-
Notifications
You must be signed in to change notification settings - Fork 463
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Customize Project Access Roles proposal #668
Add Customize Project Access Roles proposal #668
Conversation
/cc @christianvogt I can create a meeting for a realtime sync on this. :) |
... | ||
``` | ||
|
||
- [ ] Should allow the admin to link `Role` or `ClusterRole`? Should this support other namespaces then the current? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should support both Role
and ClusterRole
.
@spadgett what exactly did 3.11 support? I want to say that it was a single list that performed a lookup by name in both cluster roles and roles lists.
The namespace will be implied based on the project in which the rolebinding will be created.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@christianvogt check https://docs.openshift.com/container-platform/3.11/install_config/web_console_customization.html#changing-the-membership-whitelist which was done by loading extension scripts.
Based on the docs, we only supported ClusterRole.
|
||
Similar to [Customize Developer Catalog Categories](./catalog-categories.md) we extend the existing `operator.openshift.io/v1` / `Console` CRD. It provides already a `spec.customization` area where we can add a list of roles. | ||
|
||
The list of roles should link to `rbac.authorization.k8s.io/v1` / `Role` or `ClusterRole`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would limit this to ClusterRole
for now. I'm not sure it's a good idea to allow this to be configured for Role
since Roles
with the same names in different namespaces can have totally different permission. The cluster admin can't know what these will be when configuring the option. Also there is no way in the current UI to differentiate between Role
and ClusterRole
, so as a project admin you won't know exactly what permission you're granting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can show "(R)" or "(CR)" icon in the dropdown, right?
But I think your right, ClusterRole is fine because the admin could not predict what project admins allow with their namespaced Role
s -- as you mentioned.
So I keep just a string of names at the moment. With the explicit name "...clusterRoles" we could also bring up another key if we want support multiple kinds in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also noticed that the dropdown has Role
label and also the help-text above is linking to Role
docs. If we want to just support ClusterRole
for no we should make that clear, for both mentioned elements.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, then we should also link directly to ClusterRoles and ClusterRoleBindings in the help text above the input. Sam, Christian, @serenamarie125 fine with that?
developerPerspective: | ||
projectAccessRoles: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not a fan of isolating the config under a developerPerspective
stanza just because I don't want isolate a feature to one perspective.
b156886
to
911912e
Compare
@christianvogt @spadgett Updated the doc again. Going with ClusterRoles only for now. The list are only strings now, if we want support other roles later we can also keep the kind and validate that the user uses only /cc @jhadvig @rottencandy And we have another issue with different ideas about the yaml property name. My initial approach was Sam recommended a Christian is against a separation for perspectives. Now we need a decision. I also can provide some other ideas: My current suggestion: spec:
customization:
brand: online
projectAdmin:
availableClusterRoles:
- admin
- edit
- view
... Wdyt? |
/uncc adambkaplan cooktheryan |
3b4f1c2
to
6c51188
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jerolimov thanks for all this, I've added couple of comments, looks really good 👍
Regarding the structuring of the consoleserver config. I would not necessarily go with customization. developerPerspective
since that field would also need to contain other fields that are DecConsole specific, like DeveloperCatalog
. But since we are not separating the perspectives from the beginning, I don't think we should start now, but rather stick to the approach we have.
From my understanding, the customised ClusterRoles
will be only visible in the DevPerspective -> Project Access page. For that reason I would suggest to use projectAccess
, instead of projectAdmin
field name:
apiVersion: operator.openshift.io/v1
kind: Console
metadata:
name: cluster
...
spec:
customization:
brand: online
projectAccess:
availableClusterRoles:
- admin
- edit
- view
We should also keep in mind that if in the future we decide to support also Roles
, we can just add another field which would also contain a specific namespace:
apiVersion: operator.openshift.io/v1
kind: Console
metadata:
name: cluster
...
spec:
customization:
brand: online
projectAccess:
availableClusterRoles:
- admin
- edit
- view
availableRoles:
namespace: foo
roles:
- ...
^^ I'm good with the suggestion. Went full circle on |
6c51188
to
1a89189
Compare
Thanks Jakub, I liked Doc updated. Anything else to-do here? 😏 |
This feature is very much required for Cisco. This is a kind of show stopper for our migration from 3.11 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jerolimov I think we should be good to merge this. @spadgett any additional comments?
1a89189
to
26b35fc
Compare
/lgtm |
26b35fc
to
358d902
Compare
As result of #668 (review) and our short discussed on slack, I just changed the annotation for the label to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jhadvig, spadgett The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Issues:
Epic: https://issues.redhat.com/browse/ODC-4650
Story: https://issues.redhat.com/browse/ODC-5394
Rendered preview: https://github.com/jerolimov/openshift-enhancements/blob/customize-project-roles/enhancements/console/customize-project-roles.md