Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RBAC Migration Followup #6: new-project with RBAC? #15818

Closed
enj opened this issue Aug 17, 2017 · 6 comments
Closed

RBAC Migration Followup #6: new-project with RBAC? #15818

enj opened this issue Aug 17, 2017 · 6 comments
Assignees
@simo5
Labels
area/security area/techdebt component/auth priority/P1 sig/security
Milestone
v3.7

Comments

@enj
Copy link
Contributor

enj commented Aug 17, 2017

Should project creation use RBAC instead of proxy endpoints?
@simo5 simo5 mentioned this issue Aug 17, 2017
Merged
67 tasks
@enj enj modified the milestone: 3.7.0 Aug 17, 2017
@simo5 simo5 added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Aug 22, 2017
@enj
Copy link
Contributor Author

enj commented Aug 23, 2017

The project creation flow for a normal user is:

  1. User submits a project request
  2. The server internally creates a set of resources based on a template
  3. The template is configurable but by default it creates:
    • A project (namespace)
    • SA role bindings
    • A role binding that gives the requesting user admin rights to the project
  4. The server waits up to ~6 seconds for the auth cache to be in sync with the last binding

The creation of these bindings uses the proxied endpoints because they are defined using Origin auth resources instead of the RBAC ones. I believe we can skip the extra indirection in this case since the server should only talk to its own loopback interface (so this should not cause issues during a rolling update).

@deads2k @liggitt do you have any concerns with this?

@liggitt
Copy link
Contributor

liggitt commented Aug 23, 2017

is there a reason not to keep it as-is for one release, then switch?

@enj
Copy link
Contributor Author

enj commented Aug 23, 2017

is there a reason not to keep it as-is for one release, then switch?

@liggitt just trying to reduce the surface area of the legacy code as much as possible in 3.7 (any performance improvements are negligible IMO). If you feel this adds unnecessary complexity and risk for 3.7, I can move this to the 3.8 milestone.

@deads2k
Copy link
Contributor

deads2k commented Aug 23, 2017

is there a reason not to keep it as-is for one release, then switch?

It just defers work we need to do. Is there a reason to keep it as-is? The default is only generated and used locally to the process. The loopback speaks back to itself.

@liggitt
Copy link
Contributor

liggitt commented Aug 23, 2017

I don't feel strongly either way.

@simo5 simo5 removed the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Aug 24, 2017
@simo5
Copy link
Contributor

simo5 commented Aug 24, 2017

Sounds like converting is not a big deal here, but we'll need to emit warnings for admins to update their templates when we catch old types

@simo5 simo5 mentioned this issue Aug 24, 2017
Merged
openshift-merge-robot added a commit that referenced this issue Sep 6, 2017
@openshift-merge-robot
Merge pull request #15973 from simo5/newprjrbac
14ebc56 
Automatic merge from submit-queue (batch tested with PRs 15885, 15973, 16000)

Move project creation to use RBAC objects

Also move Service Account Project Role Bindings to RBAC objects

Fixes #15818 
Fixes #15856
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@simo5 simo5

Labels
area/security area/techdebt component/auth priority/P1 sig/security
Projects
None yet
Milestone
v3.7
Development

No branches or pull requests
4 participants
@liggitt @enj @deads2k @simo5