From 73338c4b03df4dc4917351fa7b8c4f4572838cb9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 12 Jan 2018 15:03:22 -0500 Subject: [PATCH 1/4] Deprecate a bunch of policy commands Push people to use native RBAC commands where reasonable equivalents exist, or where the replacement command will lead to better practices. Signed-off-by: Simo Sorce --- pkg/oc/admin/policy/cani.go | 1 + pkg/oc/admin/policy/modify_roles.go | 8 ++++++++ pkg/oc/admin/policy/reconcile_clusterrolebindings.go | 1 + pkg/oc/admin/policy/reconcile_clusterroles.go | 1 + 4 files changed, 11 insertions(+) diff --git a/pkg/oc/admin/policy/cani.go b/pkg/oc/admin/policy/cani.go index 57d2d69be837..7d88c8b02d02 100644 --- a/pkg/oc/admin/policy/cani.go +++ b/pkg/oc/admin/policy/cani.go @@ -71,6 +71,7 @@ func NewCmdCanI(name, fullName string, f *clientcmd.Factory, out io.Writer) *cob os.Exit(2) } }, + Deprecated: "use 'oc auth can-i'", } cmd.Flags().BoolVar(&o.AllNamespaces, "all-namespaces", o.AllNamespaces, "If true, check the specified action in all namespaces.") diff --git a/pkg/oc/admin/policy/modify_roles.go b/pkg/oc/admin/policy/modify_roles.go index 061c5a331ea2..77128b04899b 100644 --- a/pkg/oc/admin/policy/modify_roles.go +++ b/pkg/oc/admin/policy/modify_roles.go @@ -80,6 +80,7 @@ func NewCmdAddRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Wr printSuccessForCommand(options.RoleName, true, "group", options.Targets, true, options.DryRun, out) } }, + Deprecated: fmt.Sprintf("Use oc edit rolebinding"), } cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role") 
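Review bot: `Deprecated: fmt.Sprintf("Use oc edit rolebinding")` in NewCmdAddRoleToGroup calls `fmt.Sprintf` with no format verbs or arguments; a plain string literal does the same thing and matches the cani.go hunk above, which uses `Deprecated: "use 'oc auth can-i'"`. The messages also differ in case and quoting (`Use oc edit rolebinding` versus `use 'oc auth can-i'`); a single form such as `Deprecated: "use 'oc edit rolebinding'"` would read uniformly in the deprecation notice. The same `fmt.Sprintf` wrapper appears in the seven other modify_roles.go hunks of this patch and in the reconcile_clusterroles.go hunk, where the hunk does not show whether `fmt` is already imported.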
@@ -113,6 +114,7 @@ func NewCmdAddRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Wri printSuccessForCommand(options.RoleName, true, "user", options.Targets, true, options.DryRun, out) } }, + Deprecated: fmt.Sprintf("Use oc edit rolebinding"), } cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role") @@ -145,6 +147,7 @@ func NewCmdRemoveRoleFromGroup(name, fullName string, f *clientcmd.Factory, out printSuccessForCommand(options.RoleName, false, "group", options.Targets, true, options.DryRun, out) } }, + Deprecated: fmt.Sprintf("Use oc edit rolebinding"), } cmd.Flags().StringVar(&options.RoleNamespace, "role-namespace", "", "namespace where the role is located: empty means a role defined in cluster policy") @@ -176,6 +179,7 @@ func NewCmdRemoveRoleFromUser(name, fullName string, f *clientcmd.Factory, out i printSuccessForCommand(options.RoleName, false, "user", options.Targets, true, options.DryRun, out) } }, + Deprecated: fmt.Sprintf("Use oc edit rolebinding"), } cmd.Flags().StringVar(&options.RoleNamespace, "role-namespace", "", "namespace where the role is located: empty means a role defined in cluster policy") @@ -207,6 +211,7 @@ func NewCmdAddClusterRoleToGroup(name, fullName string, f *clientcmd.Factory, ou printSuccessForCommand(options.RoleName, true, "group", options.Targets, false, options.DryRun, out) } }, + Deprecated: fmt.Sprintf("Use oc edit clusterrolebinding"), } cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role") 
@@ -237,6 +242,7 @@ func NewCmdAddClusterRoleToUser(name, fullName string, f *clientcmd.Factory, out printSuccessForCommand(options.RoleName, true, "user", options.Targets, false, options.DryRun, out) } }, + Deprecated: fmt.Sprintf("Use oc edit clusterrolebinding"), } cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role") @@ -268,6 +274,7 @@ func NewCmdRemoveClusterRoleFromGroup(name, fullName string, f *clientcmd.Factor printSuccessForCommand(options.RoleName, false, "group", options.Targets, false, options.DryRun, out) } }, + Deprecated: fmt.Sprintf("Use oc edit clusterrolebinding"), } kcmdutil.AddDryRunFlag(cmd) @@ -297,6 +304,7 @@ func NewCmdRemoveClusterRoleFromUser(name, fullName string, f *clientcmd.Factory printSuccessForCommand(options.RoleName, false, "user", options.Targets, false, options.DryRun, out) } }, + Deprecated: fmt.Sprintf("Use oc edit clusterrolebinding"), } cmd.Flags().StringSliceVarP(&saNames, "serviceaccount", "z", saNames, "service account in the current namespace to use as a user") diff --git a/pkg/oc/admin/policy/reconcile_clusterrolebindings.go b/pkg/oc/admin/policy/reconcile_clusterrolebindings.go index d7beed2feef5..ee6b9ec5c60a 100644 --- a/pkg/oc/admin/policy/reconcile_clusterrolebindings.go +++ b/pkg/oc/admin/policy/reconcile_clusterrolebindings.go @@ -104,6 +104,7 @@ func NewCmdReconcileClusterRoleBindings(name, fullName string, f *clientcmd.Fact kcmdutil.CheckErr(err) } }, + Deprecated: "use 'oc auth reconcile'", } cmd.Flags().BoolVar(&o.Confirmed, "confirm", o.Confirmed, "If true, specify that cluster role bindings should be modified. Defaults to false, displaying what would be replaced but not actually replacing anything.") diff --git a/pkg/oc/admin/policy/reconcile_clusterroles.go b/pkg/oc/admin/policy/reconcile_clusterroles.go index 5e848d04604b..765d668e3004 100644 
--- a/pkg/oc/admin/policy/reconcile_clusterroles.go +++ b/pkg/oc/admin/policy/reconcile_clusterroles.go @@ -100,6 +100,7 @@ func NewCmdReconcileClusterRoles(name, fullName string, f *clientcmd.Factory, ou kcmdutil.CheckErr(err) } }, + Deprecated: fmt.Sprintf("use 'oc auth reconcile'"), } cmd.Flags().BoolVar(&o.Confirmed, "confirm", o.Confirmed, "If true, specify that cluster roles should be modified. Defaults to false, displaying what would be replaced but not actually replacing anything.") From 3d737765c7ad290cda8bcb5ad4331c984b00096b Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 26 Jan 2018 14:51:08 -0500 Subject: [PATCH 2/4] Make some policy commands behave "better" Instead of deprecating add/remove-role commands, change them to behave better. On add: do not add to a random rolebinding, always create a new rolebinding if none was specified explicitly. On Remove: if a rolebinding name is specified remove only from it. Signed-off-by: Simo Sorce --- pkg/oc/admin/policy/modify_roles.go | 53 +++---- pkg/oc/admin/policy/modify_roles_test.go | 191 +++++++++++++++++++++-- test/cmd/admin.sh | 18 +-- test/cmd/policy.sh | 15 +- 4 files changed, 223 insertions(+), 54 deletions(-) diff --git a/pkg/oc/admin/policy/modify_roles.go b/pkg/oc/admin/policy/modify_roles.go index 77128b04899b..8e3006022177 100644 --- a/pkg/oc/admin/policy/modify_roles.go +++ b/pkg/oc/admin/policy/modify_roles.go 
@@ -80,10 +80,9 @@ func NewCmdAddRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Wr printSuccessForCommand(options.RoleName, true, "group", options.Targets, true, options.DryRun, out) } }, - Deprecated: fmt.Sprintf("Use oc edit rolebinding"), } - cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role") + cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty creates a new rolebinding with a default name") cmd.Flags().StringVar(&options.RoleNamespace, "role-namespace", "", "namespace where the role is located: empty means a role defined in cluster policy") kcmdutil.AddDryRunFlag(cmd) @@ -114,10 +113,9 @@ func NewCmdAddRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Wri printSuccessForCommand(options.RoleName, true, "user", options.Targets, true, options.DryRun, out) } }, - Deprecated: fmt.Sprintf("Use oc edit rolebinding"), } - cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role") + cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty creates a new rolebinding with a default name") cmd.Flags().StringVar(&options.RoleNamespace, "role-namespace", "", "namespace where the role is located: empty means a role defined in cluster policy") cmd.Flags().StringSliceVarP(&saNames, "serviceaccount", "z", saNames, "service account in the current namespace to use as a user") 
@@ -147,9 +145,9 @@ func NewCmdRemoveRoleFromGroup(name, fullName string, f *clientcmd.Factory, out printSuccessForCommand(options.RoleName, false, "group", options.Targets, true, options.DryRun, out) } }, - Deprecated: fmt.Sprintf("Use oc edit rolebinding"), } + cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify. If left empty it will operate on all rolebindings") cmd.Flags().StringVar(&options.RoleNamespace, "role-namespace", "", "namespace where the role is located: empty means a role defined in cluster policy") kcmdutil.AddDryRunFlag(cmd) @@ -179,9 +177,9 @@ func NewCmdRemoveRoleFromUser(name, fullName string, f *clientcmd.Factory, out i printSuccessForCommand(options.RoleName, false, "user", options.Targets, true, options.DryRun, out) } }, - Deprecated: fmt.Sprintf("Use oc edit rolebinding"), } + cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify. If left empty it will operate on all rolebindings") cmd.Flags().StringVar(&options.RoleNamespace, "role-namespace", "", "namespace where the role is located: empty means a role defined in cluster policy") cmd.Flags().StringSliceVarP(&saNames, "serviceaccount", "z", saNames, "service account in the current namespace to use as a user") 
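Review bot: The help text added for `--rolebinding-name` in NewCmdRemoveRoleFromGroup says an empty value "will operate on all rolebindings", which reads as every binding in the namespace. The RemoveRole hunk later in this patch falls back to `GetExistingRoleBindingsForRole(o.RoleNamespace, o.RoleName)`, so only bindings that reference the given role are selected. For a command that revokes access the scope should be stated exactly, for example `"Name of the rolebinding to modify. If left empty, removes the subjects from every rolebinding that references the role"`. The same string is added in NewCmdRemoveRoleFromUser in this file and in the two cluster-role remove commands, where the object being changed appears to be a clusterrolebinding.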
@@ -211,10 +209,9 @@ func NewCmdAddClusterRoleToGroup(name, fullName string, f *clientcmd.Factory, ou printSuccessForCommand(options.RoleName, true, "group", options.Targets, false, options.DryRun, out) } }, - Deprecated: fmt.Sprintf("Use oc edit clusterrolebinding"), } - cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role") + cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty creates a new rolebinding with a default name") kcmdutil.AddDryRunFlag(cmd) kcmdutil.AddPrinterFlags(cmd) return cmd @@ -242,10 +239,9 @@ func NewCmdAddClusterRoleToUser(name, fullName string, f *clientcmd.Factory, out printSuccessForCommand(options.RoleName, true, "user", options.Targets, false, options.DryRun, out) } }, - Deprecated: fmt.Sprintf("Use oc edit clusterrolebinding"), } - cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty, appends to the first rolebinding found for the given role") + cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify or create. If left empty creates a new rolebinding with a default name") cmd.Flags().StringSliceVarP(&saNames, "serviceaccount", "z", saNames, "service account in the current namespace to use as a user") kcmdutil.AddDryRunFlag(cmd) 
@@ -274,9 +270,10 @@ func NewCmdRemoveClusterRoleFromGroup(name, fullName string, f *clientcmd.Factor printSuccessForCommand(options.RoleName, false, "group", options.Targets, false, options.DryRun, out) } }, - Deprecated: fmt.Sprintf("Use oc edit clusterrolebinding"), } + cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify. If left empty it will operate on all rolebindings") + kcmdutil.AddDryRunFlag(cmd) kcmdutil.AddPrinterFlags(cmd) return cmd @@ -304,9 +301,9 @@ func NewCmdRemoveClusterRoleFromUser(name, fullName string, f *clientcmd.Factory printSuccessForCommand(options.RoleName, false, "user", options.Targets, false, options.DryRun, out) } }, - Deprecated: fmt.Sprintf("Use oc edit clusterrolebinding"), } + cmd.Flags().StringVar(&options.RoleBindingName, "rolebinding-name", "", "Name of the rolebinding to modify. If left empty it will operate on all rolebindings") cmd.Flags().StringSliceVarP(&saNames, "serviceaccount", "z", saNames, "service account in the current namespace to use as a user") kcmdutil.AddDryRunFlag(cmd) @@ -436,18 +433,7 @@ func (o *RoleModificationOptions) getUserSpecifiedBinding() (*authorizationapi.R } func (o *RoleModificationOptions) getUnspecifiedBinding() (*authorizationapi.RoleBinding, bool /* isUpdate */, error) { - // Look for existing bindings by role. - roleBindings, err := o.RoleBindingAccessor.GetExistingRoleBindingsForRole(o.RoleNamespace, o.RoleName) - if err != nil { - return nil, false, err - } - - if len(roleBindings) > 0 { - // only need to add the user or group to a single roleBinding on the role. Just choose the first one - return roleBindings[0], true, nil - } - - // Create a new rolebinding with the default naming. + // Always create a new role binding with the default naming roleBinding := &authorizationapi.RoleBinding{} roleBindingNames, err := o.RoleBindingAccessor.GetExistingRoleBindingNames() if err != nil { 
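Review bot: The replacement comment in getUnspecifiedBinding, `// Always create a new role binding with the default naming`, states what the code does but not why the lookup by role was removed, and the reason is the part a later maintainer needs. Suggest `// Never reuse an existing binding here: appending to whichever binding the role lookup returned first modified an object the caller did not name.` With the lookup gone, the `bool /* isUpdate */` result looks like it can only be false on this path; that is inferred, since the function body continues past the end of the hunk, and if it holds the comment should say so.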
@@ -520,9 +506,20 @@ subjectCheck: } func (o *RoleModificationOptions) RemoveRole() error { - roleBindings, err := o.RoleBindingAccessor.GetExistingRoleBindingsForRole(o.RoleNamespace, o.RoleName) - if err != nil { - return err + var roleBindings []*authorizationapi.RoleBinding + var err error + if len(o.RoleBindingName) > 0 { + existingRoleBinding, err := o.RoleBindingAccessor.GetRoleBinding(o.RoleBindingName) + if err != nil { + return err + } + roleBindings = make([]*authorizationapi.RoleBinding, 1) + roleBindings[0] = existingRoleBinding + } else { + roleBindings, err = o.RoleBindingAccessor.GetExistingRoleBindingsForRole(o.RoleNamespace, o.RoleName) + if err != nil { + return err + } } if len(roleBindings) == 0 { return fmt.Errorf("unable to locate RoleBinding for %v/%v", o.RoleNamespace, o.RoleName) @@ -554,7 +551,7 @@ func (o *RoleModificationOptions) RemoveRole() error { for _, roleBinding := range roleBindings { roleBinding.Subjects = removeSubjects(roleBinding.Subjects, subjectsToRemove) - err = o.RoleBindingAccessor.UpdateRoleBinding(roleBinding) + err := o.RoleBindingAccessor.UpdateRoleBinding(roleBinding) if err != nil { return err } diff --git a/pkg/oc/admin/policy/modify_roles_test.go b/pkg/oc/admin/policy/modify_roles_test.go index da5ace0eeed8..60ab18ea745b 100644 --- a/pkg/oc/admin/policy/modify_roles_test.go +++ b/pkg/oc/admin/policy/modify_roles_test.go @@ -1,6 +1,7 @@ package policy import ( + "fmt" "reflect" "testing" @@ -13,6 +14,7 @@ import ( func TestModifyNamedClusterRoleBinding(t *testing.T) { tests := map[string]struct { + action string inputRole string inputRoleBindingName string inputSubjects []string @@ -22,6 +24,7 @@ func TestModifyNamedClusterRoleBinding(t *testing.T) { }{ // no name provided - create "edit" for role "edit" "create-clusterrolebinding": { + action: "add", inputRole: "edit", inputSubjects: []string{ "foo", 
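Review bot: In RemoveRole, the new `len(o.RoleBindingName) > 0` branch fetches the binding by name and uses it without comparing its `RoleRef` to `o.RoleName`, so `--rolebinding-name X` combined with role R strips the subjects from X even when X grants a different role, and the caller would presumably still report that role R was removed. Add a guard right after the `GetRoleBinding` error check, `if existingRoleBinding.RoleRef.Name != o.RoleName { return fmt.Errorf("rolebinding %s does not reference role %s", o.RoleBindingName, o.RoleName) }`, and apply the same namespace matching that `GetExistingRoleBindingsForRole` uses. The remove cases added in modify_roles_test.go only use a named binding whose role matches, so a mismatch case is worth adding. RemoveRole's body continues outside this hunk.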
@@ -36,6 +39,7 @@ func TestModifyNamedClusterRoleBinding(t *testing.T) { }, // name provided - create "custom" for role "edit" "create-named-clusterrolebinding": { + action: "add", inputRole: "edit", inputRoleBindingName: "custom", inputSubjects: []string{ @@ -51,6 +55,7 @@ func TestModifyNamedClusterRoleBinding(t *testing.T) { }, // name provided - modify "custom" "update-named-clusterrolebinding": { + action: "add", inputRole: "edit", inputRoleBindingName: "custom", inputSubjects: []string{ @@ -86,15 +91,52 @@ func TestModifyNamedClusterRoleBinding(t *testing.T) { }, }, }, - // no name provided - modify "edit" + // name provided - remove from "custom" + "remove-named-clusterrolebinding": { + action: "remove", + inputRole: "edit", + inputRoleBindingName: "custom", + inputSubjects: []string{ + "baz", + }, + expectedRoleBindingName: "custom", + expectedSubjects: []string{ + "bar", + }, + existingClusterRoleBindings: &authorizationapi.ClusterRoleBindingList{ + Items: []authorizationapi.ClusterRoleBinding{{ + ObjectMeta: metav1.ObjectMeta{ + Name: "edit", + }, + Subjects: []kapi.ObjectReference{{ + Name: "foo", + Kind: authorizationapi.UserKind, + }}, + RoleRef: kapi.ObjectReference{ + Name: "edit", + }}, { + ObjectMeta: metav1.ObjectMeta{ + Name: "custom", + }, + Subjects: []kapi.ObjectReference{ + {Name: "bar", Kind: authorizationapi.UserKind}, + {Name: "baz", Kind: authorizationapi.UserKind}, + }, + RoleRef: kapi.ObjectReference{ + Name: "edit", + }}, + }, + }, + }, + // no name provided - creates "edit-0" "update-default-clusterrolebinding": { + action: "add", inputRole: "edit", inputSubjects: []string{ "baz", }, - expectedRoleBindingName: "edit", + expectedRoleBindingName: "edit-0", expectedSubjects: []string{ - "foo", "baz", }, existingClusterRoleBindings: &authorizationapi.ClusterRoleBindingList{ 
@@ -122,6 +164,44 @@ func TestModifyNamedClusterRoleBinding(t *testing.T) { }, }, }, + // no name provided - removes "baz" + "remove-default-clusterrolebinding": { + action: "remove", + inputRole: "edit", + inputSubjects: []string{ + "baz", + }, + expectedRoleBindingName: "edit", + expectedSubjects: []string{ + "foo", + }, + existingClusterRoleBindings: &authorizationapi.ClusterRoleBindingList{ + Items: []authorizationapi.ClusterRoleBinding{{ + ObjectMeta: metav1.ObjectMeta{ + Name: "edit", + }, + Subjects: []kapi.ObjectReference{ + {Name: "foo", Kind: authorizationapi.UserKind}, + {Name: "baz", Kind: authorizationapi.UserKind}, + }, + RoleRef: kapi.ObjectReference{ + Name: "edit", + }}, { + ObjectMeta: metav1.ObjectMeta{ + Name: "custom", + Namespace: metav1.NamespaceDefault, + }, + Subjects: []kapi.ObjectReference{{ + Name: "bar", + Kind: authorizationapi.UserKind, + }}, + RoleRef: kapi.ObjectReference{ + Name: "edit", + Namespace: metav1.NamespaceDefault, + }}, + }, + }, + }, } for tcName, tc := range tests { // Set up modifier options and run AddRole() @@ -132,12 +212,13 @@ func TestModifyNamedClusterRoleBinding(t *testing.T) { RoleBindingAccessor: NewClusterRoleBindingAccessor(fakeauthorizationclient.NewSimpleClientset(tc.existingClusterRoleBindings).Authorization()), } - addRoleAndCheck(t, o, tcName, tc.expectedRoleBindingName, tc.expectedSubjects) + modifyRoleAndCheck(t, o, tcName, tc.action, tc.expectedRoleBindingName, tc.expectedSubjects) } } func TestModifyNamedLocalRoleBinding(t *testing.T) { tests := map[string]struct { + action string inputRole string inputRoleBindingName string inputSubjects []string @@ -147,6 +228,7 @@ func TestModifyNamedLocalRoleBinding(t *testing.T) { }{ // no name provided - create "edit" for role "edit" "create-rolebinding": { + action: "add", inputRole: "edit", inputSubjects: []string{ "foo", 
@@ -161,6 +243,7 @@ func TestModifyNamedLocalRoleBinding(t *testing.T) { }, // name provided - create "custom" for role "edit" "create-named-binding": { + action: "add", inputRole: "edit", inputRoleBindingName: "custom", inputSubjects: []string{ @@ -176,13 +259,13 @@ func TestModifyNamedLocalRoleBinding(t *testing.T) { }, // no name provided - modify "edit" "update-default-binding": { + action: "add", inputRole: "edit", inputSubjects: []string{ "baz", }, - expectedRoleBindingName: "edit", + expectedRoleBindingName: "edit-0", expectedSubjects: []string{ - "foo", "baz", }, existingRoleBindings: &authorizationapi.RoleBindingList{ @@ -214,8 +297,49 @@ func TestModifyNamedLocalRoleBinding(t *testing.T) { }, }, }, + // no name provided - remove "bar" + "remove-default-binding": { + action: "remove", + inputRole: "edit", + inputSubjects: []string{ + "foo", + }, + expectedRoleBindingName: "edit", + expectedSubjects: []string{ + "baz", + }, + existingRoleBindings: &authorizationapi.RoleBindingList{ + Items: []authorizationapi.RoleBinding{{ + ObjectMeta: metav1.ObjectMeta{ + Name: "edit", + Namespace: metav1.NamespaceDefault, + }, + Subjects: []kapi.ObjectReference{ + {Name: "foo", Kind: authorizationapi.UserKind}, + {Name: "baz", Kind: authorizationapi.UserKind}, + }, + RoleRef: kapi.ObjectReference{ + Name: "edit", + Namespace: metav1.NamespaceDefault, + }}, { + ObjectMeta: metav1.ObjectMeta{ + Name: "custom", + Namespace: metav1.NamespaceDefault, + }, + Subjects: []kapi.ObjectReference{{ + Name: "bar", + Kind: authorizationapi.UserKind, + }}, + RoleRef: kapi.ObjectReference{ + Name: "edit", + Namespace: metav1.NamespaceDefault, + }}, + }, + }, + }, // name provided - modify "custom" "update-named-binding": { + action: "add", inputRole: "edit", inputRoleBindingName: "custom", inputSubjects: []string{ 
@@ -255,6 +379,47 @@ func TestModifyNamedLocalRoleBinding(t *testing.T) { }, }, }, + // name provided - modify "custom" + "remove-named-binding": { + action: "remove", + inputRole: "edit", + inputRoleBindingName: "custom", + inputSubjects: []string{ + "baz", + }, + expectedRoleBindingName: "custom", + expectedSubjects: []string{ + "bar", + }, + existingRoleBindings: &authorizationapi.RoleBindingList{ + Items: []authorizationapi.RoleBinding{{ + ObjectMeta: metav1.ObjectMeta{ + Name: "edit", + Namespace: metav1.NamespaceDefault, + }, + Subjects: []kapi.ObjectReference{{ + Name: "foo", + Kind: authorizationapi.UserKind, + }}, + RoleRef: kapi.ObjectReference{ + Name: "edit", + Namespace: metav1.NamespaceDefault, + }}, { + ObjectMeta: metav1.ObjectMeta{ + Name: "custom", + Namespace: metav1.NamespaceDefault, + }, + Subjects: []kapi.ObjectReference{ + {Name: "bar", Kind: authorizationapi.UserKind}, + {Name: "baz", Kind: authorizationapi.UserKind}, + }, + RoleRef: kapi.ObjectReference{ + Name: "edit", + Namespace: metav1.NamespaceDefault, + }}, + }, + }, + }, } for tcName, tc := range tests { // Set up modifier options and run AddRole() 
@@ -266,12 +431,20 @@ func TestModifyNamedLocalRoleBinding(t *testing.T) { RoleBindingAccessor: NewLocalRoleBindingAccessor(metav1.NamespaceDefault, fakeauthorizationclient.NewSimpleClientset(tc.existingRoleBindings).Authorization()), } - addRoleAndCheck(t, o, tcName, tc.expectedRoleBindingName, tc.expectedSubjects) + modifyRoleAndCheck(t, o, tcName, tc.action, tc.expectedRoleBindingName, tc.expectedSubjects) } } -func addRoleAndCheck(t *testing.T, o *RoleModificationOptions, tcName, expectedName string, expectedSubjects []string) { - err := o.AddRole() +func modifyRoleAndCheck(t *testing.T, o *RoleModificationOptions, tcName, action string, expectedName string, expectedSubjects []string) { + var err error + switch action { + case "add": + err = o.AddRole() + case "remove": + err = o.RemoveRole() + default: + err = fmt.Errorf("Invalid action %s", action) + } if err != nil { t.Errorf("%s: unexpected err %v", tcName, err) } diff --git a/test/cmd/admin.sh b/test/cmd/admin.sh index 506536acdad0..ea184820932e 100755 --- a/test/cmd/admin.sh +++ b/test/cmd/admin.sh 
@@ -141,13 +141,13 @@ os::cmd::expect_success_and_text 'oc adm policy who-can get hpa.autoscaling -n d os::cmd::expect_success_and_text 'oc adm policy who-can get hpa.v1.autoscaling -n default' "Resource: horizontalpodautoscalers.autoscaling" os::cmd::expect_success_and_text 'oc adm policy who-can get hpa -n default' "Resource: horizontalpodautoscalers.autoscaling" -os::cmd::expect_success 'oc adm policy add-role-to-group cluster-admin system:unauthenticated' -os::cmd::expect_success 'oc adm policy add-role-to-user cluster-admin system:no-user' -os::cmd::expect_success 'oc adm policy add-role-to-user admin -z fake-sa' +os::cmd::expect_success 'oc adm policy add-role-to-group --rolebinding-name=cluster-admin cluster-admin system:unauthenticated' +os::cmd::expect_success 'oc adm policy add-role-to-user --rolebinding-name=cluster-admin cluster-admin system:no-user' +os::cmd::expect_success 'oc adm policy add-role-to-user --rolebinding-name=admin admin -z fake-sa' os::cmd::expect_success_and_text 'oc get rolebinding/admin -o jsonpath={.subjects}' 'fake-sa' os::cmd::expect_success 'oc adm policy remove-role-from-user admin -z fake-sa' os::cmd::expect_success_and_not_text 'oc get rolebinding/admin -o jsonpath={.subjects}' 'fake-sa' -os::cmd::expect_success 'oc adm policy add-role-to-user admin -z fake-sa' +os::cmd::expect_success 'oc adm policy add-role-to-user --rolebinding-name=admin admin -z fake-sa' os::cmd::expect_success_and_text 'oc get rolebinding/admin -o jsonpath={.subjects}' 'fake-sa' os::cmd::expect_success "oc adm policy remove-role-from-user admin system:serviceaccount:$(oc project -q):fake-sa" os::cmd::expect_success_and_not_text 'oc get rolebinding/admin -o jsonpath={.subjects}' 'fake-sa' 
@@ -296,7 +296,7 @@ os::test::junit::declare_suite_start "cmd/admin/ui-project-commands" # Test the commands the UI projects page tells users to run # These should match what is described in projects.html os::cmd::expect_success 'oc adm new-project ui-test-project --admin="createuser"' -os::cmd::expect_success 'oc adm policy add-role-to-user admin adduser -n ui-test-project' +os::cmd::expect_success 'oc adm policy add-role-to-user --rolebinding-name=admin admin adduser -n ui-test-project' # Make sure project can be listed by oc (after auth cache syncs) os::cmd::try_until_text 'oc get projects' 'ui\-test\-project' # Make sure users got added 
@@ -452,10 +452,10 @@ os::cmd::expect_success_and_text 'oc adm groups new orphaned-group cascaded-user # Add roles, sccs to users/groups os::cmd::expect_success 'oc adm policy add-scc-to-user restricted cascaded-user orphaned-user' os::cmd::expect_success 'oc adm policy add-scc-to-group restricted cascaded-group orphaned-group' -os::cmd::expect_success 'oc adm policy add-role-to-user cluster-admin cascaded-user orphaned-user -n default' -os::cmd::expect_success 'oc adm policy add-role-to-group cluster-admin cascaded-group orphaned-group -n default' -os::cmd::expect_success 'oc adm policy add-cluster-role-to-user cluster-admin cascaded-user orphaned-user' -os::cmd::expect_success 'oc adm policy add-cluster-role-to-group cluster-admin cascaded-group orphaned-group' +os::cmd::expect_success 'oc adm policy add-role-to-user --rolebinding-name=cluster-admin cluster-admin cascaded-user orphaned-user -n default' +os::cmd::expect_success 'oc adm policy add-role-to-group --rolebinding-name=cluster-admin cluster-admin cascaded-group orphaned-group -n default' +os::cmd::expect_success 'oc adm policy add-cluster-role-to-user --rolebinding-name=cluster-admin cluster-admin cascaded-user orphaned-user' +os::cmd::expect_success 'oc adm policy add-cluster-role-to-group --rolebinding-name=cluster-admin cluster-admin cascaded-group orphaned-group' # Delete users os::cmd::expect_success 'oc delete user cascaded-user' diff --git a/test/cmd/policy.sh b/test/cmd/policy.sh index 6c1f212978d6..72f703d25f96 100755 --- a/test/cmd/policy.sh +++ b/test/cmd/policy.sh 
@@ -50,22 +50,21 @@ os::cmd::expect_failure_and_text 'oc policy add-role-to-user' 'you must specify os::cmd::expect_failure_and_text 'oc policy add-role-to-user -z NamespaceWithoutRole' 'you must specify a role' os::cmd::expect_failure_and_text 'oc policy add-role-to-user view' 'you must specify at least one user or service account' -os::cmd::expect_success_and_text 'oc policy add-role-to-group cluster-admin system:unauthenticated' 'role "cluster-admin" added: "system:unauthenticated"' -os::cmd::expect_success_and_text 'oc policy add-role-to-user cluster-admin system:no-user' 'role "cluster-admin" added: "system:no-user"' +os::cmd::expect_success_and_text 'oc policy add-role-to-group cluster-admin --rolebinding-name cluster-admin system:unauthenticated' 'role "cluster-admin" added: "system:unauthenticated"' +os::cmd::expect_success_and_text 'oc policy add-role-to-user --rolebinding-name cluster-admin cluster-admin system:no-user' 'role "cluster-admin" added: "system:no-user"' os::cmd::expect_success 'oc get rolebinding/cluster-admin --no-headers' os::cmd::expect_success_and_text 'oc get rolebinding/cluster-admin --no-headers' 'system:no-user' -os::cmd::expect_success_and_text 'oc policy add-role-to-user cluster-admin -z=one,two --serviceaccount=three,four' 'role "cluster-admin" added: \["one" "two" "three" "four"\]' +os::cmd::expect_success_and_text 'oc policy add-role-to-user --rolebinding-name cluster-admin cluster-admin -z=one,two --serviceaccount=three,four' 'role "cluster-admin" added: \["one" "two" "three" "four"\]' os::cmd::expect_success 'oc get rolebinding/cluster-admin --no-headers' os::cmd::expect_success_and_text 'oc get rolebinding/cluster-admin --no-headers' 'one' os::cmd::expect_success_and_text 'oc get rolebinding/cluster-admin --no-headers' 'four' -os::cmd::expect_success_and_text 'oc policy remove-role-from-group cluster-admin system:unauthenticated' 'role "cluster-admin" removed: "system:unauthenticated"' +os::cmd::expect_success_and_text 'oc 
policy remove-role-from-group --rolebinding-name cluster-admin cluster-admin system:unauthenticated' 'role "cluster-admin" removed: "system:unauthenticated"' -os::cmd::expect_success_and_text 'oc policy remove-role-from-user cluster-admin system:no-user' 'role "cluster-admin" removed: "system:no-user"' -os::cmd::expect_success_and_text 'oc policy remove-role-from-user cluster-admin -z=one,two --serviceaccount=three,four' 'role "cluster-admin" removed: \["one" "two" "three" "four"\]' -os::cmd::expect_success 'oc get rolebinding/cluster-admin --no-headers' -os::cmd::expect_success_and_not_text 'oc get rolebinding/cluster-admin --no-headers' 'four' +os::cmd::expect_success_and_text 'oc policy remove-role-from-user --rolebinding-name cluster-admin cluster-admin system:no-user' 'role "cluster-admin" removed: "system:no-user"' +os::cmd::expect_success_and_text 'oc policy remove-role-from-user --rolebinding-name cluster-admin cluster-admin -z=one,two --serviceaccount=three,four' 'role "cluster-admin" removed: \["one" "two" "three" "four"\]' +os::cmd::expect_failure_and_text 'oc get rolebinding/cluster-admin --no-headers' 'NotFound' os::cmd::expect_success 'oc policy remove-group system:unauthenticated' os::cmd::expect_success 'oc policy remove-user system:no-user' From 707c4434ede416df0c0b5c49d38364763c8f4701 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 29 Jan 2018 12:05:15 -0500 Subject: [PATCH 3/4] Remove empty role bindings when removing subjects --- pkg/oc/admin/policy/modify_roles.go | 6 +++++- pkg/oc/admin/policy/policy.go | 9 +++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/pkg/oc/admin/policy/modify_roles.go b/pkg/oc/admin/policy/modify_roles.go index 8e3006022177..b360eb05eaef 100644 --- a/pkg/oc/admin/policy/modify_roles.go +++ b/pkg/oc/admin/policy/modify_roles.go 
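Review bot: The added `os::cmd::expect_failure_and_text 'oc get rolebinding/cluster-admin --no-headers' 'NotFound'` expects the binding to be gone once its last subject is removed, but in this patch RemoveRole still calls `UpdateRoleBinding` on the emptied binding; the delete-when-empty branch only arrives in PATCH 3/4. As far as the visible hunks show, this assertion fails on a tree that stops at PATCH 2/4, which breaks bisection. Move the assertion change into PATCH 3/4, or fold the delete behaviour into this patch.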
@@ -551,7 +551,11 @@ func (o *RoleModificationOptions) RemoveRole() error {
 for _, roleBinding := range roleBindings {
 roleBinding.Subjects = removeSubjects(roleBinding.Subjects, subjectsToRemove)
- err := o.RoleBindingAccessor.UpdateRoleBinding(roleBinding)
+ if len(roleBinding.Subjects) > 0 {
+ err = o.RoleBindingAccessor.UpdateRoleBinding(roleBinding)
+ } else {
+ err = o.RoleBindingAccessor.DeleteRoleBinding(roleBinding.Name)
+ }
 if err != nil {
 return err
 }
diff --git a/pkg/oc/admin/policy/policy.go b/pkg/oc/admin/policy/policy.go
index 448b2d0a680b..b2464689808e 100644
--- a/pkg/oc/admin/policy/policy.go
+++ b/pkg/oc/admin/policy/policy.go
@@ -121,6 +121,7 @@ type RoleBindingAccessor interface {
 GetRoleBinding(name string) (*authorizationapi.RoleBinding, error)
 UpdateRoleBinding(binding *authorizationapi.RoleBinding) error
 CreateRoleBinding(binding *authorizationapi.RoleBinding) error
+ DeleteRoleBinding(name string) error
 }
 // LocalRoleBindingAccessor operates against role bindings in namespace
@@ -181,6 +182,10 @@ func (a LocalRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.Ro
 return err
 }
+func (a LocalRoleBindingAccessor) DeleteRoleBinding(name string) error {
+ return a.Client.RoleBindings(a.BindingNamespace).Delete(name, &metav1.DeleteOptions{})
+}
+
 // ClusterRoleBindingAccessor operates against cluster scoped role bindings
 type ClusterRoleBindingAccessor struct {
 Client authorizationtypedclient.ClusterRoleBindingsGetter
@@ -249,3 +254,7 @@ func (a ClusterRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.
 _, err := a.Client.ClusterRoleBindings().Create(clusterBinding)
 return err
 }
+
+func (a ClusterRoleBindingAccessor) DeleteRoleBinding(name string) error {
+ return a.Client.ClusterRoleBindings().Delete(name, &metav1.DeleteOptions{})
+}
From 728f1701eda5ae4d2054e4317368f96fe88e9699 Mon Sep 17 00:00:00 2001
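Review bot: In the `RemoveRole` hunk the new `else` branch deletes a binding by name whenever its filtered subject list is empty, which also covers a binding that had no subjects before this call and one that changed on the server after it was listed. Both accessors added in policy.go pass an empty `&metav1.DeleteOptions{}`, so nothing ties the delete to the object that was inspected; a subject granted concurrently would disappear together with the binding. I would record `before := len(roleBinding.Subjects)` ahead of `removeSubjects` and take the delete branch only when `before > 0`, and consider setting `Preconditions` with the binding's UID on the delete options. `err =` now depends on an `err` declared earlier in `RemoveRole`, which lies outside the hunk.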
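Review bot: The exported `DeleteRoleBinding` methods in the `@@ -181,6 +182,10 @@` hunk (`LocalRoleBindingAccessor`) and the `@@ -249,3 +254,7 @@` hunk (`ClusterRoleBindingAccessor`) have no doc comment, and nothing states that the deletion is unconditional. I would add `// DeleteRoleBinding deletes the named role binding in BindingNamespace; no delete preconditions are set.` and `// DeleteRoleBinding deletes the named cluster role binding; no delete preconditions are set.` above them. Adding a method to the exported `RoleBindingAccessor` interface also breaks any implementation that lives outside this file, such as a test fake; whether one exists cannot be checked from this diff.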
From: Simo Sorce
Date: Fri, 26 Jan 2018 15:11:47 -0500
Subject: [PATCH 4/4] Generated files
---
 contrib/completions/bash/oc | 249 ++----------------------------------
 contrib/completions/zsh/oc | 249 ++----------------------------------
 2 files changed, 24 insertions(+), 474 deletions(-)
diff --git a/contrib/completions/bash/oc b/contrib/completions/bash/oc
index 0c43c136f413..80e6f0b3693c 100644
--- a/contrib/completions/bash/oc
+++ b/contrib/completions/bash/oc
@@ -5330,154 +5330,6 @@ _oc_adm_policy_add-scc-to-user() noun_aliases=() } -_oc_adm_policy_reconcile-cluster-role-bindings() -{ - last_command="oc_adm_policy_reconcile-cluster-role-bindings" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--additive-only") - local_nonpersistent_flags+=("--additive-only") - flags+=("--allow-missing-template-keys") - local_nonpersistent_flags+=("--allow-missing-template-keys") - flags+=("--confirm") - local_nonpersistent_flags+=("--confirm") - flags+=("--exclude-groups=") - local_nonpersistent_flags+=("--exclude-groups=") - flags+=("--exclude-users=") - local_nonpersistent_flags+=("--exclude-users=") - flags+=("--no-headers") - local_nonpersistent_flags+=("--no-headers") - flags+=("--output=") - two_word_flags+=("-o") - local_nonpersistent_flags+=("--output=") - flags+=("--output-version=") - local_nonpersistent_flags+=("--output-version=") - flags+=("--show-all") - flags+=("-a") - local_nonpersistent_flags+=("--show-all") - flags+=("--show-labels") - local_nonpersistent_flags+=("--show-labels") - flags+=("--sort-by=") - local_nonpersistent_flags+=("--sort-by=") - flags+=("--template=") - flags_with_completion+=("--template") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--template=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags_with_completion+=("--certificate-authority") - flags_completion+=("_filedir") - flags+=("--client-certificate=") - flags_with_completion+=("--client-certificate") - flags_completion+=("_filedir") - flags+=("--client-key=") - flags_with_completion+=("--client-key") - flags_completion+=("_filedir") - flags+=("--cluster=") - flags+=("--config=") - flags_with_completion+=("--config") - flags_completion+=("_filedir") - flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--log-flush-frequency=") - 
flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - two_word_flags+=("-n") - flags+=("--request-timeout=") - flags+=("--server=") - flags+=("--token=") - flags+=("--user=") - flags+=("--v=") - flags+=("--version") - flags+=("--vmodule=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - -_oc_adm_policy_reconcile-cluster-roles() -{ - last_command="oc_adm_policy_reconcile-cluster-roles" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--additive-only") - local_nonpersistent_flags+=("--additive-only") - flags+=("--allow-missing-template-keys") - local_nonpersistent_flags+=("--allow-missing-template-keys") - flags+=("--confirm") - local_nonpersistent_flags+=("--confirm") - flags+=("--no-headers") - local_nonpersistent_flags+=("--no-headers") - flags+=("--output=") - two_word_flags+=("-o") - local_nonpersistent_flags+=("--output=") - flags+=("--output-version=") - local_nonpersistent_flags+=("--output-version=") - flags+=("--show-all") - flags+=("-a") - local_nonpersistent_flags+=("--show-all") - flags+=("--show-labels") - local_nonpersistent_flags+=("--show-labels") - flags+=("--sort-by=") - local_nonpersistent_flags+=("--sort-by=") - flags+=("--template=") - flags_with_completion+=("--template") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--template=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags_with_completion+=("--certificate-authority") - flags_completion+=("_filedir") - flags+=("--client-certificate=") - flags_with_completion+=("--client-certificate") - flags_completion+=("_filedir") - flags+=("--client-key=") - flags_with_completion+=("--client-key") - flags_completion+=("_filedir") - flags+=("--cluster=") - flags+=("--config=") - flags_with_completion+=("--config") - flags_completion+=("_filedir") - 
flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--log-flush-frequency=") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - two_word_flags+=("-n") - flags+=("--request-timeout=") - flags+=("--server=") - flags+=("--token=") - flags+=("--user=") - flags+=("--v=") - flags+=("--version") - flags+=("--vmodule=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_adm_policy_reconcile-sccs() { last_command="oc_adm_policy_reconcile-sccs" @@ -5574,6 +5426,8 @@ _oc_adm_policy_remove-cluster-role-from-group() local_nonpersistent_flags+=("--output=") flags+=("--output-version=") local_nonpersistent_flags+=("--output-version=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--show-all") flags+=("-a") local_nonpersistent_flags+=("--show-all") @@ -5644,6 +5498,8 @@ _oc_adm_policy_remove-cluster-role-from-user() local_nonpersistent_flags+=("--output=") flags+=("--output-version=") local_nonpersistent_flags+=("--output-version=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--serviceaccount=") two_word_flags+=("-z") local_nonpersistent_flags+=("--serviceaccount=") @@ -5774,6 +5630,8 @@ _oc_adm_policy_remove-role-from-group() local_nonpersistent_flags+=("--output-version=") flags+=("--role-namespace=") local_nonpersistent_flags+=("--role-namespace=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--show-all") flags+=("-a") local_nonpersistent_flags+=("--show-all") 
@@ -5846,6 +5704,8 @@ _oc_adm_policy_remove-role-from-user() local_nonpersistent_flags+=("--output-version=") flags+=("--role-namespace=") local_nonpersistent_flags+=("--role-namespace=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--serviceaccount=") two_word_flags+=("-z") local_nonpersistent_flags+=("--serviceaccount=") @@ -6357,8 +6217,6 @@ _oc_adm_policy() commands+=("add-role-to-user") commands+=("add-scc-to-group") commands+=("add-scc-to-user") - commands+=("reconcile-cluster-role-bindings") - commands+=("reconcile-cluster-roles") commands+=("reconcile-sccs") commands+=("remove-cluster-role-from-group") commands+=("remove-cluster-role-from-user") 
@@ -16071,92 +15929,6 @@ _oc_policy_add-role-to-user() noun_aliases=() } -_oc_policy_can-i() -{ - last_command="oc_policy_can-i" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--all-namespaces") - local_nonpersistent_flags+=("--all-namespaces") - flags+=("--allow-missing-template-keys") - local_nonpersistent_flags+=("--allow-missing-template-keys") - flags+=("--groups=") - local_nonpersistent_flags+=("--groups=") - flags+=("--ignore-scopes") - local_nonpersistent_flags+=("--ignore-scopes") - flags+=("--list") - local_nonpersistent_flags+=("--list") - flags+=("--no-headers") - local_nonpersistent_flags+=("--no-headers") - flags+=("--output=") - two_word_flags+=("-o") - local_nonpersistent_flags+=("--output=") - flags+=("--output-version=") - local_nonpersistent_flags+=("--output-version=") - flags+=("--quiet") - flags+=("-q") - local_nonpersistent_flags+=("--quiet") - flags+=("--scopes=") - local_nonpersistent_flags+=("--scopes=") - flags+=("--show-all") - flags+=("-a") - local_nonpersistent_flags+=("--show-all") - flags+=("--show-labels") - local_nonpersistent_flags+=("--show-labels") - flags+=("--sort-by=") - local_nonpersistent_flags+=("--sort-by=") - flags+=("--template=") - flags_with_completion+=("--template") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--template=") - flags+=("--user=") - local_nonpersistent_flags+=("--user=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags_with_completion+=("--certificate-authority") - flags_completion+=("_filedir") - flags+=("--client-certificate=") - flags_with_completion+=("--client-certificate") - flags_completion+=("_filedir") - flags+=("--client-key=") - flags_with_completion+=("--client-key") - flags_completion+=("_filedir") - flags+=("--cluster=") - flags+=("--config=") - flags_with_completion+=("--config") - flags_completion+=("_filedir") 
- flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--log-flush-frequency=") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - flags_with_completion+=("--namespace") - flags_completion+=("__oc_get_namespaces") - two_word_flags+=("-n") - flags_with_completion+=("-n") - flags_completion+=("__oc_get_namespaces") - flags+=("--request-timeout=") - flags+=("--server=") - flags+=("--token=") - flags+=("--v=") - flags+=("--version") - flags+=("--vmodule=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_policy_remove-group() { last_command="oc_policy_remove-group" @@ -16240,6 +16012,8 @@ _oc_policy_remove-role-from-group() local_nonpersistent_flags+=("--output-version=") flags+=("--role-namespace=") local_nonpersistent_flags+=("--role-namespace=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--show-all") flags+=("-a") local_nonpersistent_flags+=("--show-all") @@ -16316,6 +16090,8 @@ _oc_policy_remove-role-from-user() local_nonpersistent_flags+=("--output-version=") flags+=("--role-namespace=") local_nonpersistent_flags+=("--role-namespace=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--serviceaccount=") two_word_flags+=("-z") local_nonpersistent_flags+=("--serviceaccount=") @@ -16700,7 +16476,6 @@ _oc_policy() commands=() commands+=("add-role-to-group") commands+=("add-role-to-user") - commands+=("can-i") commands+=("remove-group") commands+=("remove-role-from-group") commands+=("remove-role-from-user") diff --git a/contrib/completions/zsh/oc b/contrib/completions/zsh/oc index 5e50fa24f82b..cb1b06a64f3b 100644 --- a/contrib/completions/zsh/oc +++ b/contrib/completions/zsh/oc 
@@ -5472,154 +5472,6 @@ _oc_adm_policy_add-scc-to-user() noun_aliases=() } -_oc_adm_policy_reconcile-cluster-role-bindings() -{ - last_command="oc_adm_policy_reconcile-cluster-role-bindings" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--additive-only") - local_nonpersistent_flags+=("--additive-only") - flags+=("--allow-missing-template-keys") - local_nonpersistent_flags+=("--allow-missing-template-keys") - flags+=("--confirm") - local_nonpersistent_flags+=("--confirm") - flags+=("--exclude-groups=") - local_nonpersistent_flags+=("--exclude-groups=") - flags+=("--exclude-users=") - local_nonpersistent_flags+=("--exclude-users=") - flags+=("--no-headers") - local_nonpersistent_flags+=("--no-headers") - flags+=("--output=") - two_word_flags+=("-o") - local_nonpersistent_flags+=("--output=") - flags+=("--output-version=") - local_nonpersistent_flags+=("--output-version=") - flags+=("--show-all") - flags+=("-a") - local_nonpersistent_flags+=("--show-all") - flags+=("--show-labels") - local_nonpersistent_flags+=("--show-labels") - flags+=("--sort-by=") - local_nonpersistent_flags+=("--sort-by=") - flags+=("--template=") - flags_with_completion+=("--template") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--template=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags_with_completion+=("--certificate-authority") - flags_completion+=("_filedir") - flags+=("--client-certificate=") - flags_with_completion+=("--client-certificate") - flags_completion+=("_filedir") - flags+=("--client-key=") - flags_with_completion+=("--client-key") - flags_completion+=("_filedir") - flags+=("--cluster=") - flags+=("--config=") - flags_with_completion+=("--config") - flags_completion+=("_filedir") - flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--log-flush-frequency=") - 
flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - two_word_flags+=("-n") - flags+=("--request-timeout=") - flags+=("--server=") - flags+=("--token=") - flags+=("--user=") - flags+=("--v=") - flags+=("--version") - flags+=("--vmodule=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - -_oc_adm_policy_reconcile-cluster-roles() -{ - last_command="oc_adm_policy_reconcile-cluster-roles" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--additive-only") - local_nonpersistent_flags+=("--additive-only") - flags+=("--allow-missing-template-keys") - local_nonpersistent_flags+=("--allow-missing-template-keys") - flags+=("--confirm") - local_nonpersistent_flags+=("--confirm") - flags+=("--no-headers") - local_nonpersistent_flags+=("--no-headers") - flags+=("--output=") - two_word_flags+=("-o") - local_nonpersistent_flags+=("--output=") - flags+=("--output-version=") - local_nonpersistent_flags+=("--output-version=") - flags+=("--show-all") - flags+=("-a") - local_nonpersistent_flags+=("--show-all") - flags+=("--show-labels") - local_nonpersistent_flags+=("--show-labels") - flags+=("--sort-by=") - local_nonpersistent_flags+=("--sort-by=") - flags+=("--template=") - flags_with_completion+=("--template") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--template=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags_with_completion+=("--certificate-authority") - flags_completion+=("_filedir") - flags+=("--client-certificate=") - flags_with_completion+=("--client-certificate") - flags_completion+=("_filedir") - flags+=("--client-key=") - flags_with_completion+=("--client-key") - flags_completion+=("_filedir") - flags+=("--cluster=") - flags+=("--config=") - flags_with_completion+=("--config") - flags_completion+=("_filedir") - 
flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--log-flush-frequency=") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - two_word_flags+=("-n") - flags+=("--request-timeout=") - flags+=("--server=") - flags+=("--token=") - flags+=("--user=") - flags+=("--v=") - flags+=("--version") - flags+=("--vmodule=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_adm_policy_reconcile-sccs() { last_command="oc_adm_policy_reconcile-sccs" @@ -5716,6 +5568,8 @@ _oc_adm_policy_remove-cluster-role-from-group() local_nonpersistent_flags+=("--output=") flags+=("--output-version=") local_nonpersistent_flags+=("--output-version=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--show-all") flags+=("-a") local_nonpersistent_flags+=("--show-all") @@ -5786,6 +5640,8 @@ _oc_adm_policy_remove-cluster-role-from-user() local_nonpersistent_flags+=("--output=") flags+=("--output-version=") local_nonpersistent_flags+=("--output-version=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--serviceaccount=") two_word_flags+=("-z") local_nonpersistent_flags+=("--serviceaccount=") @@ -5916,6 +5772,8 @@ _oc_adm_policy_remove-role-from-group() local_nonpersistent_flags+=("--output-version=") flags+=("--role-namespace=") local_nonpersistent_flags+=("--role-namespace=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--show-all") flags+=("-a") local_nonpersistent_flags+=("--show-all") 
@@ -5988,6 +5846,8 @@ _oc_adm_policy_remove-role-from-user() local_nonpersistent_flags+=("--output-version=") flags+=("--role-namespace=") local_nonpersistent_flags+=("--role-namespace=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--serviceaccount=") two_word_flags+=("-z") local_nonpersistent_flags+=("--serviceaccount=") @@ -6499,8 +6359,6 @@ _oc_adm_policy() commands+=("add-role-to-user") commands+=("add-scc-to-group") commands+=("add-scc-to-user") - commands+=("reconcile-cluster-role-bindings") - commands+=("reconcile-cluster-roles") commands+=("reconcile-sccs") commands+=("remove-cluster-role-from-group") commands+=("remove-cluster-role-from-user") 
@@ -16213,92 +16071,6 @@ _oc_policy_add-role-to-user() noun_aliases=() } -_oc_policy_can-i() -{ - last_command="oc_policy_can-i" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--all-namespaces") - local_nonpersistent_flags+=("--all-namespaces") - flags+=("--allow-missing-template-keys") - local_nonpersistent_flags+=("--allow-missing-template-keys") - flags+=("--groups=") - local_nonpersistent_flags+=("--groups=") - flags+=("--ignore-scopes") - local_nonpersistent_flags+=("--ignore-scopes") - flags+=("--list") - local_nonpersistent_flags+=("--list") - flags+=("--no-headers") - local_nonpersistent_flags+=("--no-headers") - flags+=("--output=") - two_word_flags+=("-o") - local_nonpersistent_flags+=("--output=") - flags+=("--output-version=") - local_nonpersistent_flags+=("--output-version=") - flags+=("--quiet") - flags+=("-q") - local_nonpersistent_flags+=("--quiet") - flags+=("--scopes=") - local_nonpersistent_flags+=("--scopes=") - flags+=("--show-all") - flags+=("-a") - local_nonpersistent_flags+=("--show-all") - flags+=("--show-labels") - local_nonpersistent_flags+=("--show-labels") - flags+=("--sort-by=") - local_nonpersistent_flags+=("--sort-by=") - flags+=("--template=") - flags_with_completion+=("--template") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--template=") - flags+=("--user=") - local_nonpersistent_flags+=("--user=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags_with_completion+=("--certificate-authority") - flags_completion+=("_filedir") - flags+=("--client-certificate=") - flags_with_completion+=("--client-certificate") - flags_completion+=("_filedir") - flags+=("--client-key=") - flags_with_completion+=("--client-key") - flags_completion+=("_filedir") - flags+=("--cluster=") - flags+=("--config=") - flags_with_completion+=("--config") - flags_completion+=("_filedir") 
- flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--log-flush-frequency=") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - flags_with_completion+=("--namespace") - flags_completion+=("__oc_get_namespaces") - two_word_flags+=("-n") - flags_with_completion+=("-n") - flags_completion+=("__oc_get_namespaces") - flags+=("--request-timeout=") - flags+=("--server=") - flags+=("--token=") - flags+=("--v=") - flags+=("--version") - flags+=("--vmodule=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_policy_remove-group() { last_command="oc_policy_remove-group" @@ -16382,6 +16154,8 @@ _oc_policy_remove-role-from-group() local_nonpersistent_flags+=("--output-version=") flags+=("--role-namespace=") local_nonpersistent_flags+=("--role-namespace=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--show-all") flags+=("-a") local_nonpersistent_flags+=("--show-all") @@ -16458,6 +16232,8 @@ _oc_policy_remove-role-from-user() local_nonpersistent_flags+=("--output-version=") flags+=("--role-namespace=") local_nonpersistent_flags+=("--role-namespace=") + flags+=("--rolebinding-name=") + local_nonpersistent_flags+=("--rolebinding-name=") flags+=("--serviceaccount=") two_word_flags+=("-z") local_nonpersistent_flags+=("--serviceaccount=") @@ -16842,7 +16618,6 @@ _oc_policy() commands=() commands+=("add-role-to-group") commands+=("add-role-to-user") - commands+=("can-i") commands+=("remove-group") commands+=("remove-role-from-group") commands+=("remove-role-from-user")