oauthclientauthorizations are not repaired or GC'd #15120

Open
enj opened this issue Jul 10, 2017 · 7 comments
Labels
area/security component/auth lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/P2

Comments

@enj
Contributor

enj commented Jul 10, 2017

If the client or user no longer exists, the oauthclientauthorization should be deleted.

@abstractj
Contributor

@enj wise Mo. When you get the chance, could you provide the steps to reproduce it? Even if you're going to work on it, I'd like to see the issue.

@enj
Contributor Author

enj commented Jul 20, 2017

  1. oc cluster up or equivalent
  2. Go to web console and login as developer
  3. Create new project foo
  4. Create Jenkins + OAuth
  5. Once Jenkins is ready, log into Jenkins as developer using OAuth
  6. Using oc as system:admin, observe that an oauthclientauthorization object is created
  7. In the web console as developer, delete project foo
  8. Use oc to see the now dangling oauthclientauthorization (try to update its scope and it will complain about a missing client)

@abstractj
Contributor

abstractj commented Jul 25, 2017

@enj I managed to reproduce all the steps you mentioned, except number 8. I couldn't find any docs about how to update the OAuth scope using the oc client.

Would you say that this issue is somewhat related to your comment here openshift/openshift-docs#3404 (comment)? Because delete is not working.

I did exactly what you mentioned in your comments:

$ oc get oauthclientauthorization -o jsonpath="{range .items[*]}{.metadata.name}{\"\\n\"}{end}" | grep -v '::' | xargs -n 1 echo oc delete oauthclientauthorization
$ oc delete oauthclientauthorization developer:system:serviceaccount:foo:jenkins
$ oc get oauthclientauthorization
NAME                                          USER NAME   CLIENT NAME                         SCOPES
developer:system:serviceaccount:foo:jenkins   developer   system:serviceaccount:foo:jenkins   user:info,user:check-access

@enj
Contributor Author

enj commented Jul 26, 2017

@abstractj the functionality mentioned in openshift/openshift-docs#3404 (comment) has not been implemented yet, see #11909

To reproduce 8 all you need to do is oc edit oauthclientauthorization <name> and then edit the scope slice with extra data.
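
An added example, not code from this thread or from OpenShift: a Python check that flags the dangling objects this issue describes, given List documents shaped like `oc get <resource> -o json` output for oauthclientauthorizations, users, oauthclients and serviceaccounts. The field names (`userName`, `userUID`, `clientName`), the function names and the sample data are assumptions made for the example, and the UID comparison goes beyond the issue text to also catch a user that was deleted and recreated under the same name.

```python
import json

SA_PREFIX = "system:serviceaccount:"

def _items(list_json):
    return json.loads(list_json)["items"]

def find_dangling(auths_json, users_json, clients_json, sas_json):
    """Return (name, reason) for each authorization whose user or client is gone."""
    users = {u["metadata"]["name"]: u["metadata"]["uid"] for u in _items(users_json)}
    clients = {c["metadata"]["name"] for c in _items(clients_json)}
    sas = {(s["metadata"]["namespace"], s["metadata"]["name"]) for s in _items(sas_json)}
    dangling = []
    for a in _items(auths_json):
        name, user, client = a["metadata"]["name"], a["userName"], a["clientName"]
        if user not in users:
            dangling.append((name, "user missing"))
        elif a.get("userUID") and a["userUID"] != users[user]:
            dangling.append((name, "user recreated with a different UID"))
        elif client.startswith(SA_PREFIX):  # system:serviceaccount:<ns>:<name>
            ns, _, sa = client[len(SA_PREFIX):].partition(":")
            if (ns, sa) not in sas:
                dangling.append((name, "service account client missing"))
        elif client not in clients:
            dangling.append((name, "oauthclient missing"))
    return dangling

# Constructed sample data (not captured from a real cluster).
def _list(*items):
    return json.dumps({"items": list(items)})

def _auth(user, uid, client):
    return {"metadata": {"name": f"{user}:{client}"},
            "userName": user, "userUID": uid, "clientName": client}

SAMPLE_AUTHS = _list(
    _auth("developer", "uid-1", "system:serviceaccount:foo:jenkins"),  # project foo deleted
    _auth("developer", "uid-1", "example-client"),                     # still valid
    _auth("alice", "uid-old", "example-client"),                       # alice was recreated
    _auth("bob", "uid-3", "example-client"),                           # bob was deleted
)
SAMPLE_USERS = _list({"metadata": {"name": "developer", "uid": "uid-1"}},
                     {"metadata": {"name": "alice", "uid": "uid-new"}})
SAMPLE_CLIENTS = _list({"metadata": {"name": "example-client"}})
SAMPLE_SAS = _list({"metadata": {"namespace": "bar", "name": "jenkins"}})

if __name__ == "__main__":
    for name, reason in find_dangling(SAMPLE_AUTHS, SAMPLE_USERS, SAMPLE_CLIENTS, SAMPLE_SAS):
        print(f"{name}: {reason}")
```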

@openshift-bot
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 16, 2018
@enj
Contributor Author

enj commented Feb 19, 2018

/lifecycle frozen

@openshift-ci-robot openshift-ci-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Feb 19, 2018
@enj enj removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 28, 2018
@enj
Contributor Author

enj commented Oct 16, 2019

/unassign

@stlaz @sttts @mfojtik
