[kontinuity-dev-public] Creating a Project on Behalf of Users

Ricardo Martinelli de Oliveira rmartine at redhat.com
Fri Apr 15 14:41:09 UTC 2016


David,

For the Project request workflow I see no problems with it, but application
creation (either from the s2i images or templates) is the main concern
from my viewpoint, since the templates are in the openshift project. I tried to
develop the app creation part and I had some problems with template
processing, because hitting the template endpoint causes permission issues.

Could you please explain how to do that?

On Fri, Apr 15, 2016 at 9:01 AM, David Eads <deads at redhat.com> wrote:

> We currently have an endpoint where a user can request a project:
> https://docs.openshift.org/latest/admin_guide/managing_projects.html#selfprovisioning-projects.
> It works by using this endpoint:
> https://docs.openshift.org/latest/rest_api/openshift_v1.html#create-a-projectrequest.
> If you have access (on by default), then the user is escalated and a
> project is created on their behalf by the system.  The shape of the project
> is determined by the cluster-admin through the use of a template.  If you
> try the client-side command with `--loglevel=8`, you can see the details of
> the request.
>
> I think that flow is what your issue is talking about.  However, if you're
> interested in general impersonation there is a pull (
> https://github.com/openshift/origin/pull/8006) that adds a
> `Impersonate-User` header for requests.  If that header is set to "bob",
> then the authenticated user is checked to see if they have rights to
> "impersonate" the "users" named "bob".  If they are allowed, then the user
> context of the request is changed to "bob" and the request is checked.
> That gives perfect impersonation for the API server, but I think it's
> unlikely that the users you're impersonating will be allowed to create
> projects directly.
>
> On Thu, Apr 14, 2016 at 8:36 PM, Andrew Lee Rubinger <alr at redhat.com>
> wrote:
>
>> Thanks!
>>
>> David, would you mind advising how we might go about handling $subject?
>>
>> S,
>> ALR
>>
>> On Thu, Apr 14, 2016 at 8:24 PM, Ben Parees <bparees at redhat.com> wrote:
>>
>>> Might be better to ask on the openshift dev list, but i'm told David
>>> Eads is working on this so you could ping him directly as well.
>>>
>>> Ben Parees | OpenShift
>>> On Apr 14, 2016 20:11, "Andrew Lee Rubinger" <alr at redhat.com> wrote:
>>>
>>>> So the Catapult project will be creating OpenShift projects for its
>>>> users.
>>>>
>>>> At the moment we're doing this by logging in *as* the user, but really
>>>> what we want to do is create projects *on behalf of* users.
>>>>
>>>> Clayton advises that we're unlikely to be granted cluster-admin rights
>>>> to OpenShift Online (or even in some dedicated instance we run), so perhaps
>>>> we need some other role that has permissions to create projects and a
>>>> rolebinding to the user in question.
>>>>
>>>> Associated Catapult issue is:
>>>>
>>>>   https://github.com/redhat-kontinuity/catapult/issues/18
>>>>
>>>> Thoughts from the OpenShift team?
>>>>
>>>> S,
>>>> ALR
>>>>
>>>> _______________________________________________
>>>> kontinuity-dev-public mailing list
>>>> kontinuity-dev-public at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/kontinuity-dev-public
>>>>
>>>>
>>
>
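As an added example (not code from this thread, nor OpenShift's own tooling), the ProjectRequest-plus-Impersonate-User flow David describes: a caller whose token holds the `impersonate` verb on `users` submits a self-provisioning ProjectRequest as the end user, so the end user only needs the default self-provisioner right and the caller never needs cluster-admin. The API URL and token are placeholders, and the `/oapi/v1/projectrequests` path is assumed from the v1 REST API docs linked above.

```python
"""Create an OpenShift project on behalf of a user with a ProjectRequest
sent under an Impersonate-User header.  API_URL/TOKEN are placeholders."""
import json
import urllib.error
import urllib.request

API_URL = "https://openshift.example.com:8443"  # placeholder (assumed)
TOKEN = "REPLACE_WITH_SERVICE_ACCOUNT_TOKEN"     # placeholder (assumed)
PROJECT_REQUEST_PATH = "/oapi/v1/projectrequests"  # assumed from v1 docs


def build_project_request(name, on_behalf_of, display_name=None):
    """Return (path, headers, body) for a ProjectRequest submitted as
    `on_behalf_of`.  The API server first checks that the token's owner may
    impersonate that user, then evaluates the request as that user."""
    headers = {
        "Authorization": "Bearer " + TOKEN,
        "Content-Type": "application/json",
        "Impersonate-User": on_behalf_of,
    }
    body = {
        "kind": "ProjectRequest",
        "apiVersion": "v1",
        "metadata": {"name": name},
        "displayName": display_name or name,
    }
    return PROJECT_REQUEST_PATH, headers, body


def classify_status(status):
    """Map the HTTP status to the cause, so an impersonation denial is not
    mistaken for a missing self-provisioner right or a name clash."""
    if status == 201:
        return "created"
    if status == 403:
        return ("forbidden: caller lacks impersonate on users, or the "
                "impersonated user lacks self-provisioner")
    if status == 409:
        return "conflict: project name already exists"
    return "unexpected status %d" % status


def create_project_on_behalf(name, on_behalf_of):
    """Send the request and return a short diagnosis string."""
    path, headers, body = build_project_request(name, on_behalf_of)
    req = urllib.request.Request(API_URL + path, method="POST",
                                 data=json.dumps(body).encode(), headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_status(err.code)
```

Run with `--loglevel=8` on the `oc` side, as David suggests, to compare the exact request the client sends against the one built here.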