Bug 1311878

Summary: Ansible installer for GCE needs to allow API access to all Google Cloud services
Product: OpenShift Container Platform
Component: Installer
Reporter: Liang Xia <lxia>
Assignee: Scott Dodson <sdodson>
QA Contact: Liang Xia <lxia>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: akostadi, aos-bugs, bleanhar, eparis, jhou, jokerman, lshulman, lxia, mmccomas
Type: Bug
Doc Type: Bug Fix
Last Closed: 2019-03-29 19:37:10 UTC

Description Liang Xia 2016-02-25 09:20:35 UTC
Description of problem:
GCE project access should be enabled when launching GCE instances since API access is used a lot.
For example, if you write an application that reads and writes files on Google Cloud Storage, it must first authenticate to the Google Cloud Storage API.

Version-Release number of selected component (if applicable):
openshift v3.1.1.906
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5
ansible 1.9.4

How reproducible:
Always

Steps to Reproduce:
1. Launch the GCE environment via openshift-ansible.
2. Check the instances' project permissions in the web console.

Actual results:
Permissions
Service accounts are not enabled for this instance. 

Expected results:
Permissions
This instance has full API access to all Google Cloud services. 
Or,
at least, we need the API access to the storage.

Additional info:

Comment 1 Brenton Leanhardt 2016-02-26 16:43:37 UTC
Hi Xia Liang,

Can you tell us what playbook you are running and how you are provisioning the OpenShift environment?

Comment 3 Liang Xia 2016-03-15 07:15:07 UTC
Alex fixed this in our SCALE-CI.

Comment 4 Aleksandar Kostadinov 2016-03-15 07:50:53 UTC
yeah, basically, when starting an instance from the console with the option "Allow API access to all Google Cloud services in the same project", the instance is actually launched with an additional option (YAML representation):

      service_accounts:
      - :email: "weird_numeric_service_account_id.com"
        :scopes:
        - https://www.googleapis.com/auth/cloud-platform

I think in the REST API it is called serviceAccount; the above is from the Ruby client library.

When running without the option, the permissions are more limited:
        # - https://www.googleapis.com/auth/cloud.useraccounts.readonly
        # - https://www.googleapis.com/auth/devstorage.read_only
        # - https://www.googleapis.com/auth/logging.write
        # - https://www.googleapis.com/auth/monitoring.write
        # - https://www.googleapis.com/auth/servicecontrol
        # - https://www.googleapis.com/auth/service.management


In AOS ansible I think we can select exactly the permissions we need. i.e. `https://www.googleapis.com/auth/cloud-platform` looks too broad to me. I'd vote to only select the scopes OpenShift actually needs.

Thanks to Liang Xia for obtaining the correct scopes.

Comment 5 Dan McPherson 2016-03-15 11:57:05 UTC
bin/cluster and any GCE specific playbooks are only community supported and not part of OSE.  At a min this bug should move to the origin product.  I am not sure from the above whether the current state is blocking anything or trying to improve the security setup of the install?

Comment 6 Aleksandar Kostadinov 2016-03-15 16:01:59 UTC
I couldn't understand the exact use case above. I only changed our scripts to launch instances on GCE. But if this use case involves creating instances from a playbook, then that playbook needs to specify the required option (because my change will not have any effect):

      service_accounts:
      - :email: default
        :scopes:
        - https://www.googleapis.com/auth/cloud-platform

Comment 7 Liang Xia 2016-03-16 02:03:51 UTC
I'm OK with the current solution.

We need the option enabled when launching a GCE instance to support some storage testing.

Comment 8 Jianwei Hou 2016-04-20 06:40:05 UTC
The reason we want the 'allow API access' option from the installer is that openshift/kubernetes needs the API access to provision GCE PDs. But ansible-launched instances do not have the access. We think people deploying openshift on GCE would prefer to use GCE PDs instead of other storage as their persistent volume.

Comment 9 Aleksandar Kostadinov 2016-04-20 12:12:29 UTC
Yes, that configuration cannot be added after instances are launched. So whatever is launching instances needs to set the above option. The QE launcher already sets that.

I'd like to stress again though that ideally we should use a service account with proper permissions for the tasks OpenShift needs to perform. Not a good idea to grant full access if it only needs to create volumes.
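
A check for the three states comments 4, 6 and 9 describe, as an added example that is not part of this bug's discussion or of openshift-ansible: it takes an instance's `serviceAccounts` list as the Compute API returns it and classifies it as none, limited, or full (`cloud-platform`). The `required` scope list is an assumption the caller supplies, since the thread never pins down exactly which scopes OpenShift needs.

```python
"""Audit a GCE instance's serviceAccounts block for the access levels this
bug discusses: none, limited default scopes, or full cloud-platform access."""
import json

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# The limited default scope set quoted in comment 4.
DEFAULT_SCOPES = frozenset({
    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management",
})


def audit_service_accounts(service_accounts, required=()):
    """Classify API access and list required scopes that are not granted.

    service_accounts: the instance's ``serviceAccounts`` list as the Compute
        API reports it: [{"email": ..., "scopes": [...]}].
    required: scopes the deployment needs; caller-supplied assumption, because
        the thread does not pin down the exact set OpenShift needs.
    """
    granted = set()
    for account in service_accounts or []:
        granted.update(account.get("scopes", []))
    if not granted:
        level = "none"     # "Service accounts are not enabled for this instance."
    elif CLOUD_PLATFORM in granted:
        level = "full"     # "full API access to all Google Cloud services"
    else:
        level = "limited"  # explicit scope list, e.g. DEFAULT_SCOPES
    # cloud-platform implies every scope, so nothing can be missing under "full".
    missing = [] if level == "full" else sorted(set(required) - granted)
    return {
        "level": level,
        "overly_broad": level == "full",
        "missing_required": missing,
        # Scopes are fixed at launch (comment 9): any fix means relaunching.
        "relaunch_needed": level == "full" or bool(missing),
    }


def audit_instance_json(text, required=()):
    """Run the same check on the JSON body of an instances.get response."""
    return audit_service_accounts(json.loads(text).get("serviceAccounts"), required)
```

The JSON form is what `gcloud compute instances describe NAME --format=json` prints, so the second function can be pointed at that output directly.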

Comment 11 Lev Shulman 2016-11-15 22:28:38 UTC
(In reply to Aleksandar Kostadinov from comment #9)
> Yes, that configuration cannot be added after instances are launched. So
> whatever is launching instances needs to set the above option. The QE
> launcher already sets that.
> 
> I'd like to stress again though that ideally we should use a service account
> with proper permissions for the tasks OpenShift needs to perform. Not a good
> idea to grant full access if it only needs to create volumes.

Hi, was this addressed? I'm running into this issue right now with the GCE openshift-ansible installer. I can spin up an Openshift cluster just fine, but none of the instances have Gcloud API access to connect to GCE persistent disks, and Gcloud doesn't allow changing those instance permissions once the instance is created.