feat: Allow for the customization of user roles in Che (eclipse-che#2590

) * feat: Allow for the customization of user roles in Che Signed-off-by: Anatolii Bazko <abazko@redhat.com> * fixes Signed-off-by: Anatolii Bazko <abazko@redhat.com> * fixes Signed-off-by: Anatolii Bazko <abazko@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/nav.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc Co-authored-by: Max Leonov <mleonov@redhat.com> * Update modules/administration-guide/pages/configuring-user-cluster-roles.adoc * fix: split content into an upstream example file and a downstream example file --------- Signed-off-by: Anatolii Bazko <abazko@redhat.com> Co-authored-by: Max Leonov <mleonov@redhat.com>
rkratky · May 16, 2023 · 5c4bf86 · 5c4bf86
1 parent f7c9b77
commit 5c4bf86
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 0 deletions.
diff --git a/...administration-guide/examples/snip_che-configuring-cluster-roles-for-users.adoc b/...administration-guide/examples/snip_che-configuring-cluster-roles-for-users.adoc
@@ -0,0 +1,94 @@
+[id="configuring-cluster-roles-for-users"]
+= Configuring cluster roles for {prod-short} users
+
+You can grant {prod-short} users more cluster permissions by adding cluster roles to those users.
+
+.Prerequisites
+
+* An active `{orch-cli}` session with administrative permissions to the destination {orch-name} cluster. See {orch-cli-link}.
+
+.Procedure
+
+. Define the user roles name:
++
+[source,subs="+quotes,+macros"]
+----
+$ USER_ROLES=__<name>__ <1>
+----
+<1> Unique resource name.
+
+. Find out the namespace where the {prod-short} Operator is deployed:
++
+[source,subs="+quotes,+macros,+attributes"]
+----
+$ OPERATOR_NAMESPACE=$({orch-cli} get pods -l app.kubernetes.io/component={prod-operator} -o jsonpath={".items[0].metadata.namespace"} --all-namespaces)
+----
+
+. Create needed roles:
++
+[source,subs="+quotes,+macros"]
+----
+$ kubectl apply -f - <<EOF
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ${USER_ROLES}
+  labels:
+    app.kubernetes.io/part-of: che.eclipse.org
+rules:
+  - verbs:
+      - __<verbs>__ <1>
+    apiGroups:
+      - __<apiGroups>__ <2>
+    resources:
+      - __<resources>__ <3>
+EOF
+----
+<1> As `__<verbs>__`,  list all Verbs that apply to all ResourceKinds and AttributeRestrictions contained in this rule. You can use `*` to represent all verbs.
+<2> As `__<apiGroups>__`, name the APIGroups that contain the resources.
+<3> As `__<resources>__`, list all resources that this rule applies to. You can use `*` to represent all verbs.
+
+. Delegate the roles to the {prod-short} Operator:
++
+[source,subs="+quotes,+macros"]
+----
+$ kubectl apply -f - <<EOF
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ${USER_ROLES}
+  labels:
+    app.kubernetes.io/part-of: che.eclipse.org
+subjects:
+  - kind: ServiceAccount
+    name: che-operator
+    namespace: ${OPERATOR_NAMESPACE}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ${USER_ROLES}
+EOF
+
+----
+
+. Configure the {prod-short} Operator to delegate the roles to the `che` service account:
++
+[source,subs="+quotes,+macros"]
+----
+$ kubectl patch checluster eclipse-che \
+  --patch '{"spec": {"components": {"cheServer": {"clusterRoles": ["'${USER_ROLES}'"]}}}}' \
+  --type=merge -n eclipse-che
+----
+
+. Configure the {prod-short} server to delegate the roles to a user:
++
+[source,subs="+quotes,+macros"]
+----
+$ kubectl patch checluster eclipse-che \
+  --patch '{"spec": {"devEnvironments": {"user": {"clusterRoles": ["'${USER_ROLES}'"]}}}}' \
+  --type=merge -n eclipse-che
+----
+
+. Wait for the rollout of the {prod-short} server components to be completed.
+
+. Ask the user to log out and log in to have the new roles applied.
diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc
@@ -67,6 +67,7 @@
 **** xref:configuring-oauth-2-for-the-bitbucket-cloud.adoc[]
 **** xref:configuring-oauth-1-for-a-bitbucket-server.adoc[]
 **** xref:configuring-oauth-2-for-microsoft-azure-devops-services.adoc[]
+*** xref:configuring-cluster-roles-for-users.adoc[]
 *** xref:removing-user-data-in-compliance-with-the-gdpr.adoc[]
 * xref:managing-ide-extensions.adoc[]
 ** xref:extensions-for-microsoft-visual-studio-code-open-source.adoc[]

diff --git a/modules/administration-guide/pages/configuring-cluster-roles-for-users.adoc b/modules/administration-guide/pages/configuring-cluster-roles-for-users.adoc
@@ -0,0 +1,8 @@
+:_content-type: PROCEDURE
+:description: Configuring cluster roles for {prod-short} users
+:keywords: administration-guide, user, roles, permissions
+:navtitle: Configuring cluster roles for {prod-short} users
+:page-aliases:
+
+
+include::example$snip_{project-context}-configuring-cluster-roles-for-users.adoc[]