Separate build strategy permissions into distinct roles

[liggitt]

Resolves #8526 by making build strategy permissions individually grantable/revocable. Removes build strategy permissions from the admin and edit roles and adds three default roles, one for each build strategy.

As before, all users that can create builds are granted permission to use all
build strategies (Docker, Source-to-Image, and Custom).

Each build strategy has a corresponding build subresource and role. A user must have permission to create a build and permission to create on the build strategy subresource in order to create builds using that strategy. Default roles are provided which grant the create permission on the build strategy subresource.

Strategy	Subresource	Role
Docker	builds/docker	system:build-strategy-docker
Source-to-Image	builds/source	system:build-strategy-source
Custom	builds/custom	system:build-strategy-custom

[liggitt]

@csrwng @deads2k PTAL

I think I dislike this least of the options discussed in #8526 (comment)

[deads2k]

Post 1.2?

[deads2k]

shouldn't need update.

[liggitt]

removed

[deads2k]

I think I dislike this least of the options discussed in #8526 (comment)

Eh, less userfriendly in the end. Feels like the cheap way out to me.

[deads2k]

add something like "and its "safe" because system:authenticated is excluded from clusterrolebinding reconciliation by default."

[deads2k]

Minor comments, lgtm, but this release is supposed to be done.

@danmcp or @smarterclayton for approval.

[liggitt]

[test]

[csrwng]

LGTM

[smarterclayton]

Approved for 1.2 given the security impact if we reset it.

[smarterclayton]

hack/../test/cmd/policy.sh: line 48: os:cmd::expect_success: command not found
!!! Error in hack/../test/cmd/policy.sh:48
    'os:cmd::expect_success 'oadm policy remove-cluster-role-from-group system:build-strategy-custom system:authenticated'' exited with status 127
Call stack:
    1: hack/../test/cmd/policy.sh:48 main(...)
Exiting with status 1
!!! Error in hack/test-cmd.sh:300
    '${test}' exited with status 1
Call stack:
    1: hack/test-cmd.sh:300 main(...)
Exiting with status 1

[liggitt]

"image cache/mysql:pullthrough not found" flake

[liggitt]

[merge]

[smarterclayton]

This flake is worrying me in that we have no idea why it is happening.
@soltysh we need to track this down - what other debug can we add to
identify the failure?

[liggitt]

Image import flake:

FAILURE after 59.474s: test/cmd/newapp.sh:108: executing 'oc get imagestreamtags wildfly:latest' expecting success; re-trying every 0.2s until completion or 60.000s: the command timed out

[test]

[liggitt]

UI flake on test, image import flake on merge
[test][merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5608/) (Image: devenv-rhel7_3984)

[liggitt]

TestTryOrdering flake, [test][merge]

[openshift-bot]

Evaluated for origin test up to 3ae0a8d

[openshift-bot]

Evaluated for origin merge up to 3ae0a8d

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/3032/)

[smarterclayton]

Fixed TestTryOrdering upstream in
kubernetes/kubernetes#24382

On Sat, Apr 16, 2016 at 11:00 AM, OpenShift Bot
[email protected] wrote:

Merged #8528.

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub