return error when long-form sa name is used

Returns an error when the long-form name of a ServiceAccount is used with the --serviceaccount (-z) flag in `oc policy ...' commands.
openshift · Oct 26, 2017 · f94a3a5 · f94a3a5
1 parent e92d5c5
commit f94a3a5
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/pkg/oc/admin/policy/modify_roles.go b/pkg/oc/admin/policy/modify_roles.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/spf13/cobra"
 
@@ -320,6 +321,13 @@ func (o *RoleModificationOptions) CompleteUserWithSA(f *clientcmd.Factory, cmd *
 		return errors.New("you must specify at least one user or service account")
 	}
 
+	// return an error if a fully-qualified service-account name is used
+	for _, sa := range saNames {
+		if strings.HasPrefix(sa, "system:serviceaccount") {
+			return errors.New("--serviceaccount (-z) should only be used with short-form serviceaccount names (e.g. \"default\")")
+		}
+	}
+
 	authorizationClient, err := f.OpenshiftInternalAuthorizationClient()
 	if err != nil {
 		return err