feat: Advanced authorization #1789
Conversation
Signed-off-by: Anatolii Bazko <[email protected]>
|
Skipping CI for Draft Pull Request. |
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #1789 +/- ##
==========================================
- Coverage 59.53% 59.46% -0.08%
==========================================
Files 71 71
Lines 8605 8703 +98
==========================================
+ Hits 5123 5175 +52
- Misses 3131 3172 +41
- Partials 351 356 +5 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Anatolii Bazko <[email protected]>
Signed-off-by: Anatolii Bazko <[email protected]>
Signed-off-by: Anatolii Bazko <[email protected]>
Signed-off-by: Anatolii Bazko <[email protected]>
|
/retest |
Signed-off-by: Anatolii Bazko <[email protected]>
| - apiGroups: | ||
| - user.openshift.io | ||
| resources: | ||
| - groups | ||
| verbs: | ||
| - get |
There was a problem hiding this comment.
Just wondering -- does the Che Operator not use +kubebuilder:rbac markers to define controller permissions?
There was a problem hiding this comment.
We don't use annotations like this to define permissions.
| { | ||
| APIGroups: []string{""}, | ||
| Resources: []string{"serviceaccounts"}, | ||
| Verbs: []string{"get", "watch", "create"}, | ||
| }, | ||
| { | ||
| APIGroups: []string{"rbac.authorization.k8s.io"}, | ||
| Resources: []string{"roles"}, | ||
| Verbs: []string{"get", "create", "update"}, | ||
| }, | ||
| { | ||
| APIGroups: []string{"rbac.authorization.k8s.io"}, | ||
| Resources: []string{"rolebindings"}, | ||
| Verbs: []string{"get", "create", "update", "delete"}, | ||
| }, |
There was a problem hiding this comment.
I'm not sure I understand the three functions here any why they are separated; these all apply to the Che server SA, right?
There was a problem hiding this comment.
Operator delegates permissions to a che-server SA and the che-server SA delegates permissions to a user.
But some permissions are only needed for the che-server SA and not for the user.
That's we have separation for cluster roles: some permissions for the user and some permissions only for che-server SA. I hope I was clear.
There was a problem hiding this comment.
Maybe some permissions are redundant since moving to the Dev Workspace engine.
But I am not sure right now.
|
/retest |
You are right, it doesn't block any access to dashboard/gateway. |
|
@tolusha: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: amisevsk, ibuziuk, tolusha The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Build 3.11 :: operator_3.x/327: Console, Changes, Git Data |
|
Build 3.11 :: sync-to-downstream_3.x/5495: Console, Changes, Git Data |
|
Build 3.11 :: operator-bundle_3.x/2364: Console, Changes, Git Data |
|
Build 3.11 :: sync-to-downstream_3.x/5504: Console, Changes, Git Data |
|
Build 3.11 :: push-latest-container-to-quay_3.x/3866: Console, Changes, Git Data |
|
Build 3.11 :: copyIIBsToQuay/2258: Console, Changes, Git Data |
|
Build 3.11 :: sync-to-downstream_3.x/5504: Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.x/5383 triggered; /job/DS_CI/job/dsc_3.x triggered; |
|
Build 3.11 :: operator-bundle_3.x/2364: Upstream sync done; /DS_CI/sync-to-downstream_3.x/5504 triggered |
|
Build 3.11 :: dsc_3.x/1630: Console, Changes, Git Data |
|
Build 3.11 :: dsc_3.x/1630: 3.11.0-CI |
|
Build 3.11 :: operator-bundle_3.x/2365: Console, Changes, Git Data |
|
Build 3.11 :: sync-to-downstream_3.x/5506: Console, Changes, Git Data |
|
Build 3.11 :: push-latest-container-to-quay_3.x/3868: Console, Changes, Git Data |
|
Build 3.11 :: copyIIBsToQuay/2259: Console, Changes, Git Data |
|
Build 3.11 :: sync-to-downstream_3.x/5506: Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.x/5385 triggered; /job/DS_CI/job/dsc_3.x triggered; |
|
Build 3.11 :: operator-bundle_3.x/2365: Upstream sync done; /DS_CI/sync-to-downstream_3.x/5506 triggered |
|
Build 3.11 :: dsc_3.x/1631: Console, Changes, Git Data |
|
Build 3.11 :: dsc_3.x/1631: 3.11.0-CI |
|
Build 3.11 :: operator-bundle_3.x/2366: Console, Changes, Git Data |
|
Build 3.11 :: sync-to-downstream_3.x/5509: Console, Changes, Git Data |
|
Build 3.11 :: push-latest-container-to-quay_3.x/3870: Console, Changes, Git Data |
|
Build 3.11 :: copyIIBsToQuay/2260: Console, Changes, Git Data |
|
Build 3.11 :: sync-to-downstream_3.x/5509: Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.x/5388 triggered; /job/DS_CI/job/dsc_3.x triggered; |
|
Build 3.11 :: operator-bundle_3.x/2366: Upstream sync done; /DS_CI/sync-to-downstream_3.x/5509 triggered |
|
Build 3.11 :: dsc_3.x/1632: Console, Changes, Git Data |
|
Build 3.11 :: dsc_3.x/1632: 3.11.0-CI |
What does this PR do?
feat: Advanced authorization
Screenshot/screencast of this PR
N/A
What issues does this PR fix or reference?
https://issues.redhat.com/browse/CRW-4805
How to test this PR?
OpenShift
on Minikube
./build/scripts/minikube-tests/test-operator-from-sources.sh --cr-patch-yaml /tmp/cr-patch.yaml kubectl patch checluster eclipse-che -n eclipse-che --type=merge -p='{"spec":{"networking":{"auth":{"advancedAuthorization":{"allowUsers":["user1", "user2"],"denyUsers":["user3", "user4","user5"]}}}}}'Users
user1anduser2are allowed to access Che.Users
user3,user4anduser5are disallowed to access ChePR Checklist
As the author of this Pull Request I made sure that:
What issues does this PR fix or referenceandHow to test this PRcompletedReviewers
Reviewers, please comment how you tested the PR when approving it.