| Summary: | [RFE] provide functions to see who is the dedicated-cluster-admin by dedicated users | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Kenjiro Nakayama <knakayam> |
| Component: | apiserver-auth | Assignee: | Jordan Liggitt <jliggitt> |
| Status: | CLOSED NOTABUG | QA Contact: | weiwei jiang <wjiang> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | aos-bugs, knakayam, pweil, wsun |
| Target Milestone: | --- | Keywords: | UpcomingRelease |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-08-22 06:42:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Kenjiro Nakayama
2016-08-19 08:57:59 UTC
What is the use case? Is a non-admin user trying to find the dedicated cluster admin so they can contact them? Or are they trying to find out if they have the dedicated cluster admin role themselves?

> Or are they trying to find out if they have the dedicated cluster admin role themselves?

The latter one. They are trying to find out if they have the dedicated cluster admin role themselves.
When the users asked us to add dedicated-cluster-admin and the operation team added it, they often asked "how to confirm it?". Also, sometimes they don't remember if a user has the admin role or not.

If the user tries to list rolebindings and is rejected, then they don't have the dedicated-cluster-admin role.

Ops can already list rolebindings.

What level of user is wanting access to this information? A user who is an editor or viewer in a project?

> if the user tries to list rolebindings and is rejected, then they don't have the dedicated-cluster-admin role

You mean "oc get rolebinding -n <USER's PROJECT>" or "oc get rolebinding -n default"? I think "oc get rolebinding -n <USER's PROJECT>" could work for any users without cluster-admin role, so you meant -n default?

> what level of user is wanting access to this information? a user who is an editor or viewer in a project?

Both. I don't think there is any harm if any user could see who has the admin role.

> You mean "oc get rolebinding -n <USER's PROJECT>" or "oc get rolebinding -n default"? I think "oc get rolebinding -n <USER's PROJECT>" could work any users without cluster-admin role, so you meant -n default?

I think we're talking past each other :) If a user has the admin or dedicated-cluster-admin role in a namespace, they can already view role assignments using `oc get rolebinding -n <project>`

> I don't think there is any harm if any user could see who has the admin role.

We don't expose role assignments to edit and view users by default.

> If a user has the admin or dedicated-cluster-admin role in a namespace, they can already view role assignments using `oc get rolebinding -n <project>`

Oh.. When I asked the operation team, they answered that the users have to check it with creating new project from other users and check blah blah blah...
And they didn't say "oc get rolebinding" works with customers at all.
Thank you. If the users can see it by themselves via `oc get rolebinding -n <project>`, this RFE is not necessary.