From 991a2a1776f68c7cd64324b53edb6ad9189c0822 Mon Sep 17 00:00:00 2001
From: Darren Shepherd <darren@rancher.com>
Date: Fri, 23 Jul 2021 23:45:13 -0700
Subject: [PATCH 1/2] Don't mask errors when doing by name lookups

---
 pkg/stores/partition/store.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/stores/partition/store.go b/pkg/stores/partition/store.go
index 1961423..547eec1 100644
--- a/pkg/stores/partition/store.go
+++ b/pkg/stores/partition/store.go
@@ -101,7 +101,7 @@ func (s *Store) List(apiOp *types.APIRequest, schema *types.APISchema) (types.AP
 
 	result.Revision = lister.Revision()
 	result.Continue = lister.Continue()
-	return result, nil
+	return result, lister.Err()
 }
 
 func (s *Store) Create(apiOp *types.APIRequest, schema *types.APISchema, data types.APIObject) (types.APIObject, error) {

From eba8358f2aa02d4c9afe07dbd9d21776666324db Mon Sep 17 00:00:00 2001
From: Darren Shepherd <darren@rancher.com>
Date: Fri, 23 Jul 2021 23:46:03 -0700
Subject: [PATCH 2/2] Fix issues when creating clusterrolebindings to
 namespaces objects

---
 pkg/accesscontrol/access_set.go | 25 ++++++++++++++++++++-----
 pkg/stores/proxy/proxy_store.go |  6 ++++++
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/pkg/accesscontrol/access_set.go b/pkg/accesscontrol/access_set.go
index 7597cf7..2c2d2c5 100644
--- a/pkg/accesscontrol/access_set.go
+++ b/pkg/accesscontrol/access_set.go
@@ -144,20 +144,35 @@ func (a AccessListByVerb) Granted(verb string) (result map[string]Resources) {
 		verbs = append(verbs, "get")
 	}
 
-	for _, verb := range verbs {
-		for _, access := range a[verb] {
+	for _, access := range a[verb] {
+		resources := result[access.Namespace]
+		if access.ResourceName == All {
+			resources.All = true
+		} else {
+			if resources.Names == nil {
+				resources.Names = sets.String{}
+			}
+			resources.Names.Insert(access.ResourceName)
+		}
+		result[access.Namespace] = resources
+	}
+
+	if verb == "list" {
+		// look for objects referenced by get
+		for _, access := range a["get"] {
 			resources := result[access.Namespace]
 			if access.ResourceName == All {
-				resources.All = true
-			} else {
+				continue
+			} else if len(access.ResourceName) > 0 {
 				if resources.Names == nil {
 					resources.Names = sets.String{}
 				}
 				resources.Names.Insert(access.ResourceName)
+				result[access.Namespace] = resources
 			}
-			result[access.Namespace] = resources
 		}
 	}
+
 	return result
 }
 
diff --git a/pkg/stores/proxy/proxy_store.go b/pkg/stores/proxy/proxy_store.go
index 7862b06..8be0bb3 100644
--- a/pkg/stores/proxy/proxy_store.go
+++ b/pkg/stores/proxy/proxy_store.go
@@ -213,6 +213,12 @@ func tableToObjects(obj map[string]interface{}) []unstructured.Unstructured {
 }
 
 func (s *Store) ByNames(apiOp *types.APIRequest, schema *types.APISchema, names sets.String) (types.APIObjectList, error) {
+	if apiOp.Namespace == "*" {
+		// This happens when you grant namespaced objects with "get" by name in a clusterrolebinding. We will treat
+		// this as an invalid situation instead of listing all objects in the cluster and filtering by name.
+		return types.APIObjectList{}, nil
+	}
+
 	adminClient, err := s.clientGetter.TableAdminClient(apiOp, schema, apiOp.Namespace)
 	if err != nil {
 		return types.APIObjectList{}, err