That helps. Thanks, David … appreciated your help

--
Srinivas Kotaru

From: David Eads <[email protected]>
Date: Thursday, August 4, 2016 at 1:05 PM
To: skotaru <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: cluster-roles

Just the API/swagger docs. If you do an `oc get clusterrole/admin -o yaml`, 
you'll have a good starting point for building your own role.
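The escalation check described further down the thread (the binder must already hold every permission of the role it is binding) modelled in a few lines of Python, as an added illustration that is not from this thread or from OpenShift's code. The rule sets are constructed approximations of the robot's grants and of the "admin" role, not the real role definitions.

```python
# Simplified model of the role-binding escalation check: a binder may bind a
# role to a subject only if the binder's own rules already cover every
# (resource, verb) pair the role grants. Added illustration, not OpenShift's
# implementation; every rule set below is constructed for this example.
from typing import Iterable, List, Set, Tuple

Rule = Tuple[str, str]  # (resource, verb); "*" is a wildcard for either field


def expand(rules: Iterable[Tuple[List[str], List[str]]]) -> Set[Rule]:
    # Flatten (resources, verbs) groups into a set of (resource, verb) pairs.
    return {(r, v) for resources, verbs in rules for r in resources for v in verbs}


def permits(held: Set[Rule], resource: str, verb: str) -> bool:
    # True if any held rule covers the requested resource/verb, honouring "*".
    return any(r in ("*", resource) and v in ("*", verb) for r, v in held)


def missing(binder: Set[Rule], role: Set[Rule]) -> List[Rule]:
    # Permissions in `role` that the binder does not hold: the escalation gap.
    return sorted(p for p in role if not permits(binder, *p))


def can_bind(binder: Set[Rule], role: Set[Rule]) -> bool:
    # The check itself: the binding is allowed only when the gap is empty.
    return not missing(binder, role)


# Constructed approximation of the four grants suggested for the robot.
ROBOT_RULES = expand([
    (["projects"], ["create", "delete"]),
    (["namespaces"], ["update"]),
    (["resourcequotas", "limitranges"], ["create"]),
    (["rolebindings"], ["create", "update"]),
])

# Constructed, deliberately partial stand-in for the project-scoped "admin" role.
ADMIN_RULES = expand([
    (["pods", "services", "deploymentconfigs"], ["get", "list", "create", "update", "delete"]),
    (["rolebindings"], ["get", "list", "create", "update", "delete"]),
])


def robot_alone_can_bind_admin() -> bool:
    # False: the robot lacks the pod/service/deploymentconfig rights admin grants.
    return can_bind(ROBOT_RULES, ADMIN_RULES)


def robot_holding_admin_can_bind_admin() -> bool:
    # Binding the robot to "admin" first gives it the union of both rule sets.
    return can_bind(ROBOT_RULES | ADMIN_RULES, ADMIN_RULES)
```

Calling `missing(ROBOT_RULES, ADMIN_RULES)` lists exactly the permissions the robot would be handing out without holding, which is what the real check refuses.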

On Thu, Aug 4, 2016 at 3:16 PM, Srinivas Naga Kotaru (skotaru) 
<[email protected]> wrote:
Got it. Thank you, sir.

Is there any quick documentation I can refer to for creating roles and adding 
the necessary permissions as we want? I'm not sure how easy or difficult it is 
to create a custom role and add this role to the robot.

Keeping the ‘admin’ role as a backup strategy?

--
Srinivas Kotaru

From: David Eads <[email protected]>
Date: Thursday, August 4, 2016 at 11:59 AM

To: skotaru <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: cluster-roles

There is no pre-built role with precisely those permissions; you'd have to 
create your own role based on an existing one.

You have to assign the "admin" role to the robot, otherwise he won't be able to 
add the requestor as a project-admin because it will fail an escalation check.

On Thu, Aug 4, 2016 at 2:42 PM, Srinivas Naga Kotaru (skotaru) 
<[email protected]> wrote:
David

Thanks for the info. I'm still not clear: are you saying to provide the cluster 
“admin” role to the robot account? My robot user/account should perform the 
jobs below on all projects in the clusters:

  1.  Create/modify/delete projects
  2.  Add/edit quota limits to projects (CPU/memory etc.)
  3.  Add users to projects with the appropriate project roles (admin/edit/view)

Can you help me understand what cluster role I need to add to this robot user, 
so he has cluster-wide limited admin access to perform the above jobs? One 
immediate solution is to add cluster ‘admin’, but as you said we are a little 
hesitant and would rather give the exact roles required for his job.

Your help is highly appreciated …

--
Srinivas Kotaru

From: David Eads <[email protected]>
Date: Thursday, August 4, 2016 at 11:31 AM
To: skotaru <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: cluster-roles

I don't think I'd have my robot use the `projectrequests` endpoint.  Instead, 
I'd grant my robot the power to

  1.  Create projects
  2.  Update namespaces
  3.  Create resourcequotas, limitranges
  4.  Bind robot to "admin"

Binding the robot to "admin" seems a little bit odd, but the rules for binding 
roles to subjects require that the binder (robot in your case) have at least 
all the permissions of the roles it's binding.  This prevents a binder from 
escalating privileges by granting more power to the bindee.

On Thu, Aug 4, 2016 at 2:04 PM, Srinivas Naga Kotaru (skotaru) 
<[email protected]> wrote:
Hi

We want to disable default project creation by authenticated users and delegate 
it to a single user. All users should go to a central provisioning system and 
ask for a project, a project quota, and the admin/edit/view members to be 
provided. Once the project is created, the quotas are set up and the 
appropriate admin/edit/view members are added, authenticated users can create 
apps themselves. Essentially we want to control the initial project, quota and 
project members.

We don’t want to give cluster-admin or admin to this generic user being used by 
the orchestration system; we want to limit its capabilities by using the OSE 
3.x roles features.

This is my understanding:

oadm policy remove-cluster-role-from-group self-provisioner system:authenticated

oadm policy add-cluster-role-to-user self-provisioner <robot user>

Questions:

What other roles are needed by the robot user to set up quotas on projects and 
add users as admin/edit/view members to projects?

The oc describe clusterPolicyBindings :default command lists existing roles 
starting with system-*, but I'm not sure which roles are really required to 
perform the above jobs.

Can you help here?


--
Srinivas Kotaru

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users



