Some system roles missing authorization.openshift.io/system-only annotation #16862

Closed
spadgett opened this issue Oct 13, 2017 · 11 comments · Fixed by openshift/origin-web-console#2402
Labels: component/web, kind/bug, priority/P2

@spadgett
Member

Some roles are showing up in the web console membership page that probably shouldn't because they're missing the authorization.openshift.io/system-only annotation. See

[Screenshot: openshift web console 2017-10-13 12-08-42]

service-catalog-controller shouldn't be there and maybe some others. The console will hide roles with that annotation unless a "Show system roles" checkbox is checked.

cc @benjaminapetersen @enj @pmorie

Version

oc v3.7.0-alpha.1+572fb85-1047
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth

Server https://127.0.0.1:8443
openshift v3.7.0-alpha.1+572fb85-1047
kubernetes v1.7.6+a08f5eeb62

@enj
Contributor

enj commented Oct 13, 2017

Sounds like the roles in examples/service-catalog/service-catalog.yaml need to be updated to have the annotation.

@benjaminapetersen
Contributor

I think this made sense back when we first introduced it, but it seems like there are too many parties adding roles now to keep up. It might make sense to go back to a whitelist of roles in the config file of the console (or we just hard-code it in the membership module), and allow role authors to add an annotation to userFacing: true to add to this whitelist.

@liggitt
Contributor

liggitt commented Oct 17, 2017

+1 for whitelist. You will never get all role creators to annotate.

@benjaminapetersen
Contributor

Back to where we started :)

@jwforres
Member

Should we be whitelisting on the roles using an annotation, or whitelisting in the console using an extension with sane defaults?

@benjaminapetersen
Contributor

Perhaps just a list in config.js?

pweil- added the component/web, kind/bug and priority/P2 labels on Oct 18, 2017
@jwforres
Member

@benjaminapetersen wouldn't be in config.js, it would be in constants.js if we do it in the console code. I'm fine with going back to that. Just means @enj needs to let us know when there is a new default role that makes sense to expose to users. I expect this will not be often...

@benjaminapetersen
Contributor

Sorry, meant constants.js, yup!

@spadgett
Member Author

Looks like sar-creator and namespace-viewer are also coming from the service-catalog template.

openshift-merge-robot added a commit to openshift/origin-web-console that referenced this issue Oct 30, 2017
…le-whitelist

Automatic merge from submit-queue.

Update membership filter to use MEMBERSHIP_WHITELIST in Constants.js

Moving back to using a simple whitelist via [origin issue 16862](openshift/origin#16862)

fixes [origin issue 16862](openshift/origin#16862)

History:
- issue #14411
- PR #14510
- PR #15241
- [PR 11328](openshift/origin#11328) (original)

At this point ignoring the annotation `systemOnly` entirely.

@jwforres @spadgett @enj
@enj
Contributor

enj commented Oct 31, 2017

@benjaminapetersen please open an origin PR for 3.8 to gut all the system-only stuff.
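
The two filtering approaches discussed in this thread, side by side, as an added example that is not code from origin-web-console. `MEMBERSHIP_WHITELIST` is the name used in the referenced commit, but its contents here, the sample role objects, the `example-system-role` name and the `'true'` annotation value are assumptions made for the illustration.

```javascript
// Added illustration; not code from origin-web-console.
const SYSTEM_ONLY = 'authorization.openshift.io/system-only';

// Constructed sample data. Role names come from the issue; which roles carry
// the annotation, and the 'true' value, are assumptions for this example.
const sampleRoles = [
  { metadata: { name: 'admin' } },
  { metadata: { name: 'view' } },
  { metadata: { name: 'example-system-role', annotations: { [SYSTEM_ONLY]: 'true' } } },
  // Created by the service-catalog template without the annotation.
  { metadata: { name: 'service-catalog-controller' } },
  { metadata: { name: 'sar-creator' } },
  { metadata: { name: 'namespace-viewer' } },
];

// Assumed contents; the real MEMBERSHIP_WHITELIST is not shown in the issue.
const MEMBERSHIP_WHITELIST = ['admin', 'edit', 'view'];

const names = (roles) => roles.map((role) => role.metadata.name);

// Denylist: a role is shown unless its author remembered to annotate it.
function filterByAnnotation(roles, showSystemRoles = false) {
  return names(roles.filter((role) => {
    const annotations = role.metadata.annotations || {};
    return showSystemRoles || annotations[SYSTEM_ONLY] !== 'true';
  }));
}

// Allowlist: a role is hidden unless the console explicitly lists it.
function filterByWhitelist(roles, whitelist = MEMBERSHIP_WHITELIST) {
  const allowed = new Set(whitelist);
  return names(roles.filter((role) => allowed.has(role.metadata.name)));
}

// Roles the annotation filter shows that the allowlist would not.
function shownOnlyByAnnotationFilter(roles) {
  const allowed = new Set(filterByWhitelist(roles));
  return filterByAnnotation(roles).filter((name) => !allowed.has(name));
}

console.log('annotation filter:', filterByAnnotation(sampleRoles));
console.log('whitelist filter: ', filterByWhitelist(sampleRoles));
console.log('difference:       ', shownOnlyByAnnotationFilter(sampleRoles));
```

With the annotation filter, every role whose author omitted the annotation is displayed by default; with the allowlist, a newly added role stays hidden until someone adds it to the list.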
