Changing the default for auto escalate to false #503
Conversation
* Also since we are now using 3.7 move to using kubernetes rbac.
openshift-ci-robot
added
the
size/S
shawn-hurley
added
enhancement
needs-review
and removed
size/S
|
This can be merged after #522 is merged. |
@shawn-hurley I'm all for us testing the auth code paths, but is disabling |
|
@rthallisey What do you think about making the deployment template and the generated script to default to true for developers, and moving the default to false for catasb (which has been merged) and then we can set it to true when using the kubernetes playbooks? |
|
My opinion is that I would like for us to be using the broker like it would be used in production, but if you're using the master branch then I would expect the developer experience to be priority so some of the security is going to be off.
@shawn-hurley I'm good with that. I think that covers it. |
openshift-ci-robot
added
the
size/S
|
Seems like you are still auto escalating? To me it makes more sense to always have auto escalating be false and just provision a powerful user in test environments. |
|
@enj all of the downstream environments will be using the correct setting, and in fact, the default for most of the developer's dev environment will also be set false (fusor/catasb#168). The only things that are set to true, are our If the above still makes you uncomfortable, what if we change the default for the template to false and override the parameter for the two cases below? |
|
Generally I feel a lot more comfortable now that you pointed out fusor/catasb#168, but some thoughts:
But why do those need to be different than everyone else's environments?
That seems OK too, but since you are creating a custom environment, why not just grant extra rights to your custom dev user (I am assuming you have something like that)? Then its the user that is doing the action that is different in dev (instead of the entire auth code path being skipped). |
|
@enj the user's that we create will have full access to their namespaces, I think you are correct that it will not affect development in any way. @rthallisey can you please comment if you feel otherwise? I will make another PR to move this back to false as the default, and will not override in the two scripts. |
If you're running locally, then you're doing development primarily on the broker. So the expectation is you are going to be in 'privileged mode'. Like you said @enj, I think while using a local broker we can bump the user's permissions way up so we still use the auth code path. I think that's a better solution. @shawn-hurley lets turn auto-escalate to false and change the service account permissions in the local script. Let me know if folks disagree. |
Describe what this PR does and why we need it:
Changing the default for auto escalate to false. Currently, we are by default testing no authorization code paths, this change will turn on the authorization code paths by default.
Changes proposed in this pull request
AUTO_ESCALATEto falseDoes this PR depend on another PR (Use this to track when PRs should be merged)
depends-on
Should be merged with fusor/catasb#168
Which issue this PR fixes (This will close that issue when PR gets merged)
fixes #429