New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid default namespace name #15323
Comments
@nwalens Thanks for reporting it. It's an important issue we need to handle |
I can suggest such a solution for this use-case.
I think variant 1. is safer since we might use username in other places that require the same restrictions. WDYT @metlos @sleshchenko @slemeur @l0rd @sparkoo ? |
I'm technically ok with that, but I'm not sure we can allow limitation like that. What if company uses some incompatible format for employees usernames? Do we force them to treat Che deployment in different way to all their other internal services? |
I would say: If the companies want to use usernames as names of k8s objects, they should carefully think about username restrictions. |
I'm for option 2. and provide another placeholder for namespaces |
It has too many edge cases. I would try to avoid going this way. |
One other idea would be to store the value that should be used for @alexeykazakov, would this approach be workable for your case as well, given what you said in #15300 (comment) ? |
@metlos then it becomes a new feature. Not |
But how keycloak will get that compliant username? And how you can make sure that it's exactly the namespace which is expected to be used? As I mentioned in #15300 (comment) you can't really guarantee username -> namespace mapping inside Che. It could work if che creates these namespaces. But if Che is supposed to use the existing namespaces (like in Hosted Toolchain) then the namespace has to come from the cluster/operator admin/controller. I was thinking that the namespace to be used can be stored as an annotation in OpenShift User (or Identity) resource. And it should be set by the admin or, in case of Hosted Toolchain, by Toolchain operator during namespace provisioning. |
That's exactly what I had in mind. There would be an externally set attribute on the keycloak identity that we would use as an expansion for |
By Keycloak Identity you mean JWT token generated by Keycloak, right? But how it's supposed to be set in the token? I was thinking that a cluster admin (in case of Hosted Toolchain it will be toolchain operator) adds an annotation to OpenShift User (or Identity) resource. And this is attributed is picked up by Che. How Che get access to it is another question. If you don't want/can't get the OpenShift User/Identity resource directly from the cluster for some reason then theoretically you could pass that attribute through Keycloak User/Identity attribute and map it to some JST claim in the token. But I have no idea how you could make Keycloak to add such attribute to its Identity using the OpenShift User.meta.attributes["]. |
I am not that well versed in what information is passed around in the tokens, but I know that we read the the user object from Keycloak to establish e.g. their email address. Using the same call, I believe we can also obtain the free-form attributes that can be attached to the user in Keycloak. From there it's just a matter of propagating it throughout our call-chains, I believe. |
As far as I understand Keycloak gets email directly from the user. During the first login Che Keycloak asks me to provide my email. Then it's mapped by Keycloak to the token claim. |
Can we replaces illegal characters with -? |
It’s not that simple. What if there is already foo-bar-che user? |
Running into this too... When integrated with oAuth, I'm seeing my username default to IE:Here's the default experience: Eventually, you'll end up with this error and no way to work around it: However, if you change the username like so: Everything works fine: |
I've sent some thoughts to the mail list https://www.eclipse.org/lists/che-dev/msg03864.html. Please participate if you are interested |
I will try to summarize current situation to understand if we can close this issue: Currently a developer starts his first Che workspace and... If a namespace with labels and annotations described here exist, in particular with label Otherwise a new namespace will be created. A sanitized So, in both cases, even if @skabashnyuk on OpenShift with OAuth enabled, does @alexeykazakov this looks like the proper way to fix #17265, as soon as you will be able to annotate code namespaces we should switch to this mechanism. |
I'm not sure I fully understand the docs.. Please correct me if I'm wrong but you are saying that we can:
Is it correct? But what |
AFAIK we use Che username, so it won't work with OpenShift one.
We're using impersonated openshift client to create/delete the workspace objects, so user has to have the permissions to manage objects in the namespace. When we're creating the namespace from Che, User has admin permissions to the namespace as well. |
@sparkoo ok but the doc link I provided is in the section "Pre-creating namespaces for users". If the namespace is pre-created why does the Che user need admin role? Edit role should be enough. |
@l0rd you may be correct. I'm not sure if I've tested it with |
I'm not sure if it's changed in the latest Che but edit role was not enough because Che created Roles/RoleBindings in the workspace namespace and the edit role does not grant these permissions. |
Gotcha. Would it be possible to create those rolebindings as part of the namespace provisioning? |
If they are not "dynamic" and can be added as an OpenShift template to https://github.com/codeready-toolchain/host-operator/blob/master/deploy/templates/nstemplatetiers/basic/ns_code.yaml then yes, we can do that. |
@l0rd @alexeykazakov I've just tested it and I can confirm that
The backport PR of the precreated namespace feature is here #18471 If you're ok with it, I'll merge on Friday. The documentation is already there in 7.20.x and I have no idea why (#18471 (comment)). |
@alexeykazakov currently it is possible to use only che username to match prepared namespaces https://www.eclipse.org/che/docs/che-7/installation-guide/configuring-namespace-strategies/#_pre_creating_namespaces_for_users. We can add support for openshift username or openshift userid as well. Do you think that will fix your issue here? |
@alexeykazakov would adding |
@l0rd The
We would need to get that ^^^ working in our CRW instance before we can start using Also,.. how far away are we from dropping that redundant (from the UX point of view) Keycloak form completely? |
Correct
Correct
Sure, we are not there yet. I wanted to understand if we should plan to work on it or not. In the meantime you may start adding the label
That's a separate topic. We should probably have a call to discuss it. Anyway we do not have a plan for that yet. |
the username placeholder must be used in annotation, because label value has DNS character limitation https://www.eclipse.org/che/docs/che-7/installation-guide/configuring-namespace-strategies/#_pre_creating_namespaces_for_users |
@alexeykazakov @l0rd I've created issue for openshift-username #18500 |
@sparkoo what about Currently that endpoint requires Che username. We don't have it but it's not a problem when openshift username matches the che username. Will it be covered by #18500 ? |
feels like different issue to me |
Ok. But this would be a blocker for us. We can't start relying on the username annotation until OpenShift usernames a fully supported in /api/user?find too. |
@alexeykazakov the team has some difficulties to understand the complications you have and the directions you see to solve it. From what we know in the environment you have Potentially we want to remove the requirement with apiVersion: v1
items:
- apiVersion: user.openshift.io/v1
groups: null
identities:
- htpasswd_provider:opentlc-mgr
kind: User
metadata:
creationTimestamp: "2020-11-30T07:36:06Z"
name: opentlc-mgr <---------
resourceVersion: "153533"
selfLink: /apis/user.openshift.io/v1/users/opentlc-mgr
uid: 302108f9-7ae9-447d-8a8f-84a9a92b78a5
kind: List
metadata:
resourceVersion: ""
selfLink: "" If that is not suitable for you can you explain what user's information you have that you can put in namespace labels so later we can identify him on che server side. |
We are still affected by that issue until this read-only theme is available in CRW Addon.
It you drop that read-only theme and users can edit the username again then
We need |
I've talked today with @ibuziuk. We believe that you may rely on the fact that |
But we can't rely on it if you drop the read-only form and users are able to change the username. I thought this is what you were asking. If we can drop that form and rely on the username annotation instead. |
@alexeykazakov for sure we don't want to make your or any of our customer's life more complicated. I've just said that we "Potentially we want to remove the requirement with Kycloak UI theme" and that is only in case if that will not introduce new complications. I believe here we are mixing two problems together. That I'm not sure that it is reasonable to track in this in this concrete issue BTW. |
By default it seems that Che creates namespaces based on usernames which in turn means that the username has to comply with the DNS naming standards.
In my case, my username is like foo.bar and when I create a new workspace, Che tries to create an Openshift project named foo.bar-che which is not accepted by Openshift.
The text was updated successfully, but these errors were encountered: