Bug 1249154 - Adding policy role to use to do push in registry.
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Priority: low
Severity: low
Assigned To: Vikram Goyal
Reported: 2015-07-31 12:14 EDT by Ryan Howe
Modified: 2017-12-28 07:08 EST
Doc Type: Bug Fix
Last Closed: 2017-12-28 07:08:26 EST
Type: Bug
Description Ryan Howe 2015-07-31 12:14:41 EDT
Document URL: https://docs.openshift.com/enterprise/3.0/admin_guide/install/docker_registry.html#securing-the-registry

Section Number and Name: Step 11 

Describe the issue: 

Nowhere in the setup does it say that you must add a policy to the users. Unable to complete steps without knowledge of this.

Suggestions for improvement: 

[root@master]# oc policy add-role-to-user admin trey -n default
[root@master]# oc policy add-role-to-user admin trey -n openshift

Additional information: 
More explanation on why you must have these roles for the users in both projects in order to push images in the docker registry container.
Comment 2 David Eads 2015-08-13 09:37:36 EDT
"admin" on "default" and "openshift" is too wide a role for the permission you're trying to grant.  "system:image-builder" is more appropriate, but we still haven't fully baked whether we want to encourage binding users to system roles (liggitt on copy for an opinion).

Now about what you're trying to do overall.  I would not expect average users to be able to push images into "default" and "openshift".  Ordinarily, you'd have a user pushing images to the repository for his own project and admins and editors already have permissions to do that.  Are you looking to grant someone permission to push shared images?  If so, do you envision that being a manual or automated process?  Such distinctions are important for proper descriptions in the doc.
Comment 3 Jordan Liggitt 2015-08-13 09:57:20 EDT
Normal users shouldn't have admin/edit/view roles in the default or openshift projects, only in their own projects.

I'd tend to lean towards using the admin, edit, view roles for normal users, rather than roles like system:image-builder.

If you want to give a normal (non-cluster-admin) user permission to push images to the openshift namespace, but don't want to give them edit access in that namespace, that should probably be a red flag that you are doing something unusual.
Comment 5 Vikram Goyal 2017-12-28 07:08:26 EST
Based on David and Jordan's responses, I am going to close this bug as WONTFIX. Please reopen if more information can be provided.
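
An audit sketch of the point made in comments 2 and 3, added here as an example and not part of the original bug or of OpenShift: it flags role bindings that give ordinary users admin/edit/view, or a system role, in the "default" and "openshift" projects. The input shape is assumed to mirror `oc get rolebindings --all-namespaces -o json`; the sample data, the users "pat" and "router", the project "trey-app", and the function names are constructed for illustration.

```python
import json

# Namespaces the thread says normal users should hold no roles in.
SHARED_NAMESPACES = {"default", "openshift"}
# Project roles the thread discusses for normal users.
BROAD_ROLES = {"admin", "edit", "view"}

def _rb(ns, role, kind, name):
    """Build one constructed RoleBinding item."""
    return {"metadata": {"namespace": ns},
            "roleRef": {"name": role},
            "subjects": [{"kind": kind, "name": name}]}

# Constructed sample; assumed to mirror `oc get rolebindings --all-namespaces -o json`.
SAMPLE = json.dumps({"items": [
    _rb("default", "admin", "User", "trey"),
    _rb("openshift", "admin", "User", "trey"),
    _rb("trey-app", "edit", "User", "trey"),             # own project: expected
    _rb("openshift", "system:image-builder", "User", "pat"),
    _rb("default", "edit", "ServiceAccount", "router"),  # not a human user
]})

def flag_bindings(doc):
    """Return sorted (namespace, role, user, reason) tuples worth reviewing."""
    findings = []
    for item in json.loads(doc).get("items", []):
        ns = item.get("metadata", {}).get("namespace", "")
        role = item.get("roleRef", {}).get("name", "")
        if ns not in SHARED_NAMESPACES:
            continue
        if role in BROAD_ROLES:
            reason = "broad-role"    # admin/edit/view in a shared project
        elif role.startswith("system:"):
            reason = "system-role"   # user bound directly to a system role
        else:
            continue
        for subj in item.get("subjects") or []:
            name = subj.get("name", "")
            if subj.get("kind") == "User" and not name.startswith("system:"):
                findings.append((ns, role, name, reason))
    return sorted(findings)

if __name__ == "__main__":
    for finding in flag_bindings(SAMPLE):
        print(*finding, sep="\t")
```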