to fix bugzilla 1424946

Author: soltysh

pkg/cmd/admin/policy/subject_review.go

@@ -31,7 +31,7 @@ var (
 	`)
 	subjectReviewExamples = templates.Examples(`# Check whether user bob can create a pod specified in myresource.yaml
 	$ %[1]s -u bob -f myresource.yaml
-	
+
 	# Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
 	$ %[1]s -u bob -g projectAdmin -f myresource.yaml
 
@@ -85,12 +85,17 @@ func (o *sccSubjectReviewOptions) Complete(f *clientcmd.Factory, args []string,
 	if len(o.User) > 0 && len(o.serviceAccount) > 0 {
 		return fmt.Errorf("--user and --serviceaccount are mutually exclusive")
 	}
-	if strings.HasPrefix(o.serviceAccount, serviceaccount.ServiceAccountUsernamePrefix) {
-		_, user, err := serviceaccount.SplitUsername(o.serviceAccount)
-		if err != nil {
-			return err
+	if len(o.serviceAccount) > 0 { // check whether user supplied a list of SA
+		if len(strings.Split(o.serviceAccount, ",")) > 1 {
+			return fmt.Errorf("only one Service Account is supported")
+		}
+		if strings.HasPrefix(o.serviceAccount, serviceaccount.ServiceAccountUsernamePrefix) {
+			_, user, err := serviceaccount.SplitUsername(o.serviceAccount)
+			if err != nil {
+				return err
+			}
+			o.serviceAccount = user
 		}
-		o.serviceAccount = user
 	}
 	var err error
 	o.namespace, o.enforceNamespace, err = f.DefaultNamespace()

test/cmd/policy.sh

@@ -101,6 +101,8 @@ os::cmd::expect_success_and_text 'oc policy can-i --list --user harold --groups
 os::cmd::expect_failure 'oc policy scc-subject-review'
 os::cmd::expect_failure 'oc policy scc-review'
 os::cmd::expect_failure_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/pspreview_unsupported_statefulset.yaml' 'error: StatefulSet "rd" with spec.volumeClaimTemplates currently not supported.'
+os::cmd::expect_failure_and_text 'oc policy scc-subject-review -z foo,bar -f ${OS_ROOT}/test/testdata/job.yaml'  'error: only one Service Account is supported'
+os::cmd::expect_failure_and_text 'oc policy scc-subject-review -z system:serviceaccount:test:default,system:serviceaccount:test:builder -f ${OS_ROOT}/test/testdata/job.yaml'  'error: only one Service Account is supported'
 os::cmd::expect_failure_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/pspreview_unsupported_statefulset.yaml' 'error: StatefulSet "rd" with spec.volumeClaimTemplates currently not supported.'
 os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/job.yaml -o=jsonpath={.status.AllowedBy.name}' 'anyuid'
 os::cmd::expect_success_and_text 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/redis-slave.yaml -o=jsonpath={.status.AllowedBy.name}' 'anyuid'