[kontinuity-dev-public] Creating a Project on Behalf of Users

Ben Parees bparees at redhat.com
Fri Apr 15 15:35:27 UTC 2016


You can also talk to Jeff Cantrill who implemented the flow for the eclipse
tooling.


On Fri, Apr 15, 2016 at 11:29 AM, Ricardo Martinelli de Oliveira <
rmartine at redhat.com> wrote:

> Ben,
>
> Yes, sorry for not mentioning that we already discussed this. To be honest,
> only step 2 was unclear to me and still is.
>
> I'll take a look again at the Fabric8 code to see how they are handling
> this and I'll send a reply to confirm if that helped or not.
>
>
>
> On Fri, Apr 15, 2016 at 12:23 PM, Ben Parees <bparees at redhat.com> wrote:
>
>>
>>
>> On Fri, Apr 15, 2016 at 10:41 AM, Ricardo Martinelli de Oliveira <
>> rmartine at redhat.com> wrote:
>>
>>> David,
>>>
>>> For the project request workflow I see no problems with it, but
>>> application creation (either from the s2i images or templates) is the main
>>> concern from my viewpoint since the templates are in the openshift project. I
>>> tried to develop the app creation part and I had some problems with
>>> template processing because hitting the template endpoint causes permission
>>> issues.
>>>
>>> Could you please explain how to do that?
>>>
>>
>> I thought we discussed this on IRC, so I'm not sure what issue you're
>> having?
>>
>> Your client needs to:
>> 1) retrieve the template object from the openshift namespace (Everyone
>> has view access, not a problem)
>> 2) post the template (with parameter values if supplied by the user) to
>> the processedTemplates endpoint in the user's namespace
>> 3) you'll get back a processed template which is basically a list of api
>> objects
>> 4) your client needs to iteratively make a create api call on each api
>> object.
>>
>> We've implemented this flow 2-3 times (CLI, web console, eclipse tooling,
>> maybe fabric too), so there ought to be somewhere you can borrow it from.
>>
>>
>>>
>>> On Fri, Apr 15, 2016 at 9:01 AM, David Eads <deads at redhat.com> wrote:
>>>
>>>> We currently have an endpoint where a user can request a project:
>>>> https://docs.openshift.org/latest/admin_guide/managing_projects.html#selfprovisioning-projects.
>>>> It works by using this endpoint:
>>>> https://docs.openshift.org/latest/rest_api/openshift_v1.html#create-a-projectrequest.
>>>> If you have access (on by default), then the user is escalated and a
>>>> project is created on their behalf by the system.  The shape of the project
>>>> is determined by the cluster-admin through the use of a template.  If you
>>>> try the client-side command with `--loglevel=8`, you can see the details of
>>>> the request.
>>>>
>>>> I think that flow is what your issue is talking about.  However, if
>>>> you're interested in general impersonation there is a pull (
>>>> https://github.com/openshift/origin/pull/8006) that adds a
>>>> `Impersonate-User` header for requests.  If that header is set to "bob",
>>>> then the authenticated user is checked to see if they have rights to
>>>> "impersonate" the "users" named "bob".  If they are allowed, then the user
>>>> context of the request is changed to "bob" and the request is checked.
>>>> That gives perfect impersonation for the API server, but I think it's
>>>> unlikely that the users you're impersonating will be allowed to create
>>>> projects directly.
>>>>
>>>> On Thu, Apr 14, 2016 at 8:36 PM, Andrew Lee Rubinger <alr at redhat.com>
>>>> wrote:
>>>>
>>>>> Thanks!
>>>>>
>>>>> David, would you mind advising how we might go about handling $subject?
>>>>>
>>>>> S,
>>>>> ALR
>>>>>
>>>>> On Thu, Apr 14, 2016 at 8:24 PM, Ben Parees <bparees at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Might be better to ask on the openshift dev list, but i'm told David
>>>>>> Eads is working on this so you could ping him directly as well.
>>>>>>
>>>>>> Ben Parees | OpenShift
>>>>>> On Apr 14, 2016 20:11, "Andrew Lee Rubinger" <alr at redhat.com> wrote:
>>>>>>
>>>>>>> So the Catapult project will be creating OpenShift projects for its
>>>>>>> users.
>>>>>>>
>>>>>>> At the moment we're doing this by logging in *as* the user, but
>>>>>>> really what we want to do is create projects *on behalf of* users.
>>>>>>>
>>>>>>> Clayton advises that we're unlikely to be granted cluster-admin
>>>>>>> rights to OpenShift Online (or even in some dedicated instance we run), so
>>>>>>> perhaps we need some other role that has permissions to create projects and
>>>>>>> a rolebinding to the user in question.
>>>>>>>
>>>>>>> Associated Catapult issue is:
>>>>>>>
>>>>>>>   https://github.com/redhat-kontinuity/catapult/issues/18
>>>>>>>
>>>>>>> Thoughts from the OpenShift team?
>>>>>>>
>>>>>>> S,
>>>>>>> ALR
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> kontinuity-dev-public mailing list
>>>>>>> kontinuity-dev-public at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/kontinuity-dev-public
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> Ben Parees | OpenShift
>>
>>
>


-- 
Ben Parees | OpenShift
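The four steps Ben lists (read the template from the openshift namespace, post it with the user's parameter values to processedtemplates in the user's namespace, then create each returned object) as a small Python client. This is an added illustration for the archive, not code from the CLI, web console, eclipse tooling or Fabric8. It assumes the OpenShift 3.x v1 paths (/oapi/v1 for OpenShift kinds, /api/v1 for core Kubernetes kinds), and the FakeOpenShift class and the nodejs-example template are constructed stand-ins so the flow runs offline; the http callable is where a real client would plug in its authenticated transport. The optional Impersonate-User header is the one from David's pull request.

```python
import copy
import json

# Where each kind is created (OpenShift 3.x v1 API paths; an assumption of this
# example, check your cluster's discovery endpoints): core Kubernetes kinds
# live under /api/v1, OpenShift-specific kinds under /oapi/v1.
KUBE_KINDS = {"Service": "services", "Secret": "secrets", "ConfigMap": "configmaps"}
OPENSHIFT_KINDS = {"DeploymentConfig": "deploymentconfigs", "BuildConfig": "buildconfigs",
                   "ImageStream": "imagestreams", "Route": "routes"}


def resource_path(kind, namespace):
    """Map an API object's kind to the namespaced collection it is created in."""
    if kind in KUBE_KINDS:
        return "/api/v1/namespaces/%s/%s" % (namespace, KUBE_KINDS[kind])
    if kind in OPENSHIFT_KINDS:
        return "/oapi/v1/namespaces/%s/%s" % (namespace, OPENSHIFT_KINDS[kind])
    raise ValueError("unsupported kind in processed template: %s" % kind)


def apply_parameters(template, values):
    """Fill user-supplied values into the parameters the template declares.
    Names the template does not declare are a client error, not something
    to forward to the server."""
    declared = {p["name"] for p in template.get("parameters", [])}
    unknown = sorted(set(values) - declared)
    if unknown:
        raise ValueError("unknown template parameters: %s" % ", ".join(unknown))
    filled = copy.deepcopy(template)
    for param in filled.get("parameters", []):
        if param["name"] in values:
            param["value"] = values[param["name"]]
    return filled


def instantiate_template(http, template_name, user_namespace, values, impersonate=None):
    """Steps 1-4 from the thread. http(method, path, body, headers) returns the
    decoded JSON response; authentication is the caller's concern."""
    headers = {}
    if impersonate:
        headers["Impersonate-User"] = impersonate  # act as the end user, if allowed

    # 1) Read the shared template; everyone has view access to 'openshift'.
    template = http("GET", "/oapi/v1/namespaces/openshift/templates/%s" % template_name,
                    None, headers)

    # 2) Process it in the user's namespace with their parameter values.
    filled = apply_parameters(template, values)
    filled.setdefault("metadata", {})["namespace"] = user_namespace
    processed = http("POST", "/oapi/v1/namespaces/%s/processedtemplates" % user_namespace,
                     filled, headers)

    # 3)+4) The response carries the rendered objects; create each one, and
    # refuse any object a template tries to steer into another namespace.
    created = []
    for obj in processed.get("objects", []):
        target_ns = obj.get("metadata", {}).get("namespace")
        if target_ns and target_ns != user_namespace:
            raise ValueError("%s/%s targets foreign namespace %s"
                             % (obj["kind"], obj["metadata"].get("name"), target_ns))
        http("POST", resource_path(obj["kind"], user_namespace), obj, headers)
        created.append((obj["kind"], obj["metadata"]["name"]))
    return created


# --- constructed stand-in for the API server so the flow runs offline ---
SAMPLE_TEMPLATE = {
    "kind": "Template", "apiVersion": "v1",
    "metadata": {"name": "nodejs-example", "namespace": "openshift"},
    "parameters": [{"name": "APP_NAME", "value": "nodejs-example"}],
    "objects": [
        {"kind": "ImageStream", "apiVersion": "v1", "metadata": {"name": "${APP_NAME}"}},
        {"kind": "Service", "apiVersion": "v1", "metadata": {"name": "${APP_NAME}"},
         "spec": {"ports": [{"port": 8080}]}},
    ],
}


class FakeOpenShift:
    """Records every call and emulates just the two endpoints the flow needs."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body, headers):
        self.calls.append((method, path))
        if method == "GET" and path == "/oapi/v1/namespaces/openshift/templates/nodejs-example":
            return copy.deepcopy(SAMPLE_TEMPLATE)
        if method == "POST" and path.endswith("/processedtemplates"):
            rendered = json.dumps(body["objects"])  # substitute ${NAME} placeholders
            for param in body.get("parameters", []):
                rendered = rendered.replace("${%s}" % param["name"], param["value"])
            return {"kind": "Template", "apiVersion": "v1", "objects": json.loads(rendered)}
        if method == "POST":
            return body  # the server echoes the created object
        raise RuntimeError("unexpected call %s %s" % (method, path))


if __name__ == "__main__":
    server = FakeOpenShift()
    print(instantiate_template(server, "nodejs-example", "ricardo-dev", {"APP_NAME": "catapult-demo"}))
    for call in server.calls:
        print(*call)
```

Note that nothing in this flow needs cluster-admin: the service doing the work only needs view on the openshift namespace and create rights in the target namespace (or the right to impersonate the user who has them), which is the least-privilege shape the thread is after.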