Add annotations to roles #11328
Add annotations to roles #11328
Conversation
| @@ -221,6 +237,10 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: AdminRoleName, | |||
| Annotations: map[string]string{ | |||
| RoleDescription: "A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for role creation and quota. If the cluster-admin wants to allow an admin to modify roles, the cluster-admin must create a project-scoped Policy object using JSON.", | |||
| RoleSomething: RoleSomethingVal, | |||
There was a problem hiding this comment.
This seems backwards. Since most people will be adding roles that they want users to use, why wouldn't we have an explicit opt-in for exclusion.
| RoleDisplayName = "openshift.io/display-name" | ||
|
|
||
| // RoleDescription is an annotation that holds the description of the role | ||
| RoleDescription = "openshift.io/description" |
There was a problem hiding this comment.
promote the description and display name to a shared package. These cross all api groups.
| @@ -494,6 +540,10 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: DeployerRoleName, | |||
| Annotations: map[string]string{ | |||
| RoleDisplayName: "deployer", | |||
| RoleSomething: RoleSomethingVal, | |||
| @@ -458,6 +500,10 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: ImageBuilderRoleName, | |||
| Annotations: map[string]string{ | |||
| RoleDisplayName: "image-builder", | |||
| RoleSomething: RoleSomethingVal, | |||
|
@deads2k I exposed those SA-ish roles because there was some talk about making SAs (which may then need these roles to do something). Based on info from @benjaminapetersen and some pruning I have narrowed the data to 8 roles:
The 7 roles with |
|
[test] |
|
We already have annotations for these and they are in the k8s.io namespace. On Oct 11, 2016, at 3:28 PM, David Eads [email protected] wrote: @deads2k commented on this pull request.In pkg/cmd/server/bootstrappolicy/policy.go
+const (
promote the description and display name to a shared package. These cross — |
|
We want to use |
I haven't actually seen these annotations upstream and my grep-fu can't find them. @smarterclayton can I get a pointer to them? |
|
why do we we want display names on roles? I don't think it's worth the confusion (and possible accidental granting of unintentional powers when a UI is involved) around whether you are dealing with a display name or the actual role name |
|
I was messing around with supporting these edge cases via: Both can exist, but it is confusing. Hopefully the descriptions are clear, but if no descriptions we have a problem. My personal preference would be that roles cannot have the same name as another role, whatever the scope, and don't both with display names. Is there a good reason to allow? |
|
it's impossible to enforce unique names in different scopes |
|
I would probably represent local roles as |
|
Ok great, I'll run with that. |
openshift-bot
added
needs-rebase
|
@openshift/api-review @enj So it's been requested we aim for getting these in for 3.5. It looks like we have a few outstanding questions that need answering at this point:
|
|
@jwforres fyi above comment |
seems like a good idea. if we add annotations to the default roles (for descriptions or a "hide-by-default" flag), we need to make role reconciliation annotation-aware. currently, it preserves all annotations from an existing role object... merging them will require thought.
For openshift objects, I would use the openshift annotation
agree |
|
@enj is this waiting on me for something? |
enj
force-pushed
the
enj/f/role_annotations/11268
branch
from
f65c297 to
1cecfd4
Compare
|
@enj / any who are interested, how about |
openshift-bot
removed
the
needs-rebase
|
@liggitt so Edit: NVM those get force updated. |
| @@ -0,0 +1,10 @@ | |||
| package constants | |||
There was a problem hiding this comment.
not sure we want a package for constants... annotation keys typically go in the API package directly
There was a problem hiding this comment.
I believe I did that to resolve a circular dependency (but that was a while ago).
| @@ -131,6 +131,9 @@ func init() { | |||
| authorizationapi.ClusterRole{ | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: BuildControllerRoleName, | |||
There was a problem hiding this comment.
add these annotations in addServiceAccount? aren't all service account roles infra only?
| @@ -91,6 +99,10 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: ClusterAdminRoleName, | |||
| Annotations: map[string]string{ | |||
| constants.OpenShiftDescription: "A super-user that can perform any action in any project. When granted to a user within a local policy, they have full control over quota and roles and every action on every resource in the project.", | |||
There was a problem hiding this comment.
"...can perform any action in the cluster."?
| @@ -231,6 +261,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: AdminRoleName, | |||
| Annotations: map[string]string{ | |||
| constants.OpenShiftDescription: "A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for role creation and quota. If the cluster-admin wants to allow an admin to modify roles, the cluster-admin must create a project-scoped Policy object using JSON."}, | |||
| @@ -344,6 +378,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: ViewRoleName, | |||
| Annotations: map[string]string{ | |||
| constants.OpenShiftDescription: "A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings."}, | |||
There was a problem hiding this comment.
call out that they can't see secrets
| @@ -393,6 +429,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: BasicUserRoleName, | |||
| Annotations: map[string]string{ | |||
| constants.OpenShiftDescription: "A user that can get basic information about projects and users."}, | |||
There was a problem hiding this comment.
this allows listing projects and getting information about yourself, not users in general
| @@ -416,6 +457,10 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: SelfProvisionerRoleName, | |||
| Annotations: map[string]string{ | |||
| constants.OpenShiftDescription: "A user that can create their own projects.", | |||
There was a problem hiding this comment.
they can't create their own, they can request projects
|
@liggitt All requested changes have been addressed. @jwforres / @benjaminapetersen Let me know if you guys have any comments on the |
| @@ -231,6 +261,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: AdminRoleName, | |||
| Annotations: map[string]string{ | |||
| oapi.OpenShiftDescription: "A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for role creation and quota. If the cluster-admin wants to allow an admin to modify roles, the cluster-admin must create a project-scoped Policy object."}, | |||
There was a problem hiding this comment.
I don't think we want these getting too technical, these descriptions are for end users deciding why they want to choose one role vs another. What if we simplify this whole thing down to:
"A user that has edit rights within the project and can change the project's membership."
Maybe contentious since membership is a console term?
There was a problem hiding this comment.
Eh I have heard of membership but I assume it means roles + bindings => policy?
| @@ -292,6 +324,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: EditRoleName, | |||
| Annotations: map[string]string{ | |||
| oapi.OpenShiftDescription: "A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings."}, | |||
There was a problem hiding this comment.
A user that can create and edit most objects in a project, but can not update the project's membership.
| @@ -344,6 +378,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: ViewRoleName, | |||
| Annotations: map[string]string{ | |||
| oapi.OpenShiftDescription: "A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings or secrets."}, | |||
There was a problem hiding this comment.
A user who can view but not edit any resources within the project. They can not view secrets.
There was a problem hiding this comment.
Isn't the role part important?
| @@ -393,6 +429,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: BasicUserRoleName, | |||
| Annotations: map[string]string{ | |||
| oapi.OpenShiftDescription: "A user that can get basic information about projects."}, | |||
There was a problem hiding this comment.
what does this even mean? they can Get/List the project but not get any objects within the project?
There was a problem hiding this comment.
So we have to be vague enough that the description doesn't get too far out of sync since the specifics of rules will almost certainly change over time. Right now it means:
- Get info about yourself
- List
projectrequests - Get/List
clusterroles - List
storageclasses - List/Watch
projects
| @@ -91,6 +99,10 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| { | |||
| ObjectMeta: kapi.ObjectMeta{ | |||
| Name: ClusterAdminRoleName, | |||
| Annotations: map[string]string{ | |||
There was a problem hiding this comment.
instead of saying "granted to a user within a local policy" can you say "granted to a user on a project"
There was a problem hiding this comment.
Maybe "within a project"?
@jwforres I copied the descriptions verbatim from here and those were not listed (nor did I have any idea what to describe them as). Maybe @liggitt can provide some? @liggitt I need your input on @jwforres' suggestions so I can finalize the descriptions. |
Signed-off-by: Monis Khan <[email protected]>
enj
force-pushed
the
enj/f/role_annotations/11268
branch
from
6583b22 to
d89c5cd
Compare
|
@liggitt This is ready for merge. |
|
[merge] |
|
Evaluated for origin merge up to d89c5cd |
|
Evaluated for origin test up to d89c5cd |
|
@liggitt sanity check confirmed - reconciliation works as expected. |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13002/) (Base Commit: cf4e84e) |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13013/) (Base Commit: e4b43ee) (Image: devenv-rhel7_5718) |
…le-whitelist Automatic merge from submit-queue. Update membership filter to use MEMBERSHIP_WHITELIST in Constants.js Moving back to using a simple whitelist via [origin issue 16862](openshift/origin#16862) fixes [origin issue 16862](openshift/origin#16862) History: - issue #14411 - PR #14510, - PR #15241 - [PR 11328](openshift/origin#11328) (original) At this point ignoring the annotation `systemOnly` entirely. @jwforres @spadgett @enj
Fixes #11268
Added just the basic bits; now someone tell me what they want to call the annotation... (along with display names and descriptions)
Signed-off-by: Monis Khan [email protected]
cc @benjaminapetersen @jwforres @openshift/api-review