- Bug
- Resolution: Not a Bug
- Normal
- None
- 4.12.z
- None
- Moderate
- No
- False
Description of problem:
OpenShift users with the edit/view role can't list their namespaces, but they are able to list the projects.

    oc get ns
    Error from server (Forbidden): namespaces is forbidden: User "username" cannot list resource "namespaces" in API group "" at the cluster scope

    oc get projects
    NAME     DISPLAY NAME   STATUS
    test-1   test1          Active
    test-2   test2          Active
Version-Release number of selected component (if applicable):
4.12.37
How reproducible:
Always
Steps to Reproduce:
1. Create users in the OCP cluster
2. Assign edit and view roles to the user for specific projects
3. Login with the created users
4. Run oc get projects, which gives the expected output
5. Run oc get ns, which gives an error
Actual results:
    oc get ns
    Error from server (Forbidden): namespaces is forbidden: User "username" cannot list resource "namespaces" in API group "" at the cluster scope
Expected results:
Customer gets output similar to that of oc get projects
Additional info:
I was able to replicate it. The steps are as below.

1. Created two users

    [quickcluster@upi-0 ~]$ htpasswd -c -B -b users.htpasswd user1 user1
    Adding password for user user1
    [quickcluster@upi-0 ~]$ htpasswd -B -b users.htpasswd user2 user2
    Adding password for user user1

2. Creating the htpasswd secret

    [quickcluster@upi-0 ~]$ oc create secret generic htpass-secret --from-file=htpasswd=users.htpasswd -n openshift-config
    secret/htpass-secret created

3. Creating the HTPasswd CR

    [quickcluster@upi-0 ~]$ cat idp-new
    apiVersion: config.openshift.io/v1
    kind: OAuth
    metadata:
      name: cluster
    spec:
      identityProviders:
      - name: my_htpasswd_provider
        mappingMethod: claim
        type: HTPasswd
        htpasswd:
          fileData:
            name: htpass-secret

4. Adding the identity provider to the cluster

    [quickcluster@upi-0 ~]$ oc apply -f idp-new
    oauth.config.openshift.io/cluster configured

5. Assigned the edit role to the user, scoped to specific namespaces

    [quickcluster@upi-0 ~]$ oc adm policy add-role-to-user edit user1 -n demo1
    clusterrole.rbac.authorization.k8s.io/edit added: "user1"
    [quickcluster@upi-0 ~]$ oc adm policy add-role-to-user edit user1 -n demo2
    clusterrole.rbac.authorization.k8s.io/edit added: "user1"
    [quickcluster@upi-0 ~]$ oc login -u user1 -p user1
    Login successful.

    You have access to the following projects and can switch between them with 'oc project <projectname>':

      * default
        demo1
        demo2

    Using project "default".
    [quickcluster@upi-0 ~]$ oc get projects
    NAME      DISPLAY NAME   STATUS
    default                  Active
    demo1                    Active
    demo2                    Active
    [quickcluster@upi-0 ~]$ oc get ns
    Error from server (Forbidden): namespaces is forbidden: User "user1" cannot list resource "namespaces" in API group "" at the cluster scope
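The resolution "Not a Bug" follows from the error text itself: listing namespaces is authorized at the cluster scope, while oc adm policy add-role-to-user edit user1 -n demo1 creates a RoleBinding whose rules apply only inside demo1. The OpenShift projects API, by contrast, returns only the projects the caller is authorized to see, so oc get projects succeeds for the same user. The manifests below are an added example, not part of the bug report: the first is the kind of namespace-scoped binding the reporter created (user1 and demo1 come from the report; the RoleBinding name is assumed), the second and third are the cluster-scoped ClusterRole and ClusterRoleBinding that oc get ns would actually require (the names namespace-lister and namespace-lister-user1 are assumed).

```yaml
# Added example, not from the bug report. user1/demo1 are the report's values;
# every object name below is an assumption.

# 1. What "oc adm policy add-role-to-user edit user1 -n demo1" produces: a
#    RoleBinding inside demo1 that references the built-in "edit" ClusterRole.
#    Because the binding is namespaced, the "edit" rules never apply to a
#    cluster-scoped request such as "list namespaces".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edit            # assumed name
  namespace: demo1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1
---
# 2. The only grant that satisfies "oc get ns": get/list on the cluster-scoped
#    "namespaces" resource, delivered through a ClusterRoleBinding.
#    Trade-off: this discloses the name of every namespace in the cluster to
#    user1, which is precisely what the project-scoped default withholds.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-lister          # assumed name
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-lister-user1    # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-lister
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1
```

A cluster administrator can confirm the decision before and after applying the last two objects with oc auth can-i list namespaces --as=user1, which answers "no" for the setup in the report and "yes" once the ClusterRoleBinding exists. Whether to grant it is a policy choice rather than a defect: a user who only needs to know which projects they can work in already gets that, server-side filtered, from oc get projects.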