-
Bug
-
Resolution: Not a Bug
4.15
-
Quality / Stability / Reliability
Create a customer-defined role, grant permissions a and b, update the role permissions, and grant permissions c and d.
The expected result is that the corresponding role permissions are updated to c and d, but the role is not updated that way and the permissions accumulate: a, b, c, d.
How reproducible:
Always
Steps to Reproduce:
1. Prepare the CredentialsRequests files by running
'oc adm release extract --cloud=gcp --credentials-requests $RELEASE_IMAGE --to=./credreqs'
2. Customize a role. The Storage CR is used as an example here.
cloud-user@mihuang098:~$ cat ./credreqs/0000_50_cluster-storage-operator_03_credentials_request_gcp.yaml
—
permissions:
- compute.disks.create
- compute.disks.delete
- compute.imsges.get
skipServiceCheck: true
3. Run ccoctl to create GCP resources.
./ccoctl gcp create-all --name=mihuangst3 --project=openshift-qe --region=us-central1 --credentials-requests-dir=./credreqs --output-dir=gcp5
4. Remove the existing storage permissions and replace them with
- compute.zones.list
- compute.disks.use
5. Run ccoctl to create GCP resources.
./ccoctl gcp create-all --name=mihuangst3 --project=openshift-qe --region=us-central1 --credentials-requests-dir=./credreqs --output-dir=gcp5
Expected result:
The role only has these two permissions:
- compute.zones.list
- compute.disks.use
Actual results:
After the update, the corresponding permissions were not removed; instead, all the permissions that had appeared were added to the role.
Additional info:
More detailed results are documented in test case OCP-68757
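A way to confirm the accumulation after step 5, as an added example that is not part of the original report or of ccoctl: compare the permissions list in the edited CredentialsRequest with the role's includedPermissions. The function names and both sample inputs are constructed for illustration; the role JSON is assumed to have the shape printed by `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`, with the role ID left as a placeholder.

```python
import json


def desired_permissions(credreq_yaml: str) -> set[str]:
    """Collect the items of the `permissions:` list in a CredentialsRequest.

    Minimal line-based reader so the example needs no YAML library; it only
    handles a block-style list directly under the key.
    """
    perms, in_list, key_indent = set(), False, 0
    for line in credreq_yaml.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "permissions:":
            in_list, key_indent = True, indent
        elif in_list and stripped.startswith("- ") and indent >= key_indent:
            perms.add(stripped[2:].strip())
        elif in_list and stripped:
            in_list = False  # the next key (e.g. skipServiceCheck) ends the list
    return perms


def role_drift(credreq_yaml: str, role_json: str) -> dict[str, list[str]]:
    """Return permissions granted but not requested, and requested but not granted."""
    desired = desired_permissions(credreq_yaml)
    actual = set(json.loads(role_json).get("includedPermissions", []))
    return {"excess": sorted(actual - desired), "missing": sorted(desired - actual)}


# Constructed sample: the CredentialsRequest fragment after step 4 of the report.
CREDREQ_AFTER_UPDATE = """\
spec:
  providerSpec:
    permissions:
    - compute.zones.list
    - compute.disks.use
    skipServiceCheck: true
"""

# Constructed sample of the role after step 5; permission names are copied
# from the report exactly as written there.
ROLE_AFTER_SECOND_RUN = json.dumps({"includedPermissions": [
    "compute.disks.create", "compute.disks.delete", "compute.imsges.get",
    "compute.zones.list", "compute.disks.use",
]})

if __name__ == "__main__":
    drift = role_drift(CREDREQ_AFTER_UPDATE, ROLE_AFTER_SECOND_RUN)
    for perm in drift["excess"]:
        print("granted but no longer requested:", perm)
```

An empty "excess" list means the role matches the CredentialsRequest; any entry is a permission the role still carries beyond what is requested.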