This repository has been archived by the owner on Jun 5, 2023. It is now read-only.
Add Documentation to Install and Configure Non-Org Root #2039
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
red2k18
reviewed
Sep 25, 2018
| But, you also have the option to run Forseti even if you only own a subset | ||
| of resources, such as a specific folder, or projects that are directly under | ||
| the organization. Inventory and Scanner will be supported for use on these | ||
| subset of resources, but Explain will not be supported. |
There was a problem hiding this comment.
What about data model? probably would me worth mentioning if raw data will be converted to structured data when organization is a folder or projects.
joecheuk
reviewed
Sep 25, 2018
| this. | ||
| 1. If you want Forseti to run from a folder, edit `forseti_conf_server.yaml` | ||
| and point the `root_resource_id` to the target folder: | ||
| `folders/<foo_folder_id>`. Grant the Forseti server service account to have |
There was a problem hiding this comment.
Without manually assigning roles on a folder level to the service account, does it work with the default org level roles/permissions (inheritance)?
There was a problem hiding this comment.
Done, clarified this by organizing the doc.
| the same roles on the target folder, as was [originally granted on the | ||
| organization]({% link _docs/latest/concepts/service-accounts.md %}). | ||
| 1. If you want Forseti to run on projects that you own, leave the | ||
| `root_resource_id` pointed to the organization. Grant project |
There was a problem hiding this comment.
If the user who ran the installation has org admin access, this will scan for all the projects?
There was a problem hiding this comment.
Good point, clarified this.
| viewer role to the Forseti server service account, on these specific | ||
| projects. | ||
| 1. Save the changes to `forseti_conf_server.yaml` file. | ||
| 1. Save `forseti_conf_server.yaml` to GCS bucket. |
There was a problem hiding this comment.
User also needs to pull down the changes on the VM (or via the cronjob), we have the process documented here: https://forsetisecurity.org/docs/latest/configure/general/index.html#moving-configuration-to-cloud-storage
blueandgold
commented
Sep 25, 2018
| But, you also have the option to run Forseti even if you only own a subset | ||
| of resources, such as a specific folder, or projects that are directly under | ||
| the organization. Inventory and Scanner will be supported for use on these | ||
| subset of resources, but Explain will not be supported. |
| this. | ||
| 1. If you want Forseti to run from a folder, edit `forseti_conf_server.yaml` | ||
| and point the `root_resource_id` to the target folder: | ||
| `folders/<foo_folder_id>`. Grant the Forseti server service account to have |
There was a problem hiding this comment.
Done, clarified this by organizing the doc.
| the same roles on the target folder, as was [originally granted on the | ||
| organization]({% link _docs/latest/concepts/service-accounts.md %}). | ||
| 1. If you want Forseti to run on projects that you own, leave the | ||
| `root_resource_id` pointed to the organization. Grant project |
There was a problem hiding this comment.
Good point, clarified this.
| viewer role to the Forseti server service account, on these specific | ||
| projects. | ||
| 1. Save the changes to `forseti_conf_server.yaml` file. | ||
| 1. Save `forseti_conf_server.yaml` to GCS bucket. |
red2k18
approved these changes
Sep 25, 2018
joecheuk
approved these changes
Sep 26, 2018
|
|
||
| ## Saving Changes | ||
| 1. Save the changes to `forseti_conf_server.yaml` file. | ||
| 1. Save `forseti_conf_server.yaml` [to GCS bucket]({% link _docs/latest/configure/general/index.md %}#moving-configuration-to-cloud-storage). |
There was a problem hiding this comment.
Maybe upload is a better word here?
| 1. Save the changes to `forseti_conf_server.yaml` file. | ||
| 1. Save `forseti_conf_server.yaml` [to GCS bucket]({% link _docs/latest/configure/general/index.md %}#moving-configuration-to-cloud-storage). | ||
| 1. Make the server to | ||
| [reload the updated configuration]({% link _docs/latest/use/cli/server.md %}). |
There was a problem hiding this comment.
If we want the user to reload manually, we will need another step to pull from the gcs bucket in the server VM before reloading the config.
| Run the Forseti [Installer]({% link _docs/latest/setup/install.md %}). | ||
|
|
||
| By default, the installer will try to assign org-level roles. If you are not | ||
| Org Admin, there will be errors, but you can safely disregard, as you will |
There was a problem hiding this comment.
I think there should be an an, not an org admin
|
|
||
| By default, the installer will try to assign org-level roles. If you are not | ||
| Org Admin, there will be errors, but you can safely disregard, as you will | ||
| assign the correct roles later. |
There was a problem hiding this comment.
Should we make it very specific that user will need to assign the roles manually?
joecheuk
pushed a commit
that referenced
this pull request
Sep 26, 2018
* Added 2.0 upgrade instruction (#1769) * Added 2.0 upgrade instruction * Addressed PR comment * Updated broken urls * Added missing gsuite scope (#1772) * Update upgrade.md (#1774) * Added compute engine disk resource (#1779) * Update CSCC doc (#1778) * versioned 2.1 * revert branch to stable * Updated generated configuration files * update versioning (#1791) * Added space between comment and function * Updated app.yaml file * updates * updates * fixed version redirect issues * Update forsetisecurity.org-dev faqs for VM instances security updates… (#1799) * Update forsetisecurity.org-dev faqs for VM instances security updates issue#830 * Changes to PR comments Update forsetisecurity.org-dev faqs for VM instances security updates issue#830 * Adding information about building the website server locally for development. * Adding information about building the website server locally for development. * Making a set of small changes pr comments in PR/1804 * Fixing title that got munged in merge * Making more changes to website section * Responding to an additional comment. * Responding to comments about dep location and ruby virtual environment. * Fixing issue 1801 where links to GitHub for latest are broken. * Update CSCC notifier documentation to list the additional requirements for CSCC (#1808) * Update doc to list the additional requirements for CSCC * Update how to enable API * Fixing issue 1801 where links to GitHub for latest are broken. (#1807) * Responding to comments in PR/1804 * Making an additional round of changes to PR/1804 * Making an additional round of changes to PR/1804 * Noting the updated G Suite Domain-wide Delegation screen. * Fixing typo in documentation * Fixing typo in org policy permission configuration * Updating documentation as `service-management enable` is now `services enable` $ gcloud beta service-management enable admin.googleapis.com ERROR: (gcloud.beta.service-management.enable) The `service-management enable` command has been replaced by `services enable`. * Documenting solution to virtualenv issues on clean Linux install This took literally hours of searching to figure out, so saving others time. * Adding some additional clarification to setup process, specifically g… (#1818) * Adding some additional clarification to setup process, specifically granting ACLs. * Fixing small typo * Responding to comment. * Adding clarifying details for CloudSQL setup (#1819) * Adding clarifying details for CloudSQL setup For example, a new screen UI was introduced in the CloudSQL creation process. * Making requested changes. * Adjusting indent to be four spaces * Adjusting overflow indent * Fix for "mysql_config not found" Showing how to fix "EnvironmentError: mysql_config not found" when MySQL isn't available due to version/license issues. * Updated installation instructions to include steps to install server instance only (#1824) * Updated installation instructions to include steps to install server instance only * Addressed PR comments * Executing specific subset of tests (#1852) Adding some examples for running specific subset of tests. * Adding solution for error repeatedly encountered in forseti setup (#1851) * Adding solution for error repeatedly encountered in forseti setup "bash: workon: command not found" and its solution on Linux machine. * Update setup.md * Add FAQ for adding documentation (#1863) * Add FAQ for adding documentation * tweak * tweak * tweak * tweak * Add the -r flag for requirements.txt (#1877) * Add the -r flag for requirements.txt (#1876) * Add the -r flag for requirements.txt (#1875) * Noting process for running unit tests in Docker after making changes (#1855) * Noting process for running unit tests in Docker after making changes * Updated website with instructions to modify cron job (#1906) * updated website with instructions to modify cron job * addressed comment on cron job update * adjusted line * adjusted line break * Forsetisecurity.org Add snapshots to Resource Coverage on website (#1912) * Add compute snapshots to covered resources * Fix link for compute engine disks * Updated documentation that G Suite is optional * Updated documentation * recent changes updated (#1933) * Add entry in FAQ for Terraform deployment (#1939) * Add entry in FAQ for Terraform deployment * Fixed typo * Update deploy-using-terraform.md * v2.2 website created (#1948) * Updated website with Slack information and office hours (#1950) * Updated website with Slack and office hours info * Updated website with slack info and office hours * Update upgrade instructions (#1966) * updates * git command updated * updates * pin sphinx version to 177 (#1987) * Update rules.md with new BigQuery syntax (#1984) * Update rules.md with new BigQuery syntax Partially fix #1937. * update deprecated notice * typos corrected (#1988) * created version v2.3.0 * added sphinx docs * Fix testing instructions (#1993) * Fix testing instructions * Adjust docs to match @blueandgold's suggestion from #1998 * Document the new sequential step-upgrade process. (#2016) * Document new upgrade process. * updates * formated md * Addressed PR comments * updates * updates * Added compute instance reset step * addressed PR comments * fixed broken urls * Add Documentation to Install and Configure Non-Org Root (#2039) * add doc for non-org root * tweak * tweak * tweak * tweak * tweak * reorganize doc for clarity * address comments * website publish v2.4
blueandgold
pushed a commit
that referenced
this pull request
Oct 5, 2018
* Added 2.0 upgrade instruction (#1769) * Added 2.0 upgrade instruction * Addressed PR comment * Updated broken urls * Added missing gsuite scope (#1772) * Update upgrade.md (#1774) * Added compute engine disk resource (#1779) * Update CSCC doc (#1778) * versioned 2.1 * revert branch to stable * Updated generated configuration files * update versioning (#1791) * Added space between comment and function * Updated app.yaml file * updates * updates * fixed version redirect issues * Update forsetisecurity.org-dev faqs for VM instances security updates… (#1799) * Update forsetisecurity.org-dev faqs for VM instances security updates issue#830 * Changes to PR comments Update forsetisecurity.org-dev faqs for VM instances security updates issue#830 * Adding information about building the website server locally for development. * Adding information about building the website server locally for development. * Making a set of small changes pr comments in PR/1804 * Fixing title that got munged in merge * Making more changes to website section * Responding to an additional comment. * Responding to comments about dep location and ruby virtual environment. * Fixing issue 1801 where links to GitHub for latest are broken. * Update CSCC notifier documentation to list the additional requirements for CSCC (#1808) * Update doc to list the additional requirements for CSCC * Update how to enable API * Fixing issue 1801 where links to GitHub for latest are broken. (#1807) * Responding to comments in PR/1804 * Making an additional round of changes to PR/1804 * Making an additional round of changes to PR/1804 * Noting the updated G Suite Domain-wide Delegation screen. * Fixing typo in documentation * Fixing typo in org policy permission configuration * Updating documentation as `service-management enable` is now `services enable` $ gcloud beta service-management enable admin.googleapis.com ERROR: (gcloud.beta.service-management.enable) The `service-management enable` command has been replaced by `services enable`. * Documenting solution to virtualenv issues on clean Linux install This took literally hours of searching to figure out, so saving others time. * Adding some additional clarification to setup process, specifically g… (#1818) * Adding some additional clarification to setup process, specifically granting ACLs. * Fixing small typo * Responding to comment. * Adding clarifying details for CloudSQL setup (#1819) * Adding clarifying details for CloudSQL setup For example, a new screen UI was introduced in the CloudSQL creation process. * Making requested changes. * Adjusting indent to be four spaces * Adjusting overflow indent * Fix for "mysql_config not found" Showing how to fix "EnvironmentError: mysql_config not found" when MySQL isn't available due to version/license issues. * Updated installation instructions to include steps to install server instance only (#1824) * Updated installation instructions to include steps to install server instance only * Addressed PR comments * Executing specific subset of tests (#1852) Adding some examples for running specific subset of tests. * Adding solution for error repeatedly encountered in forseti setup (#1851) * Adding solution for error repeatedly encountered in forseti setup "bash: workon: command not found" and its solution on Linux machine. * Update setup.md * Add FAQ for adding documentation (#1863) * Add FAQ for adding documentation * tweak * tweak * tweak * tweak * Add the -r flag for requirements.txt (#1877) * Add the -r flag for requirements.txt (#1876) * Add the -r flag for requirements.txt (#1875) * Noting process for running unit tests in Docker after making changes (#1855) * Noting process for running unit tests in Docker after making changes * Updated website with instructions to modify cron job (#1906) * updated website with instructions to modify cron job * addressed comment on cron job update * adjusted line * adjusted line break * Forsetisecurity.org Add snapshots to Resource Coverage on website (#1912) * Add compute snapshots to covered resources * Fix link for compute engine disks * Updated documentation that G Suite is optional * Updated documentation * recent changes updated (#1933) * Add entry in FAQ for Terraform deployment (#1939) * Add entry in FAQ for Terraform deployment * Fixed typo * Update deploy-using-terraform.md * v2.2 website created (#1948) * Updated website with Slack information and office hours (#1950) * Updated website with Slack and office hours info * Updated website with slack info and office hours * Update upgrade instructions (#1966) * updates * git command updated * updates * pin sphinx version to 177 (#1987) * Update rules.md with new BigQuery syntax (#1984) * Update rules.md with new BigQuery syntax Partially fix #1937. * update deprecated notice * typos corrected (#1988) * created version v2.3.0 * added sphinx docs * Fix testing instructions (#1993) * Fix testing instructions * Adjust docs to match @blueandgold's suggestion from #1998 * Document the new sequential step-upgrade process. (#2016) * Document new upgrade process. * updates * formated md * Addressed PR comments * updates * updates * Added compute instance reset step * addressed PR comments * fixed broken urls * Add Documentation to Install and Configure Non-Org Root (#2039) * add doc for non-org root * tweak * tweak * tweak * tweak * tweak * reorganize doc for clarity * address comments * website publish v2.4 * Cloud Asset Inventory documentation (#2054) * CAI documentation * updated cai doc page * addressed comments * added bucket level role * documented steps to enable cai while upgrading * added gcloud command * fixed quotes around command * added steps to upgrade from v2.4 to v2.5 * reorganized steps by placing both the gcloud command steps together * need to add a service account role * updates * updates * updates * Added lien scanner config update instructions * travis updates * updates * Created v2.5.0.
joecheuk
added a commit
that referenced
this pull request
Oct 19, 2018
* Added 2.0 upgrade instruction (#1769) * Added 2.0 upgrade instruction * Addressed PR comment * Updated broken urls * Added missing gsuite scope (#1772) * Update upgrade.md (#1774) * Added compute engine disk resource (#1779) * Update CSCC doc (#1778) * versioned 2.1 * revert branch to stable * Updated generated configuration files * update versioning (#1791) * Added space between comment and function * Updated app.yaml file * updates * updates * fixed version redirect issues * Update forsetisecurity.org-dev faqs for VM instances security updates… (#1799) * Update forsetisecurity.org-dev faqs for VM instances security updates issue#830 * Changes to PR comments Update forsetisecurity.org-dev faqs for VM instances security updates issue#830 * Adding information about building the website server locally for development. * Adding information about building the website server locally for development. * Making a set of small changes pr comments in PR/1804 * Fixing title that got munged in merge * Making more changes to website section * Responding to an additional comment. * Responding to comments about dep location and ruby virtual environment. * Fixing issue 1801 where links to GitHub for latest are broken. * Update CSCC notifier documentation to list the additional requirements for CSCC (#1808) * Update doc to list the additional requirements for CSCC * Update how to enable API * Fixing issue 1801 where links to GitHub for latest are broken. (#1807) * Responding to comments in PR/1804 * Making an additional round of changes to PR/1804 * Making an additional round of changes to PR/1804 * Noting the updated G Suite Domain-wide Delegation screen. * Fixing typo in documentation * Fixing typo in org policy permission configuration * Updating documentation as `service-management enable` is now `services enable` $ gcloud beta service-management enable admin.googleapis.com ERROR: (gcloud.beta.service-management.enable) The `service-management enable` command has been replaced by `services enable`. * Documenting solution to virtualenv issues on clean Linux install This took literally hours of searching to figure out, so saving others time. * Adding some additional clarification to setup process, specifically g… (#1818) * Adding some additional clarification to setup process, specifically granting ACLs. * Fixing small typo * Responding to comment. * Adding clarifying details for CloudSQL setup (#1819) * Adding clarifying details for CloudSQL setup For example, a new screen UI was introduced in the CloudSQL creation process. * Making requested changes. * Adjusting indent to be four spaces * Adjusting overflow indent * Fix for "mysql_config not found" Showing how to fix "EnvironmentError: mysql_config not found" when MySQL isn't available due to version/license issues. * Updated installation instructions to include steps to install server instance only (#1824) * Updated installation instructions to include steps to install server instance only * Addressed PR comments * Executing specific subset of tests (#1852) Adding some examples for running specific subset of tests. * Adding solution for error repeatedly encountered in forseti setup (#1851) * Adding solution for error repeatedly encountered in forseti setup "bash: workon: command not found" and its solution on Linux machine. * Update setup.md * Add FAQ for adding documentation (#1863) * Add FAQ for adding documentation * tweak * tweak * tweak * tweak * Add the -r flag for requirements.txt (#1877) * Add the -r flag for requirements.txt (#1876) * Add the -r flag for requirements.txt (#1875) * Noting process for running unit tests in Docker after making changes (#1855) * Noting process for running unit tests in Docker after making changes * Updated website with instructions to modify cron job (#1906) * updated website with instructions to modify cron job * addressed comment on cron job update * adjusted line * adjusted line break * Forsetisecurity.org Add snapshots to Resource Coverage on website (#1912) * Add compute snapshots to covered resources * Fix link for compute engine disks * Updated documentation that G Suite is optional * Updated documentation * recent changes updated (#1933) * Add entry in FAQ for Terraform deployment (#1939) * Add entry in FAQ for Terraform deployment * Fixed typo * Update deploy-using-terraform.md * v2.2 website created (#1948) * Updated website with Slack information and office hours (#1950) * Updated website with Slack and office hours info * Updated website with slack info and office hours * Update upgrade instructions (#1966) * updates * git command updated * updates * pin sphinx version to 177 (#1987) * Update rules.md with new BigQuery syntax (#1984) * Update rules.md with new BigQuery syntax Partially fix #1937. * update deprecated notice * typos corrected (#1988) * created version v2.3.0 * added sphinx docs * Fix testing instructions (#1993) * Fix testing instructions * Adjust docs to match @blueandgold's suggestion from #1998 * Document the new sequential step-upgrade process. (#2016) * Document new upgrade process. * updates * formated md * Addressed PR comments * updates * updates * Added compute instance reset step * addressed PR comments * fixed broken urls * Add Documentation to Install and Configure Non-Org Root (#2039) * add doc for non-org root * tweak * tweak * tweak * tweak * tweak * reorganize doc for clarity * address comments * website publish v2.4 * Cloud Asset Inventory documentation (#2054) * CAI documentation * updated cai doc page * addressed comments * added bucket level role * documented steps to enable cai while upgrading * added gcloud command * fixed quotes around command * added steps to upgrade from v2.4 to v2.5 * reorganized steps by placing both the gcloud command steps together * need to add a service account role * updates * updates * updates * Added lien scanner config update instructions * travis updates * updates * Created v2.5.0. * forsetisecurity.org dev newsupdates (#2087) * October 2018 forsetisecurity.org news posts (#2085) * Cloud Asset Inventory * Forseti Day '18 London * Adjust pagination value for news posts (#2086) * Update 2018-10-08-forseti-cai.md * Update 2018-10-08-forseti-cai.md * Updated documentation with location details to create bucket for CAI (#2102) * doc updated * updated doc for cai bucket update * updated bucket location * Added steps to upgrade from v2.5 to v2.6 (#2112) * added steps to upgrade from v2.5 to v2.6 * fixed typos * updated doc with the role * adjusted line * added scanner and notifier * Added 2.0 upgrade instruction (#1769) * Added 2.0 upgrade instruction * Addressed PR comment * Updated broken urls * Update upgrade.md (#1774) * Added compute engine disk resource (#1779) * Update CSCC doc (#1778) * versioned 2.1 * revert branch to stable * Updated generated configuration files * update versioning (#1791) * Updated app.yaml file * updates * updates * fixed version redirect issues * Adding information about building the website server locally for development. * Making a set of small changes pr comments in PR/1804 * Making more changes to website section * Responding to an additional comment. * Responding to comments about dep location and ruby virtual environment. * Update CSCC notifier documentation to list the additional requirements for CSCC (#1808) * Update doc to list the additional requirements for CSCC * Update how to enable API * Responding to comments in PR/1804 * Making an additional round of changes to PR/1804 * Making an additional round of changes to PR/1804 * Fixing typo in documentation * Fixing typo in org policy permission configuration * Documenting solution to virtualenv issues on clean Linux install This took literally hours of searching to figure out, so saving others time. * Adding some additional clarification to setup process, specifically g… (#1818) * Adding some additional clarification to setup process, specifically granting ACLs. * Fixing small typo * Responding to comment. * Fix for "mysql_config not found" Showing how to fix "EnvironmentError: mysql_config not found" when MySQL isn't available due to version/license issues. * Updated installation instructions to include steps to install server instance only (#1824) * Updated installation instructions to include steps to install server instance only * Addressed PR comments * Executing specific subset of tests (#1852) Adding some examples for running specific subset of tests. * Adding solution for error repeatedly encountered in forseti setup (#1851) * Adding solution for error repeatedly encountered in forseti setup "bash: workon: command not found" and its solution on Linux machine. * Update setup.md * Add the -r flag for requirements.txt (#1876) * Noting process for running unit tests in Docker after making changes (#1855) * Noting process for running unit tests in Docker after making changes * Forsetisecurity.org Add snapshots to Resource Coverage on website (#1912) * Add compute snapshots to covered resources * Fix link for compute engine disks * Updated documentation that G Suite is optional * Updated documentation * recent changes updated (#1933) * v2.2 website created (#1948) * Update upgrade instructions (#1966) * updates * git command updated * updates * typos corrected (#1988) * created version v2.3.0 * added sphinx docs * Document the new sequential step-upgrade process. (#2016) * Document new upgrade process. * updates * formated md * Addressed PR comments * updates * updates * Added compute instance reset step * addressed PR comments * fixed broken urls * website publish v2.4 * Cloud Asset Inventory documentation (#2054) * CAI documentation * updated cai doc page * addressed comments * added bucket level role * documented steps to enable cai while upgrading * added gcloud command * fixed quotes around command * added steps to upgrade from v2.4 to v2.5 * reorganized steps by placing both the gcloud command steps together * need to add a service account role * updates * updates * updates * Added lien scanner config update instructions * travis updates * updates * Created v2.5.0. * forsetisecurity.org dev newsupdates (#2087) * October 2018 forsetisecurity.org news posts (#2085) * Cloud Asset Inventory * Forseti Day '18 London * Adjust pagination value for news posts (#2086) * Update 2018-10-08-forseti-cai.md * Update 2018-10-08-forseti-cai.md * Updated documentation with location details to create bucket for CAI (#2102) * doc updated * updated doc for cai bucket update * updated bucket location * Added steps to upgrade from v2.5 to v2.6 (#2112) * added steps to upgrade from v2.5 to v2.6 * fixed typos * updated doc with the role * adjusted line * added scanner and notifier * Add orgpolicy viewer role to latest documentation * Removed orgpolicy viewer role from 2.4 documentation * Created version 2.6
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Thanks for opening a Pull Request!
Here's a handy checklist to ensure your PR goes smoothly.
pylint --rcfile=pylintrcpasses.These guidelines and more can be found in our contributing guidelines.