Instead of having to add users to the project by editing a live rolebinding object (and potentially losing all of it if we ever need to reprovision the project/cluster), the source of truth for group membership should come from elsewhere and be synced in. Some suggestions:
- a git repo like https://github.com/openshift/release
- synced from groups in ACO
@jlebon we have a repository with all the projects and their members in a YAML file (which is what we use along with Ansible to create namespaces + role bindings). The repo is private because we have seen concerns from some folks that they don't want to share their ACO email address. Do you mean some other elegant way of handling things? To give more context, we have something like this:

```
coreos-ci
├── coreos-ci.yaml
└── customisations
    └── anyuid-modified-scc.yaml
```
Metadata Update from @siddharthvipul1:
- Issue priority set to: Waiting on Reporter (was: Needs Review)
@jlebon, about the authentication via ACO, that sounds like a good option, but we would like to wait for noggin to come up so that, finally, Fedora and CentOS have the same instance.
> we have a repository with all the projects and their members in a YAML file (which is what we use along with Ansible to create namespaces + role bindings)

Hmm, right now to add users to a project, I'm doing `oc edit rolebindings fedora-coreos-admins`. Is that synced out of the cluster into that repo?
Uh-oh, the idea is that you ask us to do those. I was thinking you won't have access to that (cc: @dkirwan for when you are back). Clearly this needs a fix: either clear communication and stopping access, or having a different way of doing this. Thanks for bringing this to attention :)
Metadata Update from @arrfab:
- Issue tagged with: centos-ci-infra, feature-request, need-more-info
I think for the moment until we get the cluster hooked into the ACO/FAS replacement, the procedure to add "admins" to your project should be to open a ticket and provide their emails associated with their ACO accounts.
Metadata Update from @dkirwan:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
Can we leave this ticket open to track $subject? Or do we already have another ticket for that?
@jlebon good point, let's reopen this ticket to track the request.
Metadata Update from @dkirwan:
- Issue status updated to: Open (was: Closed)
Metadata Update from @dkirwan:
- Issue untagged with: need-more-info
- Issue priority set to: Waiting on Assignee (was: Waiting on Reporter)
- Issue tagged with: dev, high-gain, high-trouble
Metadata Update from @arrfab:
- Issue tagged with: authentication
Bug triaging: so, can we come up with some simple PoC around this? At first sight, there is nothing that lets OpenShift directly do that (it usually does that through LDAP, it seems), but maybe a simple script that would automatically parse groups from FreeIPA, and so would reflect new/removed members of a group for a project, would accomplish this?
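As an added illustration of the reconciliation step such a sync script would need (this is example code written for this page, not anything from the CentOS CI infra repo or from the ticket's participants): take the desired member list from the external source of truth (a FreeIPA group, or the members YAML kept in git), compare it against the RoleBinding's current `User` subjects, and emit a corrected object for `oc apply`. The RoleBinding below and the member list are constructed sample data; the names `fedora-coreos-admins`, `alice`, `bob`, `carol` and `ci-bot` are assumptions, and fetching the group from FreeIPA (or reading the YAML file) is assumed to happen before `reconcile()` is called. Two things a practitioner cares about are handled: non-`User` subjects such as ServiceAccounts are preserved rather than wiped, and an empty desired list is refused by default, because a broken upstream lookup must not strip every admin from the project.

```python
"""Reconcile an OpenShift RoleBinding's User subjects against an external member list.

Example code for this thread, not the project's own tooling. Fetching the desired
members (e.g. from a FreeIPA group or the members YAML in git) is assumed to be done
by the caller; this module only computes and applies the difference.
"""
import copy
import json

RBAC_API_GROUP = "rbac.authorization.k8s.io"

# Constructed sample, shaped like `oc get rolebinding <name> -o json` output and
# trimmed to the fields this script touches. Not real cluster data.
CURRENT_ROLEBINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "fedora-coreos-admins", "namespace": "fedora-coreos"},
    "roleRef": {"apiGroup": RBAC_API_GROUP, "kind": "ClusterRole", "name": "admin"},
    "subjects": [
        {"apiGroup": RBAC_API_GROUP, "kind": "User", "name": "alice"},
        {"apiGroup": RBAC_API_GROUP, "kind": "User", "name": "bob"},
        # A non-user subject that a sync of *group members* must leave alone.
        {"kind": "ServiceAccount", "name": "ci-bot", "namespace": "fedora-coreos"},
    ],
}

# Constructed sample of the external source of truth (assumed to be the current
# membership of the FreeIPA group, or the project's entry in the members YAML).
DESIRED_MEMBERS = ["alice", "carol"]


def user_subject(name):
    """Build the RBAC subject entry for a cluster user."""
    return {"apiGroup": RBAC_API_GROUP, "kind": "User", "name": name}


def current_users(rolebinding):
    """Names of the User subjects currently bound."""
    return {s["name"] for s in rolebinding.get("subjects", []) if s.get("kind") == "User"}


def diff_members(rolebinding, desired):
    """Return (to_add, to_remove) as sorted lists, for logging or a dry run."""
    current = current_users(rolebinding)
    wanted = set(desired)
    return sorted(wanted - current), sorted(current - wanted)


def reconcile(rolebinding, desired, allow_empty=False):
    """Return a new RoleBinding whose User subjects equal `desired`.

    - The input object is not mutated (deep copy), so it can still be diffed.
    - Subjects of other kinds (ServiceAccount, Group) are preserved untouched.
    - User subjects are emitted sorted and de-duplicated, so repeated runs are
      idempotent and produce no spurious `oc apply` changes.
    - roleRef is never touched: it is immutable on the API side anyway, and a
      membership sync has no business changing which role is granted.
    - An empty desired list is refused unless explicitly allowed: a failed or
      misconfigured upstream lookup must not remove every admin from a project.
    """
    if not desired and not allow_empty:
        raise ValueError("refusing to remove all User subjects; pass allow_empty=True")
    new = copy.deepcopy(rolebinding)
    preserved = [s for s in new.get("subjects", []) if s.get("kind") != "User"]
    new["subjects"] = [user_subject(n) for n in sorted(set(desired))] + preserved
    return new


if __name__ == "__main__":
    to_add, to_remove = diff_members(CURRENT_ROLEBINDING, DESIRED_MEMBERS)
    print("add:", to_add, "remove:", to_remove)
    # In a real sync job this JSON would be piped to `oc apply -f -`; printing it
    # keeps the example offline.
    print(json.dumps(reconcile(CURRENT_ROLEBINDING, DESIRED_MEMBERS), indent=2))
```

Running it with the sample data reports `add: ['carol'] remove: ['bob']` and prints a RoleBinding binding `alice`, `carol` and the `ci-bot` ServiceAccount. The same function works unchanged whether the desired list came from a FreeIPA group, from the members YAML in git, or from a future noggin-backed lookup; only the fetch step differs.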
No feedback on this for some months, so closing for now
Metadata Update from @arrfab:
- Issue close_status updated to: Insufficient Data
- Issue status updated to: Closed (was: Open)