[ODC-4388] Allow cluster admins to create terminals #7145
Conversation
openshift-ci-robot
added
component/core
|
Hi @JPinkney. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
JPinkney
changed the title
frontend/packages/console-app/src/components/cloud-shell/CloudShellTerminal.tsx
Show resolved
Hide resolved
|
This is aligned with one of our committed epics - confirmed that this is not dependent on updated to the WTO. @christianvogt can you help get reviews on this? |
There was a problem hiding this comment.
Tested on crc (1.18.0+bb304aa with OpenShift 4.6) with my built console and everything works as expected:
- Cluster admin is not able to exec into developer workspace.
- Cluster admin gets terminal in openshift-terminal namespace.
- Console ignores all terminals which are not in openshift-terminal namespace for cluster admin.
- Backend denies to /exec/init for cluster admin if terminal is not in openshift-terminal.
Good job!
frontend/packages/console-app/src/components/cloud-shell/useCloudShellWorkspace.ts
Outdated
Show resolved
Hide resolved
frontend/packages/console-app/src/components/cloud-shell/setup/CloudShellAdminSetup.tsx
Outdated
Show resolved
Hide resolved
frontend/packages/console-app/src/components/cloud-shell/setup/CloudShellAdminSetup.tsx
Outdated
Show resolved
Hide resolved
frontend/packages/console-app/src/components/cloud-shell/setup/CloudShellAdminSetup.tsx
Outdated
Show resolved
Hide resolved
|
Tried this and works as expected on the surface. |
|
@christianvogt Regarding:
Can you try with the latest changes? I just got a fresh cluster from cluster bot and deployed the changes and looks like I can't reproduce anymore |
|
/ok-to-test |
openshift-ci-robot
added
ok-to-test
|
/retest |
|
@sleshchenko @JPinkney is everything on the backend good now? Sorry I haven't been following what's needed on the backend changes. |
|
Yeah, everything should be good on the backend and frontend now |
|
/lgtm |
|
I tried again on cluster bot and everything worked for the admin and normal user. |
|
/retest |
frontend/packages/console-app/src/components/cloud-shell/CloudShellTerminal.tsx
Outdated
Show resolved
Hide resolved
frontend/packages/console-app/src/components/cloud-shell/CloudShellTerminal.tsx
Outdated
Show resolved
Hide resolved
frontend/packages/console-app/src/components/cloud-shell/setup/CloudShellAdminSetup.tsx
Show resolved
Hide resolved
frontend/packages/console-app/src/components/cloud-shell/CloudShellTerminal.tsx
Outdated
Show resolved
Hide resolved
|
front end changes lgtm. Waiting for cluster bot to test again. |
There was a problem hiding this comment.
/approve
Backend changes LGTM. I will let @christianvogt give final lgtm. Thanks!
openshift-ci-robot
added
approved
…mespace Modify backend proxy check to allow cluster admins if and only if their terminal is in the openshift-terminal namespace Only search for terminals in openshift-terminal namespace when using cluster admin Rework terminal proxy to use isClusterAdmin for checking if the user can access the terminal Use error status to see if namespace exists in CloudShellAdminSetup Return false if namespace is not found in CloudShellAdminSetup instead of displaying error. The reason we need to do this is if you set the error the terminal will flash quickly with the error before switching to the newly created terminal. Make subject access review request against openshift-terminal namespace Display loading screen until admin check has finished Signed-off-by: Josh Pinkney <joshpinkney@gmail.com>
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: christianvogt, JPinkney, serenamarie125, sleshchenko, spadgett The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR is part of https://issues.redhat.com/browse/ODC-4388 which is for giving privileged users access to create terminal.
Currently, the flow is:
If the user is a cluster-admin then deny them from opening a terminal.
Now, the flow is:
If the user is a cluster-admin then automatically create their terminal in a secure openshift-terminal namespace. If the openshift-terminal namespace does not exist then create it.
The backend code then checks if the current user is a cluster-admin and if they are then check that the workspace they are trying to access is in the openshift-terminal namespace.
Before: https://www.youtube.com/watch?v=TUri-TE52UA
After: https://www.youtube.com/watch?v=v6Xy7LKbYrU
You can test with:
quay.io/jpinkney/console:515Signed-off-by: Josh Pinkney joshpinkney@gmail.com