[kontinuity-dev-public] Creating a Project on Behalf of Users

Jeff Cantrill jcantril at redhat.com
Fri Apr 15 16:42:49 UTC 2016


On Fri, Apr 15, 2016 at 11:35 AM, Ben Parees <bparees at redhat.com> wrote:

> You can also talk to Jeff Cantrill, who implemented the flow for the
> Eclipse tooling.
>
>
The openshift-restclient-java and subsequently JBosstools process
templates using this class:
https://github.com/openshift/openshift-restclient-java/blob/master/src/main/java/com/openshift/internal/restclient/capability/server/ServerTemplateProcessing.java#L50

consumed here:

https://github.com/jbosstools/jbosstools-openshift/blob/master/plugins/org.jboss.tools.openshift.ui/src/org/jboss/tools/openshift/internal/ui/job/CreateApplicationFromTemplateJob.java#L58


>
> On Fri, Apr 15, 2016 at 11:29 AM, Ricardo Martinelli de Oliveira <
> rmartine at redhat.com> wrote:
>
>> Ben,
>>
>> Yes, sorry for not mentioning that we already discussed this. To be
>> honest, only step 2 was unclear to me and still is.
>>
>> I'll take a look again at the Fabric8 code to see how they are handling
>> this and I'll send a reply to confirm if that helped or not.
>>
>>
>>
>> On Fri, Apr 15, 2016 at 12:23 PM, Ben Parees <bparees at redhat.com> wrote:
>>
>>>
>>>
>>> On Fri, Apr 15, 2016 at 10:41 AM, Ricardo Martinelli de Oliveira <
>>> rmartine at redhat.com> wrote:
>>>
>>>> David,
>>>>
>>>> For the Project request workflow I see no problems, but application
>>>> creation (either from the s2i images or templates) is the main
>>>> concern from my viewpoint, since the templates are in the openshift project. I
>>>> tried to develop the app creation part and I had some problems with
>>>> template processing because hitting the template endpoint causes permission
>>>> issues.
>>>>
>>>> Could you please explain how to do that?
>>>>
>>>
>>> I thought we discussed this on IRC, so I'm not sure what issue you're
>>> having?
>>>
>>> Your client needs to:
>>> 1) retrieve the template object from the openshift namespace (Everyone
>>> has view access, not a problem)
>>> 2) post the template (with parameter values if supplied by the user) to
>>> the processedTemplates endpoint in the user's namespace
>>> 3) you'll get back a processed template which is basically a list of api
>>> objects
>>> 4) your client needs to iteratively make a create api call on each api
>>> object.
>>>
>>> we've implemented this flow 2-3 times (CLI, web console, eclipse
>>> tooling, maybe fabric too), so there ought to be somewhere you can borrow
>>> it from.
>>>
>>>
>>>>
>>>> On Fri, Apr 15, 2016 at 9:01 AM, David Eads <deads at redhat.com> wrote:
>>>>
>>>>> We currently have an endpoint where a user can request a project:
>>>>> https://docs.openshift.org/latest/admin_guide/managing_projects.html#selfprovisioning-projects.
>>>>> It works by using this endpoint:
>>>>> https://docs.openshift.org/latest/rest_api/openshift_v1.html#create-a-projectrequest.
>>>>> If you have access (on by default), then the user is escalated and a
>>>>> project is created on their behalf by the system.  The shape of the project
>>>>> is determined by the cluster-admin through the use of a template.  If you
>>>>> try the client-side command with `--loglevel=8`, you can see the details of
>>>>> the request.
>>>>>
>>>>> I think that flow is what your issue is talking about.  However, if
>>>>> you're interested in general impersonation there is a pull (
>>>>> https://github.com/openshift/origin/pull/8006) that adds an
>>>>> `Impersonate-User` header for requests.  If that header is set to "bob",
>>>>> then the authenticated user is checked to see if they have rights to
>>>>> "impersonate" the "users" named "bob".  If they are allowed, then the user
>>>>> context of the request is changed to "bob" and the request is checked.
>>>>> That gives perfect impersonation for the API server, but I think it's
>>>>> unlikely that the users you're impersonating will be allowed to create
>>>>> projects directly.
>>>>>
>>>>> On Thu, Apr 14, 2016 at 8:36 PM, Andrew Lee Rubinger <alr at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> David, would you mind advising how we might go about handling
>>>>>> $subject?
>>>>>>
>>>>>> S,
>>>>>> ALR
>>>>>>
>>>>>> On Thu, Apr 14, 2016 at 8:24 PM, Ben Parees <bparees at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Might be better to ask on the openshift dev list, but I'm told David
>>>>>>> Eads is working on this so you could ping him directly as well.
>>>>>>>
>>>>>>> Ben Parees | OpenShift
>>>>>>> On Apr 14, 2016 20:11, "Andrew Lee Rubinger" <alr at redhat.com> wrote:
>>>>>>>
>>>>>>>> So the Catapult project will be creating OpenShift projects for its
>>>>>>>> users.
>>>>>>>>
>>>>>>>> At the moment we're doing this by logging in *as* the user, but
>>>>>>>> really what we want to do is create projects *on behalf of* users.
>>>>>>>>
>>>>>>>> Clayton advises that we're unlikely to be granted cluster-admin
>>>>>>>> rights to OpenShift Online (or even in some dedicated instance we run), so
>>>>>>>> perhaps we need some other role that has permissions to create projects and
>>>>>>>> a rolebinding to the user in question.
>>>>>>>>
>>>>>>>> Associated Catapult issue is:
>>>>>>>>
>>>>>>>>   https://github.com/redhat-kontinuity/catapult/issues/18
>>>>>>>>
>>>>>>>> Thoughts from the OpenShift team?
>>>>>>>>
>>>>>>>> S,
>>>>>>>> ALR
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> kontinuity-dev-public mailing list
>>>>>>>> kontinuity-dev-public at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/kontinuity-dev-public
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Ben Parees | OpenShift
>>>
>>>
>>
>
>
> --
> Ben Parees | OpenShift
>
>


-- 
--
Jeff Cantrill
Senior Software Engineer, Red Hat Engineering
OpenShift Integration Services
Red Hat, Inc.
*Office*: 703-748-4420 | 866-546-8970 ext. 8162420
jcantril at redhat.com
http://www.redhat.com
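
The four-step template flow quoted above, as an added Python example (not code from this thread or from any of the linked projects). The `send(method, path, body)` transport, the kind-to-path table, the fake server and the `demo` template are assumptions constructed so the sketch runs offline; the example also pins each created object to the user's namespace.

```python
import copy

# Assumed kind -> collection path table for the v1 API; extend for other kinds.
COLLECTIONS = {
    "Service": "/api/v1/namespaces/{ns}/services",
    "BuildConfig": "/oapi/v1/namespaces/{ns}/buildconfigs",
    "DeploymentConfig": "/oapi/v1/namespaces/{ns}/deploymentconfigs",
    "Route": "/oapi/v1/namespaces/{ns}/routes",
}

def instantiate_template(send, name, user_ns, values):
    """Run steps 1-4; send(method, path, body) is the caller's HTTP transport."""
    # 1) Read the template from the shared namespace (needs view access only).
    template = send("GET", "/oapi/v1/namespaces/openshift/templates/" + name, None)
    # 2) Fill in user-supplied parameter values, then post to the user's namespace.
    body = copy.deepcopy(template)
    for p in body.get("parameters", []):
        if p["name"] in values:
            p["value"] = values[p["name"]]
    processed = send("POST", "/oapi/v1/namespaces/%s/processedtemplates" % user_ns, body)
    # 3) The response carries a list of API objects; 4) create each one in turn.
    created = []
    for obj in processed["objects"]:
        path = COLLECTIONS[obj["kind"]].format(ns=user_ns)
        obj.setdefault("metadata", {})["namespace"] = user_ns  # pin to the user's namespace
        created.append(send("POST", path, obj))
    return created

def make_fake_server(log):
    """Constructed stand-in for the API server: logs calls, refuses writes to 'openshift'."""
    tmpl = {"kind": "Template", "metadata": {"name": "demo", "namespace": "openshift"},
            "parameters": [{"name": "APP_NAME", "value": "app"}],
            "objects": [{"kind": "Service", "metadata": {"name": "${APP_NAME}"}}]}
    def send(method, path, body):
        log.append((method, path))
        if method == "POST" and "/namespaces/openshift/" in path:
            raise PermissionError("403 Forbidden: " + path)
        if method == "GET":
            return copy.deepcopy(tmpl)
        if path.endswith("/processedtemplates"):
            name = next(p["value"] for p in body["parameters"] if p["name"] == "APP_NAME")
            out = copy.deepcopy(body)
            for o in out["objects"]:
                o["metadata"]["name"] = o["metadata"]["name"].replace("${APP_NAME}", name)
            return out
        return body
    return send
```

Passing `"openshift"` as `user_ns` makes the fake server raise `PermissionError` at step 2, which is the behaviour a caller with view-only access to that namespace should expect.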
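
The two-stage check that David Eads describes for the `Impersonate-User` header, as an added Python model (a toy policy evaluator, not OpenShift's authorizer and not code from the pull request). The rule set, the `provisioner` service account name and the function names are constructed for illustration.

```python
# Toy policy: rules are (subject, verb, resource, name); "*" matches any name.
# All subjects and rules here are constructed sample data.
PROVISIONER = "system:serviceaccount:catapult:provisioner"
RULES = {
    (PROVISIONER, "impersonate", "users", "bob"),
    ("bob", "create", "projectrequests", "*"),
    ("bob", "get", "templates", "*"),
}

def allowed(rules, subject, verb, resource, name):
    """True if a rule grants the verb on this named resource or on any name."""
    return any(r in rules for r in ((subject, verb, resource, name),
                                    (subject, verb, resource, "*")))

def authorize(rules, authenticated, headers, verb, resource, name="*"):
    """Return (effective_user, decision) for one request."""
    target = headers.get("Impersonate-User")
    effective = authenticated
    if target is not None:
        # Stage 1: may the authenticated caller impersonate this named user?
        if not allowed(rules, authenticated, "impersonate", "users", target):
            return authenticated, "deny: may not impersonate " + target
        effective = target  # the request's user context is switched
    # Stage 2: the request itself is checked as the effective user.
    if not allowed(rules, effective, verb, resource, name):
        return effective, "deny: %s may not %s %s" % (effective, verb, resource)
    return effective, "allow"

def demo():
    """Decisions for four constructed requests from the provisioner account."""
    as_bob = {"Impersonate-User": "bob"}
    return [
        authorize(RULES, PROVISIONER, as_bob, "create", "projects"),
        authorize(RULES, PROVISIONER, as_bob, "create", "projectrequests"),
        authorize(RULES, PROVISIONER, {"Impersonate-User": "alice"}, "create", "projectrequests"),
        authorize(RULES, PROVISIONER, {}, "create", "projectrequests"),
    ]
```

The first decision shows the limit noted in the thread: impersonation succeeds, yet the request is still denied because the impersonated user cannot create projects directly.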