allow SA oauth clients to list projects#9977
Conversation
|
[test] |
|
Not sure I see the point if the sa won't be able to request permissions or do things in any of those projects |
I think I want a "which projects can this token see". I also want a "show me all projects" endpoint. |
|
Would the scope restrict you so it's possible not to let the SA |
|
That list of scopes is the most a SA could request, not the minimum. |
Shhhh, no one else knows! That's the current state. I think a "what scopes can this token see" endpoint (its not really |
|
The watch is the really nasty part of the filter. I think that a list on projects could be filtered by checking scopes like this:
Given detailed knowledge of scopes and a watch on clusterpolicy and policy, it could be done. Is that a thing we want to do? It seems pretty likely that people will want to do this. |
|
I don't care enough right now but we should put some weasel words in so On Tue, Jul 26, 2016 at 8:58 AM, David Eads notifications@github.com
|
|
Kibana needs to show you a list of projects you have access to see the logs for. Our Elasticsearch plugin also constructs its ACLs based on the list of projects (we could theoretically update the ACLs each time a new project is requested, but this would impact user experience as writing the ACL takes a notable amount of time). With a SA client that gave out tokens with the ability to list projects, we could dispense with the whole deployer circus around creating a specialized oauthclient for this purpose. |
|
If elastic search needs the list of projects you have access to, it should On Wed, Aug 3, 2016 at 10:27 AM, Luke Meyer notifications@github.com
|
It does have to explicitly request it, we're just denying them right now. This pull would allow @sosiouxme to request it. If you want it, just have to merge this guy. |
openshift-bot
added
the
needs-rebase
|
I'm ok with this - eventually this list will be expanded anyway. |
| // UserListProject gives explicit permission to see the projects a user can see. This is often used to prime secondary ACL systems | ||
| // unrelated to openshift and to display projects for selection in a secondary UI. | ||
| UserListProject = UserIndicator + "list-projects" | ||
| UserListAllProjects = UserIndicator + "list-all-projects" |
There was a problem hiding this comment.
I think most people would expect user:list-projects to let you list all the user's projects.
The "list projects my other scopes allow getting" scope is the harder one to understand (and probably less likely to be requested), so I think it has some explaining to do with its name. user:list-scoped-projects? user:list-gettable-projects?
There was a problem hiding this comment.
The "list projects my other scopes allow getting" scope is the harder one to understand (and probably less likely to be requested), so I think it has some explaining to do with its name. user:list-scoped-projects? user:list-gettable-projects?
I'm fine with that. Fun as list-gettable would be, I'll probably go with list-scoped-projects.
There was a problem hiding this comment.
I think most people would expect user:list-projects to let you list all the user's projects.
I'll also point out that most people will probably be using for cases where they think their integration is "trusted", so getting back a project list where you don't have access to the projects sucks. Imagine the web-console as a for instance.
Still updating the names though.
|
@mfojtik can you take a look at the plumbing? |
|
@ewolinetz You may need to update to request |
openshift-bot
removed
the
needs-rebase
|
@deads2k in case you're interested ... the flake that happened there is:
Unfortunately I don't think there's anything we can do about it. |
Retry until you pull it properly? |
|
@deads2k there's no real way of knowing that we have done it "properly" -- there are a number of scenarios where the "proper" code results in a merge conflict as well. |
openshift-bot
added
the
needs-rebase
| UserAccessCheck = UserIndicator + "check-access" | ||
|
|
||
| // UserListProject gives explicit permission to see the projects that this token can see. | ||
| UserListProject = UserIndicator + "list-scoped-projects" |
There was a problem hiding this comment.
make the const names match?
|
Evaluated for origin test up to 067fa42 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7972/) |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7972/) (Image: devenv-rhel7_4841) |
|
Evaluated for origin merge up to 067fa42 |
6 participants
Allows an SA being used as an oauth client to list the available projects for this user. This also adds
user:list-all-projectsso that we have one scope for "list projects this token can see based on other permissions" and another for "list all projects this user can see regard of the other permissions on this token"@liggitt @smarterclayton I'm unsure about this, but in my quest to run a personal webconsole I found it was the first request. Running a personal version of a normally cross namespace thing doesn't seem immediately unreasonable.