Add annotations to roles

[enj]

Fixes #11268

Added just the basic bits; now someone tell me what they want to call the annotation... (along with display names and descriptions)

Signed-off-by: Monis Khan mkhan@redhat.com

cc @benjaminapetersen @jwforres @openshift/api-review

[deads2k]

This seems backwards. Since most people will be adding roles that they want users to use, why wouldn't we have an explicit opt-in for exclusion.

[deads2k]

promote the description and display name to a shared package. These cross all api groups.

[deads2k]

Why did you expose this?

[deads2k]

Why did you expose this?

[enj]

@deads2k I exposed those SA-ish roles because there was some talk about making SAs (which may then need these roles to do something). Based on info from @benjaminapetersen and some pruning I have narrowed the data to 8 roles:

$ oc get clusterrole -o jsonpath="{range .items[*]}{.metadata.name}{\" => \"}{.metadata.annotations}{\"\\n\"}{end}" | grep -v 'system-only:true'

system:image-puller => map[openshift.io/display-name:image-puller]
edit => map[openshift.io/description:A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings.]
system:image-builder => map[openshift.io/display-name:image-builder]
basic-user => map[openshift.io/description:A user that can get basic information about projects and users.]
system:image-pusher => map[openshift.io/display-name:image-pusher]
view => map[openshift.io/description:A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings.]
system:deployer => map[openshift.io/display-name:deployer]
admin => map[openshift.io/description:A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for role creation and quota. If the cluster-admin wants to allow an admin to modify roles, the cluster-admin must create a project-scoped Policy object using JSON.]

display-name usage on 4 SA-ish roles:

$ oc get clusterrole -o jsonpath="{range .items[*]}{.metadata.name}{\" => \"}{.metadata.annotations}{\"\\n\"}{end}" | grep 'display-name'

system:deployer => map[openshift.io/display-name:deployer]
system:image-pusher => map[openshift.io/display-name:image-pusher]
system:image-puller => map[openshift.io/display-name:image-puller]
system:image-builder => map[openshift.io/display-name:image-builder]

The 7 roles with description:

$ oc get clusterrole -o jsonpath="{range .items[*]}{.metadata.name}{\" => \"}{.metadata.annotations}{\"\\n\"}{end}" | grep 'description'

view => map[openshift.io/description:A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings.]
cluster-status => map[authorization.openshift.io/system-only:true openshift.io/description:A user that can get basic cluster status information.]
edit => map[openshift.io/description:A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings.]
cluster-admin => map[authorization.openshift.io/system-only:true openshift.io/description:A super-user that can perform any action in any project. When granted to a user within a local policy, they have full control over quota and roles and every action on every resource in the project.]
basic-user => map[openshift.io/description:A user that can get basic information about projects and users.]
admin => map[openshift.io/description:A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for role creation and quota. If the cluster-admin wants to allow an admin to modify roles, the cluster-admin must create a project-scoped Policy object using JSON.]
self-provisioner => map[authorization.openshift.io/system-only:true openshift.io/description:A user that can create their own projects.]

[enj]

[test]

[smarterclayton]

We already have annotations for these and they are in the k8s.io namespace.

On Oct 11, 2016, at 3:28 PM, David Eads notifications@github.com wrote:

@deads2k commented on this pull request.

In pkg/cmd/server/bootstrappolicy/policy.go
#11328 (review):

@@ -28,6 +28,19 @@ import (
userapi "github.com/openshift/origin/pkg/user/api"
)

+const (

• // RoleSomething is an annotation that ???
• RoleSomething = "authorization.openshift.io/user-friendly"
• // Do something ???
• RoleSomethingVal = "true"

• // RoleDisplayName is an annotation that stores the name displayed
  when querying for roles
• RoleDisplayName = "openshift.io/display-name"

• // RoleDescription is an annotation that holds the description of the role
• RoleDescription = "openshift.io/description"

promote the description and display name to a shared package. These cross
all api groups.

—
You are receiving this because you are on a team that was mentioned.
Reply to this email directly, view it on GitHub
#11328 (review),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_pzHU9EOd5UobN-wk_3MbUg8f56zkks5qy-NegaJpZM4KUAkv
.

[enj]

We want to use k8s.io/display-name and k8s.io/description instead of the openshift equivalents (which we already use in various places)? What about authorization.openshift.io/system-only?

[deads2k]

We want to use k8s.io/display-name and k8s.io/description instead of the openshift equivalents (which we already use in various places)? What about authorization.openshift.io/system-only?

I haven't actually seen these annotations upstream and my grep-fu can't find them. @smarterclayton can I get a pointer to them?

[liggitt]

why do we we want display names on roles? I don't think it's worth the confusion (and possible accidental granting of unintentional powers when a UI is involved) around whether you are dealing with a display name or the actual role name

[benjaminapetersen]

I was messing around with supporting these edge cases via:

ClusterRole: view
Role: view // copied view, but slightly different

Both can exist, but it is confusing. Hopefully the descriptions are clear, but if no descriptions we have a problem. My personal preference would be that roles cannot have the same name as another role, whatever the scope, and don't both with display names. Is there a good reason to allow?

[liggitt]

it's impossible to enforce unique names in different scopes

[liggitt]

I would probably represent local roles as <projectname>/<rolename>. Roles cannot contain / characters, and <projectname>/<rolename> is how the CLI describer prints rolerefs in rolebindings

[benjaminapetersen]

Ok great, I'll run with that.

[benjaminapetersen]

@openshift/api-review @enj

So it's been requested we aim for getting these in for 3.5. It looks like we have a few outstanding questions that need answering at this point:

• We need to confirm the name for this annotation. Is authorization.openshift.io/system-only : true sufficient? @smarterclayton mentioned something may exist in k8s.io, and it isn't exactly clear (may not truly be system-only).
• Confirm the direction of the above annotation. @deads2k suggested adding the annotation to all built-in roles as an exclude, so that any user defined role would be "shown" by default (even if the user does not add the annotation).
• Which annotation to use for descriptions openshift.io/description vs k8s.io/description. We probably need descriptions all roles a user will see by default (not just the 7-8).
• We should verify the default visible roles.
• Get rid of display name.

[benjaminapetersen]

@jwforres fyi above comment

[liggitt]

@deads2k suggested adding the annotation to all built-in roles as an exclude, so that any user defined role would be "shown" by default (even if the user does not add the annotation).

seems like a good idea. if we add annotations to the default roles (for descriptions or a "hide-by-default" flag), we need to make role reconciliation annotation-aware. currently, it preserves all annotations from an existing role object... merging them will require thought.

Which annotation to use for descriptions openshift.io/description vs k8s.io/description

For openshift objects, I would use the openshift annotation

Get rid of display name.

agree

[benjaminapetersen]

I don't think I have a dog in the fight re: role reconciliation, care to comment @enj @deads2k ?

[deads2k]

@enj is this waiting on me for something?

[benjaminapetersen]

@enj / any who are interested, how about openshift.io/internal for the show/hide flag? It seems "system-only" is not exactly truthful. "Internal" is a rather ambiguous word, but that might be good here. The point is simply not to show it, not to describe the reason not to show it (which there could be many).

[enj]

@liggitt so oadm policy reconcile-cluster-roles does not handle roles in pkg/cmd/server/bootstrappolicy/infra_sa_policy.go. Not sure how to deal with that.

Edit: NVM those get force updated.

[liggitt]

not sure we want a package for constants... annotation keys typically go in the API package directly

[enj]

I believe I did that to resolve a circular dependency (but that was a while ago).

[liggitt]

add these annotations in addServiceAccount? aren't all service account roles infra only?

[liggitt]

"...can perform any action in the cluster."?

[liggitt]

remove "using JSON"

[liggitt]

call out that they can't see secrets

[liggitt]

this allows listing projects and getting information about yourself, not users in general

[liggitt]

they can't create their own, they can request projects

[enj]

@liggitt FYI I copied the descriptions verbatim from here so those probably need fixing as well.

[enj]

@liggitt All requested changes have been addressed. @jwforres / @benjaminapetersen Let me know if you guys have any comments on the system-only / description annotations since we do not get to change those later.

[jwforres]

I'm not seeing the roles like system:deployer system:image-puller, system:image-pusher, and system:image-builder. Is there a reason we don't have descriptions on those?

[jwforres]

I don't think we want these getting too technical, these descriptions are for end users deciding why they want to choose one role vs another. What if we simplify this whole thing down to:

"A user that has edit rights within the project and can change the project's membership."

Maybe contentious since membership is a console term?

[enj]

Eh I have heard of membership but I assume it means roles + bindings => policy?

[jwforres]

A user that can create and edit most objects in a project, but can not update the project's membership.

[jwforres]

A user who can view but not edit any resources within the project. They can not view secrets.

[enj]

Isn't the role part important?

[jwforres]

what does this even mean? they can Get/List the project but not get any objects within the project?

[enj]

So we have to be vague enough that the description doesn't get too far out of sync since the specifics of rules will almost certainly change over time. Right now it means:

1. Get info about yourself
2. List projectrequests
3. Get/List clusterroles
4. List storageclasses
5. List/Watch projects

[jwforres]

instead of saying "granted to a user within a local policy" can you say "granted to a user on a project"

[enj]

Maybe "within a project"?

[enj]

I'm not seeing the roles like system:deployer system:image-puller, system:image-pusher, and system:image-builder. Is there a reason we don't have descriptions on those?

@jwforres I copied the descriptions verbatim from here and those were not listed (nor did I have any idea what to describe them as). Maybe @liggitt can provide some?

@liggitt I need your input on @jwforres' suggestions so I can finalize the descriptions.

[enj]

@liggitt This is ready for merge.

[liggitt]

[merge]

[openshift-bot]

Evaluated for origin merge up to d89c5cd

[openshift-bot]

Evaluated for origin test up to d89c5cd

[enj]

@liggitt sanity check confirmed - reconciliation works as expected.

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13002/) (Base Commit: cf4e84e)

[enj]

Flake on #12540 #8571

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13013/) (Base Commit: e4b43ee) (Image: devenv-rhel7_5718)