
Re: role bindings incorrect after ose 3.2.0 upgrade



It's fine to reconcile rolebindings like you did, as long as you are aware that can result in new default roles being granted to all users. That's what the --exclude-... bits are for - they let you choose to avoid automatically granting new roles to all users in case you want to inspect those more closely and decide if that's something you want.

On Wed, Jun 1, 2016 at 4:19 PM, Dale Bewley <dale bewley net> wrote:
----- On Jun 1, 2016, at 10:01 AM, Jordan Liggitt <jliggitt redhat com> wrote:
No, the source build strategy permissions moved from the admin/edit roles into their own specific roles.

Automatic role reconciliation on upgrade should be additive only, which would have left the source build permissions previously defined in the admin/edit roles:
$ oadm policy reconcile-cluster-roles --additive- --confirm
Thanks for the response. Actually, I had already reconciled the cluster ROLES as above, but I still did not have permissions to do source builds.

I then (contrary to current docs) reconciled the cluster role BINDINGS like this:

$ oadm policy reconcile-cluster-role-bindings \
> --exclude-groups=system:unauthenticated \
> --exclude-users=system:anonymous \
> --additive- \
> --confirm
clusterrolebinding/self-provisioners
clusterrolebinding/system:build-strategy-docker-binding
clusterrolebinding/system:build-strategy-custom-binding
clusterrolebinding/system:build-strategy-source-binding

After that I can once again perform source builds.

My scratchpad






On Wed, Jun 1, 2016 at 12:16 PM, Dale Bewley <dale bewley net> wrote:

After upgrading to OSE 3.2.0 developers can no longer use the source build strategy.

I used the playbook to upgrade and now I'm trying to reconcile the policy role bindings per:

https://docs.openshift.com/enterprise/3.2/install_config/upgrading/manual_upgrades.html#updating-policy-definitions

Is it because the docs:

 $ oadm policy reconcile-cluster-role-bindings \
    --exclude-groups=system:authenticated \
    --exclude-groups=system:authenticated:oauth \
    --exclude-groups=system:unauthenticated \
    --exclude-users=system:anonymous \
    --additive- \
    --confirm

Should actually be:

 $ oadm policy reconcile-cluster-role-bindings \
    --exclude-groups=system:unauthenticated \
    --exclude-users=system:anonymous \
    --additive- \
    --confirm
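
Added example, not part of the thread and not OpenShift's own code: one way to do the inspection the reply recommends is to save the cluster role bindings as JSON before and after reconciling and list only the roles newly granted to the "everyone" principals named in the --exclude-... flags. The field names (items, roleRef.name, groupNames, userNames) are assumed from the OpenShift 3.x ClusterRoleBinding JSON shape, and both sample exports are constructed.

```python
import json

# Principals that effectively mean "everyone": the ones named in the
# --exclude-groups / --exclude-users flags discussed in the thread.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth",
                "system:unauthenticated"}
BROAD_USERS = {"system:anonymous"}

def broad_grants(bindings_json):
    """Return {(role, kind, principal)} for each broad principal bound to a role."""
    grants = set()
    for item in json.loads(bindings_json).get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        # groupNames/userNames may be null or missing in an export (assumed shape).
        for group in item.get("groupNames") or []:
            if group in BROAD_GROUPS:
                grants.add((role, "group", group))
        for user in item.get("userNames") or []:
            if user in BROAD_USERS:
                grants.add((role, "user", user))
    return grants

def new_broad_grants(before_json, after_json):
    """Grants to broad principals present after reconciliation but not before."""
    return sorted(broad_grants(after_json) - broad_grants(before_json))

# Constructed sample exports (not real cluster output).
BEFORE = json.dumps({"items": [
    {"metadata": {"name": "self-provisioners"},
     "roleRef": {"name": "self-provisioner"},
     "groupNames": ["system:authenticated:oauth"], "userNames": None},
    {"metadata": {"name": "cluster-admins"},
     "roleRef": {"name": "cluster-admin"},
     "groupNames": ["system:cluster-admins"], "userNames": ["system:admin"]},
]})
AFTER = json.dumps({"items": json.loads(BEFORE)["items"] + [
    {"metadata": {"name": "system:build-strategy-source-binding"},
     "roleRef": {"name": "system:build-strategy-source"},
     "groupNames": ["system:authenticated"], "userNames": None},
    {"metadata": {"name": "system:build-strategy-docker-binding"},
     "roleRef": {"name": "system:build-strategy-docker"},
     "groupNames": ["system:authenticated"], "userNames": None},
]})

if __name__ == "__main__":
    for role, kind, who in new_broad_grants(BEFORE, AFTER):
        print(f"NEW: role {role} granted to {kind} {who}")
```

Grants that already existed before the upgrade, and bindings to named administrators, are not reported, so the output is only what reconciliation newly handed to all users.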
