Bug 1354420 - [RFE] Creates APIs for groups sync/prune
Summary: [RFE] Creates APIs for groups sync/prune
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.2.0
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
: ---
Assignee: Jordan Liggitt
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-11 09:47 UTC by Kenjiro Nakayama
Modified: 2016-10-30 22:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 19:17:12 UTC
Target Upstream Version:
Internal Links: 1354397

Description Kenjiro Nakayama 2016-07-11 09:47:48 UTC
1. Proposed title of this feature request

  [RFE] Creates APIs for groups sync/prune

3. What is the nature and description of the request?

  Users want to execute groups sync/prune via an API.

4. Why does the customer need this? (List the business requirements here)

  To sync/prune group, users have to execute oadm sync/prune by system:admin. Users want to sync/prune groups via APIs.

5. How would the customer like to achieve this? (List the functional requirements here)

  Users want Red Hat to create APIs and allow users to sync/prune groups via those APIs.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

  No, as far as I checked.

10. List any affected packages or components.

  group sync/prune, auth

Comment 2 Jordan Liggitt 2016-07-11 13:56:56 UTC
The oadm command already uses APIs to accomplish all modifications to OpenShift objects, and can be run by any user with sufficient access (read/write access to the Groups API objects).

The oadm command requires the LDAP group sync config file, and OpenShift API credentials.

You can see the APIs being called by adding --loglevel=8 when running the oadm commands.

Can we close this as already implemented?

Comment 3 Kenjiro Nakayama 2016-07-11 14:09:06 UTC
Thank you Jordan.

Most probably I misunderstood it. But could you please tell me which API has been accessed? I attached --loglevel=10 to the following command.

  # oadm groups sync --sync-config=.kube/config --loglevel=10

I know it got a 404 error, but I thought it should output the API URL, and I couldn't find it.

Comment 5 Kenjiro Nakayama 2016-07-11 14:12:13 UTC
> I know it got a 404 error, but I thought it should output the API URL, and I couldn't find it.

I mean between the following API curl calls.

curl -k -v -XGET  -H "User-Agent: oadm/v3.1.1.6 (linux/amd64) openshift/80b61da" -H "Authorization: Bearer random" https://knakayam-ose31-smaster:8443/oapi

curl -k -v -XGET  -H "User-Agent: oadm/v3.1.1.6 (linux/amd64) openshift/80b61da" -H "Authorization: Bearer random" https://knakayam-ose31-smaster:8443/oapi/v1/groups/PMRDPTU

Comment 6 Jordan Liggitt 2016-07-11 14:13:41 UTC
It makes many calls to discover information about the server. That debug output shows all calls made.

Are you trying to determine the role a user should have in order to run this command?

Comment 7 Jordan Liggitt 2016-07-18 13:52:27 UTC
Any user with sufficient permissions can run the group sync command, which uses API calls to create/populate Group objects.

For example, as system:admin, give the cluster-admin role to another user:

# on the master API server
oc login -u system:admin
oadm policy add-cluster-role-to-user cluster-admin sally

# on another computer
oc login -u sally -p ...
oadm groups sync --sync-config=sync-config-file.yaml ...
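
As an added example (not from this thread or from OpenShift's own code or docs), the same procedure with the broad cluster-admin grant replaced by a role scoped to the Group objects the sync command reads and writes, which is the access Comment 2 describes as sufficient. The ClusterRole layout (apiVersion v1, apiGroups "" covering the legacy /oapi groups resource), the role name ldap-group-syncer, the verb list and the --confirm flag are assumptions for OpenShift 3.2.

```shell
#!/bin/sh
# Added example: give a dedicated user just enough access to run
# "oadm groups sync" instead of cluster-admin. Assumptions: OpenShift 3.2
# ClusterRole format, and that get/list/create/update/delete on "groups"
# is the read/write access the sync command needs.

# Print a ClusterRole scoped to Group objects only.
# "ldap-group-syncer" is a made-up role name.
sync_role_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ClusterRole
metadata:
  name: ldap-group-syncer
rules:
- apiGroups: [""]
  resources: ["groups"]
  verbs: ["get", "list", "create", "update", "delete"]
EOF
}

# Weak setting from the thread, kept only for comparison: full cluster-admin.
grant_cluster_admin() {
  oadm policy add-cluster-role-to-user cluster-admin "$1"
}

# Corrected setting: create the scoped role once, then bind it to the user.
# Run as system:admin on the master (oc login -u system:admin).
grant_sync_access() {
  user="$1"
  oc get clusterrole ldap-group-syncer >/dev/null 2>&1 \
    || sync_role_manifest | oc create -f -
  oadm policy add-cluster-role-to-user ldap-group-syncer "$user"
}

# Run the sync as that user (oc login prompts for the password).
# --loglevel=8 prints every API call the command makes, which is how you
# confirm the scoped role covers exactly what the sync needs and no more.
run_sync_as() {
  user="$1"; config="$2"
  oc login -u "$user"
  oadm groups sync --sync-config="$config" --confirm --loglevel=8
}
```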

Comment 8 Kenjiro Nakayama 2016-07-25 03:20:27 UTC
Sorry for my late reply.

> It makes many calls to discover information about the server. That debug output shows all calls made.

I meant the REST API call. If users try to sync/prune groups, which API should we access?

This API is for creating a group, so how can I call it to sync groups?

  POST /v1/groups/<GROUPNAME>

https://docs.openshift.com/enterprise/latest/rest_api/openshift_v1.html#create-a-group

Comment 9 Jordan Liggitt 2016-07-25 03:40:51 UTC
I see. The group sync uses APIs to create/update groups, but is not exposed via an API. Any user with sufficient permissions can run the oadm group sync command.

I don't anticipate exposing APIs specifically for LDAP group sync.

Is there a reason the existing command is insufficient? In the original RFE, the reason listed was "To sync/prune group, users have to execute oadm sync/prune by system:admin". That is not accurate; any user with sufficient permissions can run the oadm sync command.

Comment 10 Kenjiro Nakayama 2016-07-25 03:45:43 UTC
Good point... I should do it first, I'm sorry. I will discuss with customer and come back later.
