fix(auth): remove check restricting empty UID to handle kube:admin bootstrap user scenario (#135)
Merged: dkwon17 merged 2 commits, Jun 25, 2026
Conversation
SelfSubjectReview and the OpenShift User API return no UID for kube:admin, which is expected for the bootstrap admin. PR redhat-developer#134 rejected empty UIDs and broke web terminal auth on clusters where oc whoami is kube:admin. Restore pre-redhat-developer#134 semantics for empty UID while keeping SelfSubjectReview as the primary lookup for external authentication (WTO-399).
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
dkwon17 (Collaborator) reviewed on Jun 25, 2026:
WDYT if we remove the empty UID string check in getCurrentUserUIDFromOpenShiftUserAPI, keep it in getCurrentUserUIDFromSelfSubjectReview, and reorder the checks so that we call getCurrentUserUIDFromOpenShiftUserAPI first and treat getCurrentUserUIDFromSelfSubjectReview as the fallback?
This way, this should fix the regression with kube:admin without completely ignoring the empty UID case?
Resolve kube:admin via the OpenShift User API first, allowing empty UID for bootstrap users, and fall back to SelfSubjectReview only when the User API is unavailable while rejecting empty UIDs on that path.
Co-authored-by: Cursor <cursoragent@cursor.com>
dkwon17 approved these changes on Jun 25, 2026
What does this PR do?
Fixes a regression introduced in #134 where web-terminal-exec rejects users with an empty Kubernetes UID, breaking web terminal auth for bootstrap kube:admin on clusters where oc whoami returns kube:admin. #134 added SelfSubjectReview (needed for WTO-399 / external auth), but also added:

Before #134, we already allowed empty UIDs: the User API path simply returned string(userInfo.GetUID()) with no blank check, so "" was valid and "" == "" auth succeeded for kube:admin (see openshift/origin#24950). After #134, the new checks fail auth before we reach that comparison.

This PR restores that behavior with two changes:

1. Reordered UID lookup — try the OpenShift User API first, then fall back to SelfSubjectReview only when the User API is unavailable (e.g. BYO external authentication without user.openshift.io). This matches pre-#134 ordering and lets kube:admin resolve via the User API before hitting the stricter fallback path.

2. Partial empty-UID check — allow an empty UID from the OpenShift User API (valid for kube:admin / kubeadmin when AUTHENTICATED_USER_ID is also empty), but keep the empty-UID rejection on the SelfSubjectReview fallback path so external-auth users without a UID still fail clearly rather than silently authenticating.
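The two changes above, written out as a small Go resolver. This is an added illustration, not code from the web-terminal-exec repository: the sentinel errors, the uidLookup closure type and the function names resolveCurrentUserUID and authorizeTerminalUser are assumptions chosen for the example, and the scenarios in main are constructed, not captured cluster output. It shows why the ordering matters: an empty UID coming from the User API is accepted and compared against AUTHENTICATED_USER_ID, while an empty UID on the SelfSubjectReview fallback path is rejected before any comparison happens.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrUserAPIUnavailable stands in for the User API (user.openshift.io) not being
// served on the cluster, e.g. BYO external authentication. Hypothetical sentinel.
var ErrUserAPIUnavailable = errors.New("openshift User API unavailable")

// ErrEmptyUID is returned when the SelfSubjectReview fallback yields no UID.
var ErrEmptyUID = errors.New("SelfSubjectReview returned an empty UID")

// uidLookup abstracts one UID source. The real service wraps API calls; this
// example injects closures so each cluster scenario can be exercised offline.
type uidLookup func() (string, error)

// resolveCurrentUserUID implements the ordering described in the PR:
//  1. OpenShift User API first; an empty UID is accepted (bootstrap kube:admin has none).
//  2. SelfSubjectReview only if the User API is unavailable; an empty UID there is
//     rejected so external-auth users without a UID fail clearly.
func resolveCurrentUserUID(fromUserAPI, fromSelfSubjectReview uidLookup) (string, error) {
	uid, err := fromUserAPI()
	if err == nil {
		return uid, nil // may legitimately be "" for kube:admin
	}
	if !errors.Is(err, ErrUserAPIUnavailable) {
		// Any other failure is not a reason to fall back; surface it.
		return "", fmt.Errorf("User API lookup failed: %w", err)
	}
	uid, err = fromSelfSubjectReview()
	if err != nil {
		return "", fmt.Errorf("SelfSubjectReview lookup failed: %w", err)
	}
	if uid == "" {
		return "", ErrEmptyUID
	}
	return uid, nil
}

// authorizeTerminalUser compares the resolved UID against the workspace owner's UID
// (AUTHENTICATED_USER_ID). For kube:admin both sides are "", so "" == "" succeeds,
// which is the pre-#134 behaviour the PR restores.
func authorizeTerminalUser(authenticatedUserID string, fromUserAPI, fromSelfSubjectReview uidLookup) error {
	uid, err := resolveCurrentUserUID(fromUserAPI, fromSelfSubjectReview)
	if err != nil {
		return err
	}
	if uid != authenticatedUserID {
		return fmt.Errorf("UID mismatch: current user %q is not workspace owner %q", uid, authenticatedUserID)
	}
	return nil
}

func main() {
	// Constructed scenarios, not captured cluster output.
	userAPIKubeAdmin := func() (string, error) { return "", nil }                // User API present, no metadata.uid
	userAPIMissing := func() (string, error) { return "", ErrUserAPIUnavailable } // no user.openshift.io
	ssrNoUID := func() (string, error) { return "", nil }                        // no uid field in userInfo
	ssrWithUID := func() (string, error) { return "uid-constructed-0001", nil }  // normal external-auth user

	fmt.Println("kube:admin via User API:     ", authorizeTerminalUser("", userAPIKubeAdmin, ssrNoUID))
	fmt.Println("external auth, SSR has UID:  ", authorizeTerminalUser("uid-constructed-0001", userAPIMissing, ssrWithUID))
	fmt.Println("external auth, SSR empty UID:", authorizeTerminalUser("", userAPIMissing, ssrNoUID))
}
```

The first call succeeds (nil error) because the empty UID came from the User API; the third fails with ErrEmptyUID even though AUTHENTICATED_USER_ID is also empty, which is exactly the case the fallback path is meant to refuse.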
What issues does this PR fix or reference?
Fixes an issue found during pre-release testing: kube:admin users were unable to open a terminal.

Is it tested? How?
Verified on an AWS clusterbot CI cluster (oc whoami = kube:admin):
SelfSubjectReview: userInfo.username=kube:admin, no uid field
User API (~): metadata.name=kube:admin, no metadata.uid
Bootstrap kube:admin has no Kubernetes UID.