OpenShift Bugs
OCPBUGS-22454

OpenShift users with role edit/view can't list their namespaces; however, they are able to list the projects

    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Normal
    • Affects Version/s: 4.12.z
    • Component/s: oauth-apiserver
    • Severity: Moderate

      Description of problem:

      OpenShift Users with role edit/view can't list their namespaces However able to list the projects.
      
      oc get ns
      Error from server (Forbidden): namespaces is forbidden: User "username" cannot list resource "namespaces" in API group "" at the cluster scope
      
      oc get projects
      NAME                      DISPLAY NAME        STATUS
      test-1                    test1               Active
      test-2                    test2               Active
      

      Version-Release number of selected component (if applicable):

      4.12.37

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create users in OCP cluster
      2. Assign edit and view roles to the user for specific projects
      3. Login with the created users
      4. Run oc get projects which gives the expected output.
      5. Run oc get ns which gives an error

      Actual results:

      oc get ns
      Error from server (Forbidden): namespaces is forbidden: User "username" cannot list resource "namespaces" in API group "" at the cluster scope

      Expected results:

      Customer gets output similar to oc get projects

      Additional info:

      I was able to replicate it. The steps are as below.
      
      1. Created two users
      
      [quickcluster@upi-0 ~]$ htpasswd -c -B -b users.htpasswd user1 user1
      Adding password for user user1
      [quickcluster@upi-0 ~]$ htpasswd -B -b users.htpasswd user2 user2
      Adding password for user user1
      
      2. Creating the htpasswd secret
      
      [quickcluster@upi-0 ~]$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd -n openshift-config
      secret/htpass-secret created
      
      3. Creating the HTPasswd CR
      
      [quickcluster@upi-0 ~]$ cat idp-new
      apiVersion: config.openshift.io/v1
      kind: OAuth
      metadata:
        name: cluster
      spec:
        identityProviders:
        - name: my_htpasswd_provider 
          mappingMethod: claim 
          type: HTPasswd
          htpasswd:
            fileData:
              name: htpass-secret
      
      4. Adding an identity provider to your cluster
      
      [quickcluster@upi-0 ~]$ oc apply -f idp-new 
      oauth.config.openshift.io/cluster configured
      
      5. Assigned the edit role to the user for specific namespaces only.
      
      [quickcluster@upi-0 ~]$ oc adm policy add-role-to-user edit user1 -n demo1
      clusterrole.rbac.authorization.k8s.io/edit added: "user1"
      [quickcluster@upi-0 ~]$ oc adm policy add-role-to-user edit user1 -n demo2
      clusterrole.rbac.authorization.k8s.io/edit added: "user1"
      [quickcluster@upi-0 ~]$ oc login -u user1 -p user1
      Login successful.

      You have access to the following projects and can switch between them with 'oc project <projectname>':

        * default
          demo1
          demo2

      Using project "default".
      
      [quickcluster@upi-0 ~]$ oc get projects
      NAME      DISPLAY NAME   STATUS
      default                  Active
      demo1                    Active
      demo2                    Active
      
      [quickcluster@upi-0 ~]$ oc get ns
      Error from server (Forbidden): namespaces is forbidden: User "user1" cannot list resource "namespaces" in API group "" at the cluster scope
      
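A small model of the authorization difference the report shows, added here as an example and not OpenShift or Kubernetes code (the rule set, the constructed bindings and namespaces, and the way the project list is filtered are assumptions): `oc get ns` is one cluster-scoped list that namespaced `edit` RoleBindings cannot satisfy, while `projects` is served by openshift-apiserver, which filters namespaces per user.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified rule set (assumption): upstream `edit`/`view` grant get/list/watch on the
# core `namespaces` resource, but add-role-to-user -n demo1 binds it via a namespaced RoleBinding.
EDIT_RULES = [{"apiGroups": {""}, "resources": {"namespaces", "pods", "configmaps"},
               "verbs": {"get", "list", "watch", "create", "update", "delete"}}]

@dataclass
class Binding:
    user: str
    namespace: Optional[str]  # None models a ClusterRoleBinding (applies in every namespace)
    rules: list

@dataclass
class Request:
    user: str
    verb: str
    resource: str
    namespace: Optional[str] = None  # None models cluster scope, e.g. GET /api/v1/namespaces

def authorize(req: Request, bindings: List[Binding]) -> bool:
    """RBAC decision: a namespaced binding only satisfies requests made inside its namespace."""
    for b in bindings:
        if b.user != req.user:
            continue
        if b.namespace is not None and b.namespace != req.namespace:
            continue  # a RoleBinding in demo1 never matches a cluster-scoped list
        for rule in b.rules:
            if ("" in rule["apiGroups"] and req.resource in rule["resources"]
                    and req.verb in rule["verbs"]):
                return True
    return False

def list_namespaces(user: str, bindings: List[Binding], all_namespaces: List[str]) -> List[str]:
    """`oc get ns` is one cluster-scoped list: either every namespace or Forbidden."""
    if not authorize(Request(user, "list", "namespaces"), bindings):
        raise PermissionError('namespaces is forbidden: cannot list resource "namespaces" '
                              'in API group "" at the cluster scope')
    return list(all_namespaces)

def list_projects(user: str, bindings: List[Binding], all_namespaces: List[str]) -> List[str]:
    """`oc get projects` (assumed model of openshift-apiserver): enumerate every namespace with
    the server's own privileged client, then keep those the caller may `get` one at a time."""
    return [ns for ns in all_namespaces
            if authorize(Request(user, "get", "namespaces", namespace=ns), bindings)]

# Constructed data matching the report's session: user1 holds `edit` in demo1 and demo2 only.
BINDINGS = [Binding("user1", "demo1", EDIT_RULES), Binding("user1", "demo2", EDIT_RULES)]
ALL_NAMESPACES = ["kube-system", "openshift-config", "demo1", "demo2"]
```

Only a cluster-wide binding (a ClusterRoleBinding, modelled here as `Binding("user1", None, EDIT_RULES)`) makes `oc get ns` succeed, and it does so by revealing the name of every namespace in the cluster, which is the exposure the namespaced `edit` role is designed to avoid.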

            slaznick@redhat.com Stanislav Láznička
            rhn-support-shamkuma Sham Kumar G
            Xingxing Xia Xingxing Xia