
Re: cluster-roles

Just the API/swagger docs. If you do an `oc get clusterrole/admin -o yaml`, you'll have a good starting point for building your own role.

On Thu, Aug 4, 2016 at 3:16 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:
Got it. Thank you, sir.

Any quick documentation I can refer to for creating roles and adding the necessary permissions as we want? I am not sure how easy or difficult it is to create a custom role and add this role to the robot.

Keeping the ‘admin’ role as a backup strategy?

Srinivas Kotaru

From: David Eads <deads redhat com>
Date: Thursday, August 4, 2016 at 11:59 AM

There is no pre-built role with precisely those permissions, you'd have to create your own role based on an existing one.

You have to assign the "admin" role to the robot, otherwise he won't be able to add the requestor as a project-admin because it will fail an escalation check.

On Thu, Aug 4, 2016 at 2:42 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:

Thanks for the info. I am still not clear: are you saying to provide the cluster “admin” role to the robot account? My robot user/account should perform the jobs below on all projects in the cluster

  1. Create/modify/delete projects
  2. Add/edit quota limits to projects ( cpu/memory etc)
  3. Add users to projects on appropriate project roles ( admin/edit/view)
Can you help me understand what cluster role I need to add to this robot user, so he has cluster-wide limited admin access to perform the jobs above? One immediate solution is to add cluster ‘admin’, but as you said we are a little hesitant and would rather give the exact roles required for his job.

Your help is highly appreciated …

Srinivas Kotaru

From: David Eads <deads redhat com>
Date: Thursday, August 4, 2016 at 11:31 AM
To: skotaru <skotaru cisco com>
Cc: "users lists openshift redhat com" <users lists openshift redhat com>
Subject: Re: cluster-roles

I don't think I'd have my robot use the `projectrequests` endpoint.  Instead, I'd grant my robot the power to
  1. Create projects
  2. Update namespaces
  3. Create resourcequotas, limitranges
  4. Bind robot to "admin"
Binding the robot to "admin" seems a little bit odd, but the rules for binding roles to subjects require that the binder (robot in your case) have at least all the permissions of the roles it's binding.  This prevents a binder from escalating privileges by granting more power to the bindee.
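The four grants above, assembled into one script. This is an added example, not code from the thread or from OpenShift itself; the role name `project-provisioner`, the robot user name, and the choice of `""` as the apiGroup for projects, namespaces, resourcequotas, limitranges and rolebindings (the OpenShift 3.x v1 policy API) are assumptions to check against your cluster's own `oc get clusterrole/admin -o yaml`. The rules are written by hand rather than copied from `admin`, so the robot gets nothing it does not need for the jobs listed in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): delegate project provisioning on
# OpenShift 3.x to a single robot account, following the outline above.
# Assumptions: OpenShift v1 policy API, apiGroup "" for every resource
# listed, a made-up role name "project-provisioner", and a robot user
# whose name is passed as $1 (defaults to "robot").

# Print the ClusterRole manifest. Deliberately narrow: no pods, secrets,
# roles or clusterroles, so the robot can only hand out what it is itself
# explicitly bound to (the escalation check enforces the rest).
robot_clusterrole_yaml() {
    cat <<'EOF'
apiVersion: v1
kind: ClusterRole
metadata:
  name: project-provisioner
rules:
- apiGroups: [""]
  resources: ["projects"]
  verbs: ["create", "get", "list", "update", "delete"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "update"]
- apiGroups: [""]
  resources: ["resourcequotas", "limitranges"]
  verbs: ["create", "get", "list", "update", "delete"]
- apiGroups: [""]
  resources: ["rolebindings"]
  verbs: ["create", "get", "list", "update", "delete"]
EOF
}

# Apply the policy. Every cluster call goes through ${OC:-oc} and
# ${OADM:-oadm}, so a dry run is possible with OC=echo OADM=echo.
apply_robot_policy() {
    robot="${1:-robot}"
    oc="${OC:-oc}"
    oadm="${OADM:-oadm}"

    # 1. Stop every authenticated user from self-provisioning projects.
    "$oadm" policy remove-cluster-role-from-group self-provisioner system:authenticated

    # 2. Create the narrow role and bind it cluster-wide to the robot:
    #    create projects, update namespaces, manage quotas/limits and
    #    rolebindings.
    robot_clusterrole_yaml | "$oc" create -f -
    "$oadm" policy add-cluster-role-to-user project-provisioner "$robot"

    # 3. Escalation check: a rolebinding may only grant permissions the
    #    binder already holds. To grant "admin" inside any project, the
    #    robot must hold "admin" there, so bind it cluster-wide.
    "$oadm" policy add-cluster-role-to-user admin "$robot"
}

# Run against a real cluster as a cluster-admin:
#   ./provision-robot.sh my-robot
# Dry run, printing the commands instead of executing them:
#   OC=echo OADM=echo ./provision-robot.sh my-robot
[ "${PROVISION_MAIN:-1}" = "1" ] && [ "$#" -gt 0 ] && apply_robot_policy "$1"
```

Two things to keep in mind after running it. The cluster-wide `admin` binding means the robot's credentials are as sensitive as a project admin on every project, even though it still cannot touch cluster-scoped objects such as nodes or cluster roles; the orchestration system holding that token needs matching protection. And `oc policy who-can create rolebindings` (and the same for `projects`) is a quick way to confirm that only the robot and cluster-admins ended up with those verbs.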

On Thu, Aug 4, 2016 at 2:04 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:

We want to disable default project creation by authenticated users and delegate it to a single user. All users should go to a central provisioning system and ask for a project, a project quota, and the admin/edit/viewer members. Once the project is created, quotas are set up, and the appropriate admin/edit/viewers are added, authenticated users can create apps themselves. Essentially we want to control the initial project, quota, and project members.

We don’t want to give cluster-admin or admin to this generic user being used by the orchestration system, and want to limit its capabilities by using the OSE 3.x roles features.

This is my understanding :

oadm policy remove-cluster-role-from-group self-provisioner system:authenticated 
oadm policy add-cluster-role-to-user self-provisioner <robot user>
What other roles are needed by the robot user to set up quotas on projects and add users as admin/edit/viewers to projects?
The `oc describe clusterPolicyBindings :default` command lists the existing roles starting with system-*, but I am not sure which roles are really required to perform the jobs above.
Can you help here?

Srinivas Kotaru

users mailing list
users lists openshift redhat com
