diff --git a/pkg/cmd/server/kubernetes/master/master_config_test.go b/pkg/cmd/server/kubernetes/master/master_config_test.go
index 0489b114976e..a8685c0cc740 100644
--- a/pkg/cmd/server/kubernetes/master/master_config_test.go
+++ b/pkg/cmd/server/kubernetes/master/master_config_test.go
@@ -35,6 +35,7 @@ var expectedGroupPreferredVersions []string = []string{
 "admissionregistration.k8s.io/v1alpha1",
 "apps/v1beta1,authentication.k8s.io/v1",
 "authorization.k8s.io/v1",
+ "authorization.openshift.io/v1",
 "autoscaling/v1",
 "batch/v1",
 "certificates.k8s.io/v1beta1",
diff --git a/test/cmd/authentication.sh b/test/cmd/authentication.sh
index be5211b0cc9d..57cc571e91e7 100755
--- a/test/cmd/authentication.sh
+++ b/test/cmd/authentication.sh
@@ -69,7 +69,7 @@ os::cmd::expect_success_and_text "oc get user/~ --token='${allescalatingpowersto
 os::cmd::expect_success "oc get secrets --token='${allescalatingpowerstoken}' -n '${project}'"
 # scopes allow it, but authorization doesn't
 os::cmd::try_until_failure "oc get secrets --token='${allescalatingpowerstoken}' -n default"
-os::cmd::expect_failure_and_text "oc get secrets --token='${allescalatingpowerstoken}' -n default" 'cannot list secrets in project'
+os::cmd::expect_failure_and_text "oc get secrets --token='${allescalatingpowerstoken}' -n default" 'cannot list secrets in the namespace'
 os::cmd::expect_success_and_text "oc get projects --token='${allescalatingpowerstoken}'" "${project}"
 os::cmd::expect_success_and_text "oc policy can-i --list --token='${allescalatingpowerstoken}' -n '${project}'" 'get.*pods'
diff --git a/test/cmd/status.sh b/test/cmd/status.sh
index c003f9e75672..46a58cb4614a 100755
--- a/test/cmd/status.sh
+++ b/test/cmd/status.sh
@@ -44,7 +44,7 @@ os::cmd::expect_success_and_text "oc login --server=${KUBERNETES_MASTER} --certi
 os::cmd::expect_success_and_text 'oc status' "You don't have any projects. You can try to create a new project, by running"
 os::cmd::expect_success_and_text 'oc status --all-namespaces' "Showing all projects on server"
 # make sure `oc status` does not re-use the "no projects" message from `oc login` if -n is specified
-os::cmd::expect_failure_and_text 'oc status -n forbidden' 'Error from server \(Forbidden\): User "test-user" cannot get project "forbidden"'
+os::cmd::expect_failure_and_text 'oc status -n forbidden' 'Error from server \(Forbidden\): User "test-user" cannot get projects in the namespace "forbidden"'
 # create a new project
 os::cmd::expect_success "oc new-project project-bar --display-name='my project' --description='test project'"
@@ -52,7 +52,7 @@ os::cmd::expect_success_and_text "oc project" 'Using project "project-bar"'
 # make sure `oc status` does not use "no projects" message if there is a project created
 os::cmd::expect_success_and_text 'oc status' "In project my project \(project-bar\) on server"
-os::cmd::expect_failure_and_text 'oc status -n forbidden' 'Error from server \(Forbidden\): User "test-user" cannot get project "forbidden"'
+os::cmd::expect_failure_and_text 'oc status -n forbidden' 'Error from server \(Forbidden\): User "test-user" cannot get projects in the namespace "forbidden"'
 # create a second project
 os::cmd::expect_success "oc new-project project-bar-2 --display-name='my project 2' --description='test project 2'"
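Review bot: The complete Forbidden message is spelled out as a literal regex in both `expect_failure_and_text 'oc status -n forbidden'` assertions here and again in the two `try_until_text "oc status"` assertions of the hunks at -62 and -71, so every change to the server's wording needs four identical edits, as this commit shows. I would define the common prefix once near the top of the script, for example `forbidden_get='Error from server \(Forbidden\): User "test-user" cannot get projects in the namespace'`, and have each assertion append only the quoted namespace name. The rest of the script is outside these hunks, so there may be further copies of the string to fold in.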
@@ -62,7 +62,7 @@ os::cmd::expect_success_and_text "oc project" 'Using project "project-bar-2"'
 # message since `project-bar` still exists
 os::cmd::expect_success_and_text "oc delete project project-bar-2" 'project "project-bar-2" deleted'
 # the deletion is asynchronous and can take a while, so wait until we see the error
-os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test-user" cannot get project "project-bar-2"'
+os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test-user" cannot get projects in the namespace "project-bar-2"'
 # delete "project-bar" and test that `oc status` still does not return the "no projects" message.
 # Although we are deleting the last remaining project, the current context's namespace is still set
@@ -71,7 +71,7 @@ os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test
 os::cmd::expect_success "oc project project-bar"
 os::cmd::expect_success "oc delete project project-bar"
 # the deletion is asynchronous and can take a while, so wait until we see the error
-os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test-user" cannot get project "project-bar"'
+os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test-user" cannot get projects in the namespace "project-bar"'
 os::cmd::try_until_not_text "oc get projects" "project-bar"
 os::cmd::try_until_not_text "oc get projects" "project-bar-2"
 os::cmd::expect_success "oc logout"
diff --git a/test/integration/authorization_test.go b/test/integration/authorization_test.go
index ca544fca11fb..f89548cb7a10 100644
--- a/test/integration/authorization_test.go
+++ b/test/integration/authorization_test.go
@@ -1174,8 +1174,8 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 localReview: askCanEdgarDeletePods,
 kubeAuthInterface: haroldSARGetter,
 kubeNamespace: "mallet-project",
- err: `User "harold" cannot create localsubjectaccessreviews in project "mallet-project"`,
- kubeErr: `User "harold" cannot create localsubjectaccessreviews.authorization.k8s.io in project "mallet-project"`,
+ err: `User "harold" cannot create localsubjectaccessreviews in the namespace "mallet-project"`,
+ kubeErr: `User "harold" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "mallet-project"`,
 }.run(t)
 subjectAccessReviewTest{
 description: "system:anonymous denied ability to run subject access review in project mallet-project",
@@ -1183,8 +1183,8 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 localReview: askCanEdgarDeletePods,
 kubeAuthInterface: anonymousSARGetter,
 kubeNamespace: "mallet-project",
- err: `User "system:anonymous" cannot create localsubjectaccessreviews in project "mallet-project"`,
- kubeErr: `User "system:anonymous" cannot create localsubjectaccessreviews.authorization.k8s.io in project "mallet-project"`,
+ err: `User "system:anonymous" cannot create localsubjectaccessreviews in the namespace "mallet-project"`,
+ kubeErr: `User "system:anonymous" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "mallet-project"`,
 }.run(t)
 // ensure message does not leak whether the namespace exists or not
 subjectAccessReviewTest{
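Review bot: The `err` and `kubeErr` literals for `mallet-project` here and for `nonexistent-project` in the hunks at -1193 and -1202 are kept in step by hand, so the property named in the `// ensure message does not leak whether the namespace exists or not` comment holds only while every pair is edited identically. Building them from one format would make the existing and nonexistent cases identical by construction, for example `forbiddenSAR := func(user, ns string) string { return fmt.Sprintf("User %q cannot create localsubjectaccessreviews in the namespace %q", user, ns) }`, with a second format for the `.authorization.k8s.io` variant. The same literal appears in the bootstrap_policy_test.go hunk at -112. Whether `fmt` is already imported is not visible from these hunks, and the test function starts and ends outside them.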
@@ -1193,8 +1193,8 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 localReview: askCanEdgarDeletePods,
 kubeAuthInterface: haroldSARGetter,
 kubeNamespace: "nonexistent-project",
- err: `User "harold" cannot create localsubjectaccessreviews in project "nonexistent-project"`,
- kubeErr: `User "harold" cannot create localsubjectaccessreviews.authorization.k8s.io in project "nonexistent-project"`,
+ err: `User "harold" cannot create localsubjectaccessreviews in the namespace "nonexistent-project"`,
+ kubeErr: `User "harold" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "nonexistent-project"`,
 }.run(t)
 subjectAccessReviewTest{
 description: "system:anonymous denied ability to run subject access review in project nonexistent-project",
@@ -1202,8 +1202,8 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 localReview: askCanEdgarDeletePods,
 kubeAuthInterface: anonymousSARGetter,
 kubeNamespace: "nonexistent-project",
- err: `User "system:anonymous" cannot create localsubjectaccessreviews in project "nonexistent-project"`,
- kubeErr: `User "system:anonymous" cannot create localsubjectaccessreviews.authorization.k8s.io in project "nonexistent-project"`,
+ err: `User "system:anonymous" cannot create localsubjectaccessreviews in the namespace "nonexistent-project"`,
+ kubeErr: `User "system:anonymous" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "nonexistent-project"`,
 }.run(t)
 askCanHaroldUpdateProject := &authorizationapi.LocalSubjectAccessReview{
diff --git a/test/integration/bootstrap_policy_test.go b/test/integration/bootstrap_policy_test.go
index 55015c871b04..c537b2b2dd82 100644
--- a/test/integration/bootstrap_policy_test.go
+++ b/test/integration/bootstrap_policy_test.go
@@ -112,8 +112,8 @@ func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) {
 localReview: askCanClusterAdminsCreateProject,
 kubeAuthInterface: valerieKubeClient.Authorization(),
 kubeNamespace: "openshift",
- err: `User "valerie" cannot create localsubjectaccessreviews in project "openshift"`,
- kubeErr: `User "valerie" cannot create localsubjectaccessreviews.authorization.k8s.io in project "openshift"`,
+ err: `User "valerie" cannot create localsubjectaccessreviews in the namespace "openshift"`,
+ kubeErr: `User "valerie" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "openshift"`,
 }.run(t)
 }
diff --git a/test/integration/oauth_cert_fallback_test.go b/test/integration/oauth_cert_fallback_test.go
index 32fdf5cd3a8f..f4f243298686 100644
--- a/test/integration/oauth_cert_fallback_test.go
+++ b/test/integration/oauth_cert_fallback_test.go
@@ -35,7 +35,7 @@ func TestOAuthCertFallback(t *testing.T) {
 certUser = "system:admin"
 unauthorizedError = "the server has asked for the client to provide credentials (get users ~)"
- anonymousError = `User "system:anonymous" cannot get users at the cluster scope`
+ anonymousError = `User "system:anonymous" cannot get users at the cluster scope: User "system:anonymous" cannot get users at the cluster scope (get users ~)`
 )
 // Build master config
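Review bot: The new `anonymousError` value in the oauth_cert_fallback_test.go hunk contains the denial clause twice (`... cannot get users at the cluster scope: User "system:anonymous" cannot get users at the cluster scope (get users ~)`), so the test now pins what looks like a Forbidden message that was wrapped twice rather than output anyone intended. How `anonymousError` is compared lies outside the hunk; if it is an exact match, I would rather remove the duplication where the status message is assembled, or assert only on the single clause so the artifact is not locked in. If the doubled text has to stay for now, a comment on the constant such as `// message and reason are both rendered by the client today; see <tracking issue placeholder>` would tell the next reader it is known and not a typo.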