Bug 1374354

Summary: explicit required permissions for the OSE provider user
Product: Red Hat CloudForms Management Engine Reporter: Colin Arnott <carnott>
Component: DocumentationAssignee: Red Hat CloudForms Documentation <cloudforms-docs>
Status: CLOSED WONTFIX QA Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 5.6.0CC: adahms, benglish, fsimonce, hhudgeon, jhardy, mfeifer, obarenbo
Target Milestone: GA   
Target Release: 5.7.0   
Hardware: x86_64   
OS: Linux   
Whiteboard: doc
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-04 04:40:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Colin Arnott 2016-09-08 13:31:35 UTC 
Document URL: 
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#obtaining_a_management_token_in_openshift_enterprise_3_2

Section Number and Name: 
5.1.1. Obtaining a Management Token in OpenShift Enterprise 3.2

Describe the issue: 
The OSE provider currently requires the use of the management-admin account, my security standards prevent me from giving cart blanch access to my OSE environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for my OSE environment.

Suggestions for improvement: 
Add a section indicating required permissions for the OSE provider.

Additional information:
Comment 2 Federico Simoncelli 2016-09-20 16:19:59 UTC 
(In reply to Colin Arnott from comment #0)
> Document URL: 
> https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-
> providers/#obtaining_a_management_token_in_openshift_enterprise_3_2
> 
> Section Number and Name: 
> 5.1.1. Obtaining a Management Token in OpenShift Enterprise 3.2
> 
> Describe the issue: 
> The OSE provider currently requires the use of the management-admin account,
> my security standards prevent me from giving cart blanch access to my OSE
> environment. Can you please enumerate the permissions required by CFME so
> that I can use least privilege when creating the CFME user for my OSE
> environment.

The account management-admin is not a carte blanche account, it is already given the least privilege needed in order to have CFME working (read entities, not write, do smart-state analysis, etc).

All the permissions have been validated by both the OpenShift team (making sure we're not exposing threats) and by the openshift-ansible team.

Listing the requirements in the documentation will never keep up with the addition of new privileges (when really strictly needed by any new feature in CFME).
Comment 4 Andrew Dahms 2018-04-04 04:40:57 UTC 
Thank you for raising this bug.

After further discussion with the program team, we have been given the advice not to document specific permissions for service accounts at this time based on the following article -

http://cloudformsblog.redhat.com/2017/08/16/security-management-operations/

As such, I will be closing this bug for now, but we can re-investigate this request again in the future if required.