tighten authorization rules

[deads2k]

Removes cluster-admin rights from system:authenticated and system:unauthenticated.

[deads2k]

[test]

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_openshift3/1196/)

[deads2k]

@smarterclayton @liggitt fish or cut bait.

[deads2k]

2/3 on travis.

[smarterclayton]

So what README and documentation plans do you have changed so that once this happens every openshift user who tries it isn't broke?

[deads2k]

Currently, the readme has people using the cluster-admin id, so anyone following those steps continues to work. We already document how to add users to roles, those commands haven't changed.

Is there another sample besides sample-app that people are using?

I probably should write up documentation for openshift ex new-project so that people know they don't have to follow separate steps.

[liggitt]

Should update the help shown in the web UI when no projects exist to tell them to run new-project --admin <current user>

[deads2k]

Should update the help shown in the web UI when no projects exist to tell them to run new-project --admin

Ok. I guess I'll also craft something for the mailing list and maybe add instructions to set up a user capable of viewing default for the sample app

[derekwaynecarr]

Doesnt the sample app use 'test'?

[deads2k]

It uses both. default for the docker registry and test for the rest.

[deads2k]

@liggitt I updated the readme with a little more detail. Care to make sure it works for you?

[smarterclayton]

Not going to merge this until we cut another release image (v0.3.2)

[deads2k]

Rebased. Removed the readme updates since they were superceded by #1104 which can go in separately.

[smarterclayton]

Does everyone know this is coming and how to react?

[deads2k]

I'll send out a note now.

[deads2k]

Does everyone know this is coming and how to react?

Yes, everyone knows this is coming. Basic instructions were provided in an email and link to our more complete documentation was also provided. I also included information about gathering policy and bindings for bug reports (not that I think anything could possibly go wrong :) )

[liggitt]

just noticed the Jenkins example isn't using identity yet (there's a bug open for cert validation errors, but identity would hit it also). Wondering if we should wait until we have a good way to inject a kubeconfig as a secret.

[smarterclayton]

Up to Ben

On Feb 24, 2015, at 9:14 AM, Jordan Liggitt [email protected] wrote:

just noticed the Jenkins example isn't using identity yet (there's a bug open for cert validation errors, but identity would hit it also). Wondering if we should wait until we have a good way to inject a kubeconfig as a secret.

—
Reply to this email directly or view it on GitHub.

[deads2k]

@bparees see above.

[deads2k]

Bug https://bugzilla.redhat.com/show_bug.cgi?id=1196022 found.

Do not merge this until we get #1140

[bparees]

Not only do the jenkins setup steps need to be fixed to use identity, the jenkins job itself would need to have the certs (because it runs osc commands too) which it currently does not, so there's significant rework needed. (or use the --insecure flag, anyway, after doing an osc login or something).

I haven't had a lot of people asking me questions about the jenkins example so my guess is it's not getting a lot of attention, but it would be nice to keep it working.

[deads2k]

but it would be nice to keep it working.

It's currently broken, so it would be "make it work again".

[bparees]

@deads2k is that the sound of volunteering i hear?

[smarterclayton]

It's definitely something people are looking at. Let's create a maint card if it still needs work after David's change.

On Feb 25, 2015, at 7:25 AM, Ben Parees [email protected] wrote:

Not only do the jenkins setup steps need to be fixed to use identity, the jenkins job itself would need to have the certs (because it runs osc commands too) which it currently does not, so there's significant rework needed. (or use the --insecure flag, anyway, after doing an osc login or something).

I haven't had a lot of people asking me questions about the jenkins example so my guess is it's not getting a lot of attention, but it would be nice to keep it working.

—
Reply to this email directly or view it on GitHub.

[bparees]

I have a pr in progress to get it working again. That's where I hit the duplicate tag imagerepo issue.

Ben Parees | OpenShift

-----Original Message-----
From: Clayton Coleman [[email protected]]
Received: Thursday, 26 Feb 2015, 10:06
To: openshift/origin [[email protected]]
CC: Ben Parees [[email protected]]
Subject: Re: [origin] [DO NOT MERGE] tighten authorization rules (#1074)

It's definitely something people are looking at. Let's create a maint card if it still needs work after David's change.

On Feb 25, 2015, at 7:25 AM, Ben Parees [email protected] wrote:

Not only do the jenkins setup steps need to be fixed to use identity, the jenkins job itself would need to have the certs (because it runs osc commands too) which it currently does not, so there's significant rework needed. (or use the --insecure flag, anyway, after doing an osc login or something).

I haven't had a lot of people asking me questions about the jenkins example so my guess is it's not getting a lot of attention, but it would be nice to keep it working.

—
Reply to this email directly or view it on GitHub.

---

Reply to this email directly or view it on GitHub:
#1074 (comment)

[liggitt]

reminder to myself to make sure we have the jenkins example working with secrets before merging this

[brenton]

@deads2k, @bparees, @liggitt, Is this realistic for beta2 at this point? Some of the other things Erik is planning to demo need this.

[liggitt]

if we tighten this, the core path (master/node/registry/router) works, but other things like the Jenkins example will stop working until we can get identity info into it. We're planning to do that with secrets, but those won't be in origin until the rebase merges, and then there is some follow-up work to make creating a secret for Jenkins reasonable for an end-user.

tl;dr - this can go in now if we accept things like the Jenkins example breaking until we get secret support into origin.

[smarterclayton]

That's fine with me

On Mar 3, 2015, at 10:06 AM, Jordan Liggitt [email protected] wrote:

if we tighten this, the core path (master/node/registry/router) works, but other things like the Jenkins example will stop working until we can get identity info into it. We're planning to do that with secrets, but those won't be in origin until the rebase merges, and then there is some follow-up work to make creating a secret for Jenkins to use reasonable for an end-user.

tl;dr - this can go in now if we accept things like the Jenkins example breaking until we get secret support into origin.

—
Reply to this email directly or view it on GitHub.

[brenton]

I saw the menion about jenkins in the comment. The beta training isn't making use of jenkins right now so I think we'd be OK. @thoraxe (let us know if you have concerns)

[thoraxe]

I'm fine with Jenkins not working for beta2.

[liggitt]

pull the trigger! [merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/1093/) (Image: devenv-fedora_954)

[openshift-bot]

Evaluated for origin up to 65d868f