This repository has been archived by the owner on Dec 4, 2017. It is now read-only.

Use global superuser (admin) to create OpenShift Projects on behalf of users #18

Closed
ALRubinger opened this issue Apr 6, 2016 · 10 comments
@ALRubinger
Contributor

ALRubinger commented Apr 6, 2016

Currently we log in and make projects as a user; instead we really need to, as an admin, make projects for users and grant them access.

@ALRubinger
Contributor Author

Existing code in question in Fabric8OpenShiftClientServiceImpl:

```java
final Config config = new ConfigBuilder().
        withMasterUrl(apiUrl).
        withUsername("admin"). //TODO externalize or account for this?
        withPassword("admin"). // TODO externalize or account for this?
        withTrustCerts(true). //TODO never do this in production as it opens us to man-in-the-middle attacks
        build();
```

@pmuir pmuir self-assigned this Apr 6, 2016
@pmuir
Contributor

pmuir commented Apr 6, 2016

I can take a go at this tomorrow.

@pmuir
Contributor

pmuir commented Apr 7, 2016

I made a start on this, and I think the answer is to create a rolebinding from the user(s) to the project. This means I will need to alter the OpenShiftService to look like

```java
public OpenShiftProject createProject(final String name, List<String> userNames) throws
        DuplicateProjectException,
        IllegalArgumentException
```

At the moment I'm not sure on a couple of things:

  1. How I would log in properly as the cluster-admin
  2. How I get a list of role refs to bind.

@ALRubinger
Contributor Author

TBH I'm learning as I go too, so I don't have insight offhand, but hey, sure, run with it! :) I'll take over if you get stuck/busy.

@ALRubinger
Contributor Author

Maybe just a bit more clearly:

```java
public OpenShiftProject createProject(final String projectName, String userName) throws
        DuplicateProjectException,
        IllegalArgumentException
```

And then on the impl side we can support List<String> userNames, but let's not open up the API to operations we don't have a use case for yet; can always add an overloaded createProject later if we need to associate a project with N usernames.

@ALRubinger
Contributor Author

ALR needs to open a discussion on this to kontinuity-dev-public and work through some technical and logistics stuff with Clayton; we will never get cluster-admin rights on Online.

@ALRubinger ALRubinger assigned ALRubinger and unassigned pmuir Apr 12, 2016
@ALRubinger
Contributor Author

ALRubinger commented Aug 15, 2016

Resurrected. Going down the OAuth route by nature of creating an OAuth client as cluster-admin for the Catapult application.

```shell
oc --config=openshift.local.config/master/admin.kubeconfig get oauthclients -o yaml

oc --config=openshift.local.config/master/admin.kubeconfig create -f <(echo '
kind: OAuthClient
apiVersion: v1
metadata:
  name: redhatdevelopers-catapult-local
secret: 3f23735ce5984601fcb93c5c3ecf4b71d7c8cbfa
redirectURIs:
  - "http://127.0.0.1:8080/api/openshift/callback"
grantMethod: prompt
')
```

@ALRubinger
Contributor Author

Now we handle this by getting auth from the user and using the user's token to execute on the OpenShift API.
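The approach the last two comments describe (register an OAuthClient as cluster-admin, then call the API with the bearer token the user obtains through the `/api/openshift/callback` redirect) as an added illustration; this is not the project's `Fabric8OpenShiftClientServiceImpl`. It assumes the fabric8 `kubernetes-client`/`openshift-client` builders (`ConfigBuilder.withOauthToken`, `DefaultOpenShiftClient`, `projectrequests()`), and `DuplicateProjectException` is a hypothetical local exception standing in for the one named in the proposed signature.

```java
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.KubernetesClientException;
import io.fabric8.openshift.api.model.ProjectRequest;
import io.fabric8.openshift.api.model.ProjectRequestBuilder;
import io.fabric8.openshift.client.DefaultOpenShiftClient;
import io.fabric8.openshift.client.OpenShiftClient;

/** Example only: a client scoped to the calling user's token, not shared admin credentials. */
public final class UserScopedOpenShiftClientFactory {

    /** Hypothetical stand-in for the exception named in the issue's createProject signature. */
    public static final class DuplicateProjectException extends Exception {
        DuplicateProjectException(final String name) { super("project already exists: " + name); }
    }

    private final String apiUrl;

    public UserScopedOpenShiftClientFactory(final String apiUrl) { this.apiUrl = apiUrl; }

    /**
     * Build the client from the OAuth token returned to the application's redirect URI.
     * No username/password, and TLS verification stays on (the opposite of withTrustCerts(true)).
     */
    public OpenShiftClient forUserToken(final String userToken) {
        if (userToken == null || userToken.isEmpty()) {
            throw new IllegalArgumentException("user token is required");
        }
        final Config config = new ConfigBuilder()
                .withMasterUrl(apiUrl)
                .withOauthToken(userToken)
                .withTrustCerts(false) // verify the master's certificate
                .build();
        return new DefaultOpenShiftClient(config);
    }

    /** "~" resolves to the identity behind the token; useful to log which user acted. */
    public String whoAmI(final OpenShiftClient client) {
        return client.users().withName("~").get().getMetadata().getName();
    }

    /** Request the project with the user's own authorization; the user becomes its admin. */
    public String createProjectAsUser(final OpenShiftClient client, final String projectName)
            throws DuplicateProjectException {
        final ProjectRequest request = new ProjectRequestBuilder()
                .withNewMetadata().withName(projectName).endMetadata().build();
        try {
            return client.projectrequests().create(request).getMetadata().getName();
        } catch (final KubernetesClientException e) {
            if (e.getCode() == 409) { throw new DuplicateProjectException(projectName); }
            throw e;
        }
    }
}
```

Because the project is requested with the user's token rather than a cluster-admin one, no separate role binding from admin to user is needed, and nothing in the application holds cluster-wide credentials.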
