncs "admin2" twice. You can further check that the sync date on the "admin" group has not been updated; only on the "admin2" group has it been.
Expected results:
Both the group "admin" and "admin2" are synced
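A check worth running before the sync, added here as an example and not part of this report or of oc itself: it reads `oc get groups -o json` output (a constructed sample is embedded), lists every ldap.uid annotation claimed by more than one Group, and shows which Groups a single-valued DN-to-Group index (last one seen wins, the behaviour the report suspects) would leave unsynced.

```python
import json
from collections import defaultdict

UID_ANNOTATION = "openshift.io/ldap.uid"

# Constructed sample in the shape of `oc get groups -o json`, not real data:
# two Groups share one ldap.uid, one has its own, one is not LDAP-managed.
SAMPLE_GROUP_LIST = json.dumps({"kind": "GroupList", "items": [
    {"metadata": {"name": "admins", "annotations": {
        UID_ANNOTATION: "CN=EXAMPLE-ADM-OPENSHIFT,OU=OpenShift,DC=example,DC=com"}},
     "users": ["rhexample", "rhskrenger"]},
    {"metadata": {"name": "admins2", "annotations": {
        UID_ANNOTATION: "CN=EXAMPLE-ADM-OPENSHIFT,OU=OpenShift,DC=example,DC=com"}},
     "users": ["rhexample", "rhskrenger"]},
    {"metadata": {"name": "developers", "annotations": {
        UID_ANNOTATION: "CN=EXAMPLE-DEV-OPENSHIFT,OU=OpenShift,DC=example,DC=com"}},
     "users": ["rhexample"]},
    {"metadata": {"name": "local-ops", "annotations": {}}, "users": ["rhskrenger"]},
]})


def groups_by_ldap_uid(group_list_json):
    """Map each LDAP DN found in an ldap.uid annotation to every Group name carrying it."""
    by_uid = defaultdict(list)
    for item in json.loads(group_list_json).get("items", []):
        meta = item.get("metadata", {})
        uid = (meta.get("annotations") or {}).get(UID_ANNOTATION)
        if uid:  # Groups without the annotation are not LDAP-managed; the sync ignores them
            by_uid[uid].append(meta["name"])
    return dict(by_uid)


def duplicate_ldap_uids(group_list_json):
    """The pre-sync check: DNs claimed by more than one Group, with the Group names."""
    return {uid: names for uid, names in groups_by_ldap_uid(group_list_json).items()
            if len(names) > 1}


def groups_skipped_by_last_wins(group_list_json):
    """Groups that a single-valued DN->Group index (last Group seen wins, the behaviour
    the report suspects) would leave out of the sync. Sorted for stable output."""
    skipped = []
    for names in groups_by_ldap_uid(group_list_json).values():
        skipped.extend(names[:-1])  # only the last name per DN survives in such an index
    return sorted(skipped)


if __name__ == "__main__":
    for uid, names in duplicate_ldap_uids(SAMPLE_GROUP_LIST).items():
        print(f"duplicate ldap.uid {uid}: {', '.join(names)}")
    print("would be skipped:", groups_skipped_by_last_wins(SAMPLE_GROUP_LIST))
```

Against a live cluster, pass the output of `oc get groups -o json` to the same functions instead of the sample.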
Additional info:
-
Issue Links
- causes: RFE-4040 Update "oc adm group sync" mechanism to handle duplicate groups (Deferred)
- links to: RHEA-2023:5006 rpm