Description of problem:
After assigning the expected role to the group, a user who is part of the same group is not able to check whether the user has the expected permissions using the --as option, as shown below.

The --as option is not working as expected:
~~~
$ oc get pods -n project-name --as user4
Error from server (Forbidden): pods is forbidden: User "user-name" cannot list resource "pods" in API group "" in the namespace "project-name"
~~~
However, --as with --as-group works fine as expected:
~~~
$ oc get pods -n project-name --as=user-name --as-group=group-name
~~~
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1. Create a User and a Group. Add the user to the group.
2. Create a new project. Create a new pod and ConfigMap in this project.
3. Created 2 roles to get pods and cm and assigned them to the group:
~~~
$ oc create role get-pod --verb=get,list --resource=pods -n <project-name>
$ oc create role get-cm --verb=get,list --resource=configmaps -n <project-name>
$ oc adm policy add-role-to-group get-pod group-name --role-namespace=<project-name> -n <project-name>
$ oc adm policy add-role-to-group get-cm group-name --role-namespace=<project-name> -n <project-name>
~~~
4. Check if the user has access to the resources:
~~~
$ oc get pods -n <project-name> --as=user-name
$ oc get cm -n <project-name> --as=user-name
~~~
Actual results:
Using the --as option in the `$ oc get` command is not giving us the expected results. However, the --as option with the --as-group option is working as expected.
Expected results:
--as must work with --as-group option in the `$ oc get` command
Additional info:
Created user and added the user in a group:
~~~
$ oc get user
NAME    UID                                    FULL NAME   IDENTITIES
user4   f943064d-323d-4140-bc04-f41a13294e1e               my_htpasswd_provider:user4
$ oc get group
NAME     USERS
group4   user4
~~~
Created project, a new app, and a new cm:
~~~
$ oc new-project newpro1
$ oc new-app httpd
$ oc create cm test-cm
configmap/test-cm created
~~~
Created 2 roles to get pods and cm and assigned to the group:
~~~
$ oc create role get-pod --verb=get,list --resource=pods -n newpro1
role.rbac.authorization.k8s.io/get-pod created
$ oc create role get-cm --verb=get,list --resource=configmaps -n newpro1
role.rbac.authorization.k8s.io/get-cm created
$ oc adm policy add-role-to-group get-pod group4 --role-namespace=newpro1 -n newpro1
role.rbac.authorization.k8s.io/get-pod added: "group4"
$ oc adm policy add-role-to-group get-cm group4 --role-namespace=newpro1 -n newpro1
role.rbac.authorization.k8s.io/get-cm added: "group4"
~~~
Checked using --as option only, it is not working as expected:
~~~
$ oc get pods -n newpro1 --as user4
Error from server (Forbidden): pods is forbidden: User "user4" cannot list resource "pods" in API group "" in the namespace "newpro1"
$ oc get cm -n newpro1 --as user4
Error from server (Forbidden): configmaps is forbidden: User "user4" cannot list resource "configmaps" in API group "" in the namespace "newpro1"
~~~
However, --as with --as-group works fine:
~~~
$ oc get pods -n newpro1 --as=user4 --as-group=group4
NAME                     READY   STATUS    RESTARTS   AGE
httpd-5bc4d567f7-jwznw   1/1     Running   0          27m
~~~
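
The report shows that a permission check with --as alone misses roles bound to the user's group, while adding --as-group gives the expected result. The following added example (not part of the original report, and not code from the oc project) builds the full impersonation flags from group membership so an RBAC audit covers group-bound roles. It assumes the input is the output of `oc get groups -o json`; the helper names and the sample data beyond user4/group4/newpro1 are hypothetical.

```python
import json
import shlex

# Constructed sample shaped like `oc get groups -o json` output. group4, user4
# and newpro1 come from the report; "auditors", "user9" and "empty-group" are made up.
SAMPLE_GROUPS_JSON = """
{
  "kind": "List",
  "items": [
    {"kind": "Group", "metadata": {"name": "group4"}, "users": ["user4"]},
    {"kind": "Group", "metadata": {"name": "auditors"}, "users": ["user9", "user4"]},
    {"kind": "Group", "metadata": {"name": "empty-group"}, "users": null}
  ]
}
"""


def groups_for_user(groups_json, user):
    """Return the sorted names of Group objects whose users list contains user."""
    doc = json.loads(groups_json)
    # Accept either a List wrapper or a single Group object.
    items = doc.get("items") if "items" in doc else [doc]
    found = set()
    for item in items or []:
        members = item.get("users") or []  # users can be null for an empty group
        if user in members:
            found.add(item["metadata"]["name"])
    return sorted(found)


def impersonated_command(base_cmd, user, groups_json):
    """Append --as and one --as-group per membership to an oc argv list."""
    argv = list(base_cmd) + ["--as=" + user]
    argv += ["--as-group=" + g for g in groups_for_user(groups_json, user)]
    return argv


if __name__ == "__main__":
    cmd = impersonated_command(
        ["oc", "get", "pods", "-n", "newpro1"], "user4", SAMPLE_GROUPS_JSON
    )
    # Print a shell-quoted command line that can be reviewed before running it.
    print(shlex.join(cmd))
```

Only memberships stored in Group objects are picked up; groups that do not exist as Group objects have to be added by hand.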