Bug 1354397 - [RFE] oadm groups sync and oadm groups prune should be executed by token auth
Summary: [RFE] oadm groups sync and oadm groups prune should be executed by token auth
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.2.0
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Jordan Liggitt
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-11 08:54 UTC by Kenjiro Nakayama
Modified: 2016-10-30 22:53 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-18 13:51:39 UTC
Target Upstream Version:


Internal Links: Red Hat Bugzilla 1354420

Description Kenjiro Nakayama 2016-07-11 08:54:41 UTC
1. Proposed title of this feature request

  [RFE] oadm groups sync and oadm groups prune should be executed by token auth

3. What is the nature and description of the request?

  Users want to execute oadm groups sync/prune with token auth, like oadm prune.

4. Why does the customer need this? (List the business requirements here)

  Only system:admin can execute oadm groups sync/prune, but it should also be runnable by general users with an auth token.

5. How would the customer like to achieve this? (List the functional requirements here)

  Run oadm groups sync and oadm groups prune by token auth.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

  No, as far as I checked.

10. List any affected packages or components.

  oadm command, especially oadm groups sync/prune

Comment 2 Jordan Liggitt 2016-07-11 13:58:37 UTC
This is already possible. Ensure the authenticated user has sufficient access to read and write OpenShift Group objects, and has access to the LDAP group sync config file, and they will be able to run the oadm groups sync commands.

Comment 3 Kenjiro Nakayama 2016-07-11 14:17:50 UTC
> Ensure the authenticated user has sufficient access to read and write OpenShift Group objects,

I'm sorry, but could you please elaborate on this "sufficient access"?

As far as I tested, outside of system:admin, the commands below didn't work. We expect that any user can run them with a token.

  # oadm groups sync --sync-config={file} --token={token}
  # oadm groups prune --sync-config={file} --token={token}

What kind of access rights are necessary?

Comment 4 Jordan Liggitt 2016-07-11 14:21:57 UTC
Read/write access to Group objects. Only the cluster-admin role allows access to those objects by default.

Can you include the result of running that command as another user?

Comment 5 Jordan Liggitt 2016-07-18 13:51:39 UTC
Any user with sufficient permissions can run group sync.

For example, as system:admin, give the cluster-admin role to another user:

# on the master API server
oc login -u system:admin
oadm policy add-cluster-role-to-user cluster-admin sally

# on another computer
oc login -u sally -p ...
oadm groups sync --sync-config=sync-config-file.yaml ...

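The procedure in Comment 5 grants cluster-admin to the sync user, which is far more than the "read/write access to Group objects" Comment 4 says is actually required. The script below is an added example, not part of the bug report or of OpenShift itself: it defines a dedicated ClusterRole that only covers Group objects, binds it to the user, and then runs sync and prune with that user's token. The role name ldap-group-syncer, the user sally, the token and the config path are assumptions; the verb list is my reading of what sync (get/create/update) and prune (list/delete) need, so check it against your own dry run before trusting it. Note that oadm groups sync and prune default to a dry run and only modify groups when --confirm is passed.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenShift): least-privilege
# setup for running `oadm groups sync` / `oadm groups prune` by token auth on
# OpenShift 3.x. Role name, user name, token and config path are assumptions.

# Emit a ClusterRole that grants read/write on Group objects and nothing else.
# Assumed verb set: get/create/update for sync, list/delete for prune.
groups_sync_role() {
  cat <<'EOF'
apiVersion: v1
kind: ClusterRole
metadata:
  name: ldap-group-syncer
rules:
- apiGroups: [""]
  resources: ["groups"]
  verbs: ["get", "list", "create", "update", "patch", "delete"]
EOF
}

# Run once as system:admin on the master: create the role and bind it to
# the sync user (hypothetical user "sally") instead of handing out cluster-admin.
install_role() {
  groups_sync_role | oc create -f -
  oadm policy add-cluster-role-to-user ldap-group-syncer sally
}

# Run from any machine with sally's token. The sync config must be readable
# on that machine: the client, not the API server, reads it and talks to LDAP.
# Without --confirm both commands only report what they would change.
sync_groups() {
  token="$1"
  cfg="$2"
  oadm groups sync --sync-config="$cfg" --token="$token" --confirm
  oadm groups prune --sync-config="$cfg" --token="$token" --confirm
}

# Usage (requires a reachable cluster; not executed here):
#   install_role
#   sync_groups "$SALLY_TOKEN" sync-config-file.yaml
```

Running `oadm groups sync --sync-config=... --token=...` without --confirm first, as the granted user, is the cheapest way to verify the role: a permission error surfaces on the dry run before any Group object is touched.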
