Bug 1385295

Summary: [DOCS] Needed permissions for accessing Google API not documented
Product: OpenShift Container Platform
Reporter: raffaele spazzoli <rspazzol>
Component: Documentation
Assignee: Ashley Hardin <ahardin>
Status: CLOSED DEFERRED
QA Contact: Jianwei Hou <jhou>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: medium
Version: 3.3.0
CC: ahardin, aos-bugs, dmcphers, jokerman, mmccomas, scollier, screeley
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-01 21:04:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description raffaele spazzoli 2016-10-16 00:49:21 UTC
Document URL: 

https://docs.openshift.com/container-platform/3.3/install_config/configuring_gce.html

https://docs.openshift.com/container-platform/3.3/install_config/persistent_storage/persistent_storage_gce.html

https://docs.openshift.com/container-platform/3.3/install_config/registry/extended_registry_configuration.html#docker-registry-configuration-reference-reporting

Section Number and Name: 

Describe the issue: 

The documentation explains the configurations to be done to activate various integrations with the underlying cloud provider, such as:
1. load balancing
2. dynamically provisioned storage
3. object storage for the registry

The documentation explains to a certain extent what to do to authenticate with the underlying cloud provider APIs. For Google Cloud this is nothing, because all the instances are automatically authenticated with service accounts.

The documentation does not explain what permission those service accounts should have in order for the various operations to succeed.

Based on my experience (https://github.com/raffaelespazzoli/openshift-enablement-exam) the following is needed (in Google Cloud, permissions are given in the form of OAuth scopes):
"https://www.googleapis.com/auth/compute": to work with forwarding rules and attached storage
"https://www.googleapis.com/auth/devstorage.read_write": to work with object storage.

I haven't finished my experiments; there may be others that are needed.

I'm working on Google Cloud, but the same concept may apply to other cloud providers.


Suggestions for improvement: 

Add the information to correctly configure permissions. Suggest using the minimal permissions that allow the job to be completed. For example, "https://www.googleapis.com/auth/compute" is a sort of root access; there may be a better, more fine-tuned scope.

Additional information:
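
A scope check for the situation described in this report, written as an added example (it is not part of the bug, of openshift-docs, or of the reporter's repository). It reads the OAuth scopes granted to a GCE instance's default service account from the metadata server (a real endpoint, header `Metadata-Flavor: Google`, one scope per line) and compares them against the two scopes named above. The integration-to-scope mapping is exactly the reporter's list; the superset rules are standard Google Cloud scope semantics (`cloud-platform`, which is what the console's "Allow full access to all Cloud APIs" option grants, covers every service; `devstorage.full_control` covers `devstorage.read_write`). `SAMPLE_SCOPES` is a constructed response modelled on the default scope set of a new GCE instance so the check runs offline, and the over-broad flag is there because the reporter's own suggestion is to use the minimal scope rather than "root access".

```python
"""Check a GCE instance's default service-account scopes against the scopes
the OpenShift GCE integrations need (per bug 1385295, comment 0).

Added example: not code from the bug report, openshift-docs, or the
reporter's repository. Endpoint and scope names are real; the sample
response and the integration names are constructed for illustration.
"""
import urllib.request

# Real metadata-server endpoint; returns one scope per line.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/scopes")

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
COMPUTE = "https://www.googleapis.com/auth/compute"
STORAGE_RW = "https://www.googleapis.com/auth/devstorage.read_write"
STORAGE_FULL = "https://www.googleapis.com/auth/devstorage.full_control"

# Integration -> scope the reporter found necessary (comment 0 of the bug).
REQUIRED = {
    "load balancing (forwarding rules)": COMPUTE,
    "dynamic PD provisioning (attached storage)": COMPUTE,
    "registry object storage (GCS bucket)": STORAGE_RW,
}

# Scopes that imply other scopes (Google Cloud scope semantics).
IMPLIES = {
    CLOUD_PLATFORM: {COMPUTE, STORAGE_RW, STORAGE_FULL},
    STORAGE_FULL: {STORAGE_RW},
}

# Constructed sample: the default scope set of a new GCE instance, which
# carries neither of the scopes the integrations need.
SAMPLE_SCOPES = """\
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
"""


def parse_scopes(text):
    """Turn the metadata server's newline-separated body into a set."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def fetch_instance_scopes(timeout=2):
    """Ask the metadata server for the default service account's scopes."""
    req = urllib.request.Request(METADATA_URL, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_scopes(resp.read().decode())


def effective_scopes(granted):
    """Expand granted scopes with the scopes they imply."""
    eff = set(granted)
    for scope in granted:
        eff |= IMPLIES.get(scope, set())
    return eff


def check_integrations(granted):
    """Map each integration to True/False: is its required scope satisfied?"""
    eff = effective_scopes(granted)
    return {name: scope in eff for name, scope in REQUIRED.items()}


def missing_scopes(granted):
    """Sorted list of required scopes not (directly or by implication) granted."""
    eff = effective_scopes(granted)
    return sorted(set(REQUIRED.values()) - eff)


def is_overbroad(granted):
    """True when the account carries cloud-platform, i.e. far more than needed."""
    return CLOUD_PLATFORM in granted


if __name__ == "__main__":
    try:
        scopes = fetch_instance_scopes()
        source = "metadata server"
    except Exception:  # not on GCE: fall back to the constructed sample
        scopes = parse_scopes(SAMPLE_SCOPES)
        source = "constructed sample"
    print(f"scopes from {source}:")
    for name, ok in check_integrations(scopes).items():
        print(f"  {'OK ' if ok else 'MISSING'} {name}")
    if missing_scopes(scopes):
        print("  add:", ", ".join(missing_scopes(scopes)))
    if is_overbroad(scopes):
        print("  note: cloud-platform granted; narrower scopes would suffice")
```

Run on the instance itself (the metadata server is only reachable from inside the VM); anywhere else it reports on the constructed sample, which shows the default scope set failing all three integrations.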

Comment 1 Ashley Hardin 2016-11-03 19:14:57 UTC
Docs PR:
https://github.com/openshift/openshift-docs/pull/3018

Comment 4 Ashley Hardin 2016-11-14 21:07:13 UTC
Scott, Can you please offer guidance on what is needed here, or point me in the right direction? Thanks!

Comment 5 Ashley Hardin 2016-11-18 20:48:15 UTC
@screeley Looks like you helped with this content in the past. Can you offer any guidance? Thanks!

Comment 6 Scott Creeley 2016-11-18 20:58:17 UTC
Ashley,
I'll take a look first thing on Monday and add any info to this BZ. Thanks, Scott

Comment 7 Ashley Hardin 2016-11-18 21:49:37 UTC
Thanks so much, Scott!

Comment 8 Scott Creeley 2016-11-21 15:16:13 UTC
Ashley,

If I look at our RH devel project on GCE, it looks like there are 4 APIs enabled by default:

Stackdriver Logging API
Google Compute Engine API
Google Cloud Storage API
Google Cloud Storage JSON API

I think Dan McPherson would be the best person to ask as I think he manages the openshift-gce-devel project and would probably have more insight on what he enables for that project to work.

Also, when I manually create a new instance I always select "Allow full access to all Cloud APIs".

Comment 9 Ashley Hardin 2016-12-01 19:22:59 UTC
Thanks, Scott!

@Dan - Can you please confirm what should be enabled?

Comment 12 Vikram Goyal 2016-12-01 21:04:13 UTC
After consulting with the development team, it looks like work on this needs to be deferred until the devs have had time to work on it.

I am closing this bug marked as deferred.