openstack privileges documented #4214
Conversation
docs/user/openstack/privileges.md
Outdated
| @@ -0,0 +1,51 @@ | |||
| # Required Privileges | |||
|
|
|||
| In order to install an OpenShift cluster on OpenStack successfully, the user provided to the installer needs certian privileges. The easiest way to achieve this level of permission and ensure success is to install with a user who has administrative privileges. | |||
There was a problem hiding this comment.
EDIT: Just bringing a bit of context since the file was correctly updated (not sure if it was brought here before).
I don't think that a Keystone user has to get admin Keystone role into its Keystone project.
Example given, I'm currently a regular user of Red Hat's internal OpenStack Cloud (PSI), and I only have the member role into my Keystone project and I can deploy OpenShift just fine. I would create the necessary resources (VMs, volumes, networks, FIPs, etc) without permission error.
If I understand your wording here is that it would be required to obtain admin role in the project but I don't think that would be 1) necessary and 2) secure for the cloud admins to give admin power to their users.
docs/user/openstack/privileges.md
Outdated
| | Resource | Permissions | | ||
| | --- | --- | | ||
| | Instance | All | | ||
| | Availibility Zone | Read | |
docs/user/openstack/privileges.md
Outdated
|
|
||
| ## Bring Your Own Networks | ||
|
|
||
| Using the [bring your own networks feature](https://github.com/openshift/installer/blob/master/docs/user/openstack/customization.md#custom-subnets) will allow you use already prepared networking infrastrucutre. This would mean that an installation using this feature for all nodes will no longer require any permissions for Networks, Subnets, and Routers. |
docs/user/openstack/privileges.md
Outdated
|
|
||
| ## Floating IP Free Installs | ||
|
|
||
| By leaving the `externalNetwork`, `ingressFloatingIP`, and `appsFloatingIP` fields empty, you can run the installer without creating, deleting, or modifiying any floating IPs. Running the installer this way does not require you to have any Floating IP Privileges. |
docs/user/openstack/privileges.md
Outdated
| @@ -0,0 +1,51 @@ | |||
| # Required Privileges | |||
|
|
|||
| In order to install an OpenShift cluster on OpenStack successfully, the user provided to the installer needs certian privileges. The easiest way to achieve this level of permission and ensure success is to install with a user who has administrative privileges. | |||
There was a problem hiding this comment.
That's a bit like saying the easiest way to run a program on a *nix system is to run as root. Since ShiftOnStack deployments are intended to be usable by regular users without any special privileges I'd advocate for a document that notes default user privileges as such and any needed departures from these. Each departure represents a service ticket the user must open to the OSP administrator (think "help" ticket to PSI) rather than self-service IAAS that OSP is supposed to provide regular users.
There was a problem hiding this comment.
Do you know where I can find better documentation about what permissions a default openstack user has @tombarron ? I have been having a hard time finding that information
There was a problem hiding this comment.
I agree, we should recommend not to use administrative privileges!
There was a problem hiding this comment.
I can't tell you all the default permissions for OpenStack because there are so many different OpenStack components but in general when an OpenStack user is created it is added to a Keystone "project" and the user has permission to create, list, show, update, and delete OpenStack resources in the context of that project -- Nova VMs, Neutron networks and routers, floating IPs, glance images, cinder volumes, manila shares, and so on.
These are the ordinary permissions that a user gets on PSI without asking for extras. IIRC, the only extra permission needed (that would require a ticket to the PSI admins) was the Swift operator role and that is no longer required either?
There was a problem hiding this comment.
Perhaps the best way to capture the normal user default permissions is in terms of the "member" role as explained here [1] and here [2]. An ordinary user with the "member" role rather than "admin" role should be able to install an OCP cluster on OpenStack in the context of their own keystone project. That way there can be hundreds of independent, unrelated OCP clusters belonging to different regular users. OpenStack is a "private cloud" version of Infrastructure As A Service -- more like AWS or GCP than virtualization platforms like RHEV and vSphere where a regular user without additional privileges cannot create VMs or other required resources.
[1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
[2] https://wiki.openstack.org/wiki/User_Management
There was a problem hiding this comment.
Thanks for all the info, its very helpful. I will restructure this section to steer customers away from using admin users and to define what permissions the member level account will need more clearly.
There was a problem hiding this comment.
Well thank you for understanding, and for this work!
There was a problem hiding this comment.
yeah! I agree! It is better to explain the priviledge for OpenStack in the OpenStack way, so saying "member" role rather than "all" is way more accurate
docs/user/openstack/privileges.md
Outdated
|
|
||
| | Resource | Permissions | | ||
| | --- | --- | | ||
| | Network | All | |
There was a problem hiding this comment.
probably all permissions is not what you need here either, for instance, you just need to be able to create a network and a router and then connect them to the external/provider network, but you don't need to permissions to create the external network
There was a problem hiding this comment.
Would calling this "Private Network" be more clear?
iamemilio
force-pushed
the
permissions_docs_openstack
branch
from
877b2a6
to
7d159bc
Compare
|
@tombarron Does this look better? |
|
@Fedosin Do we need any permissions that I didn't include here for Manilla? |
docs/user/openstack/privileges.md
Outdated
|
|
||
| ## Bring Your Own Networks | ||
|
|
||
| Using the [bring your own networks feature](https://github.com/openshift/installer/blob/master/docs/user/openstack/customization.md#custom-subnets) will allow you use already prepared networking infrastructure. This would mean that an installation using this feature will only need permissions to read Private Networks, Subnets, and Routers. The user will still need to be able to create ports on these intrefaces though. |
docs/user/openstack/privileges.md
Outdated
| @@ -0,0 +1,49 @@ | |||
| # Required Privileges | |||
|
|
|||
| In order to succesfully deploy an OpenShift cluster on OpenStack, the user passed to the installer will need a particular set of permissions in a given project. This document will guide you through what permissions the installer's user need based on the type of install it runs. | |||
|
ACK, I will make those changes and follow up. Thanks! |
iamemilio
force-pushed
the
permissions_docs_openstack
branch
from
7d159bc
to
10227ea
Compare
|
@tombarron LMK what you think |
docs/user/openstack/privileges.md
Outdated
| @@ -0,0 +1,49 @@ | |||
| # Required Privileges | |||
|
|
|||
| In order to succesfully deploy an OpenShift cluster on OpenStack, the user passed to the installer needs a particular set of permissions in a given project. We believe that the average user with a member role in a project will already have most, if not all, of the privelages enumerated here. However, due to how much variance there is in how OpenStack clusters are deployed and managed, we designed this document as a guide for the basic permissions needed for an install based on your use case. | |||
iamemilio
force-pushed
the
permissions_docs_openstack
branch
from
10227ea
to
c00a964
Compare
docs/user/openstack/privileges.md
Outdated
|
|
||
| ## Default Install Privileges | ||
|
|
||
| To install a basic, externally routable, IPI OpenShift cluster using only whats offered in the installer prompts, your user needs this minimum subset of permissions. |
There was a problem hiding this comment.
I still think the below priviledges are wrong, you don't need all the permissions for ports, router, subnets,... just the "default" ones in most of the cases. You for instance don't need permissions to modify/delete ports in you subnet whose device onwer is router_interface or things like that. So the next information is misleading
|
/hold Going to pivot to using the tripleo default member user template for more accurate representation of permissions. |
openshift-ci-robot
added
the
do-not-merge/hold
iamemilio
force-pushed
the
permissions_docs_openstack
branch
from
c00a964
to
fa06c6e
Compare
|
/hold cancel talked to some open stack folks, and they didn't think it was reasonable to enumerate the permissions, and advocated for just recommending creating a user with the member role. |
openshift-ci-robot
removed
the
do-not-merge/hold
iamemilio
force-pushed
the
permissions_docs_openstack
branch
3 times, most recently
from
87d6cf7
to
279e5fe
Compare
|
@iamemilio: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
docs/user/openstack/README.md
Outdated
| @@ -71,6 +72,8 @@ You may need to increase the security group related quotas from their default va | |||
| openstack quota set --secgroups 8 --secgroup-rules 100 <project>` | |||
| ``` | |||
|
|
|||
| Once you configure the quota for your tenant, please ensure that the user for the installer has the proper [privileges](privileges.md). | |||
There was a problem hiding this comment.
"for your project" for consistency.
docs/user/openstack/privileges.md
Outdated
|
|
||
| ## Bring Your Own Networks | ||
|
|
||
| Using the [bring your own networks feature](https://github.com/openshift/installer/blob/master/docs/user/openstack/customization.md#custom-subnets) will allow you use already prepared networking infrastructure. As long as you are not using Kuryr, using this feature enables the user to not need permission to create/delete networks, subnets, routers, and router interfaces. However it will still need to be able to read them, tag them, and create/read/modify/delete ports on a given network and subnet. Note that if you are using Kuryr, you will still need the full set of permissions of the *member* role. |
There was a problem hiding this comment.
"will allow you to use already"
docs/user/openstack/privileges.md
Outdated
|
|
||
| ## Bring Your Own Networks | ||
|
|
||
| Using the [bring your own networks feature](https://github.com/openshift/installer/blob/master/docs/user/openstack/customization.md#custom-subnets) will allow you use already prepared networking infrastructure. As long as you are not using Kuryr, using this feature enables the user to not need permission to create/delete networks, subnets, routers, and router interfaces. However it will still need to be able to read them, tag them, and create/read/modify/delete ports on a given network and subnet. Note that if you are using Kuryr, you will still need the full set of permissions of the *member* role. |
iamemilio
force-pushed
the
permissions_docs_openstack
branch
from
279e5fe
to
ce23427
Compare
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Fedosin, tombarron The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/hold cancel Passed codegen, doc changes should not need to pass e2e tests |
openshift-ci-robot
removed
the
do-not-merge/hold
Document the bare minimum permissions needed to install a cluster on openstack.