1311878 – Ansible installer for GCE needs to allow API access to all Google Cloud services

Bug 1311878 - Ansible installer for GCE needs to allow API access to all Google Cloud services

Summary: Ansible installer for GCE needs to allow API access to all Google Cloud services

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	---
Assignee:	Scott Dodson
QA Contact:	Liang Xia
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-25 09:20 UTC by Liang Xia
Modified:	2019-03-29 19:37 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-03-29 19:37:10 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Liang Xia 2016-02-25 09:20:35 UTC

Description of problem:
GCE project access should be enabled when launching GCE instances since API access is used a lot.
For example, if you write an application that reads and writes files on Google Cloud Storage, it must first authenticate to the Google Cloud Storage API.

Version-Release number of selected component (if applicable):
openshift v3.1.1.906
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5
ansible 1.9.4

How reproducible:
Always

Steps to Reproduce:
1.Launch GCE environment via openshift-ansible.
2.Check the instances' project permission on web console.

Actual results:
Permissions
Service accounts are not enabled for this instance. 

Expected results:
Permissions
This instance has full API access to all Google Cloud services. 
Or,
at least, we need the API access to the storage.

Additional info:

Comment 1 Brenton Leanhardt 2016-02-26 16:43:37 UTC

Hi Xia Liang,

Can you tell us what playbook you are running and how you a provisioning the openshift environment?

Comment 3 Liang Xia 2016-03-15 07:15:07 UTC

Alex fixed this in our SCALE-CI.

Comment 4 Aleksandar Kostadinov 2016-03-15 07:50:53 UTC

yeah, basically, when starting instance from console with the option "Allow API access to all Google Cloud services in the same project", the instance is actually launched with an additional option (YAML representation):

      service_accounts:
      - :email: "weird_numeric_service_account_id.com"
        :scopes:
        - https://www.googleapis.com/auth/cloud-platform

I think in REST API it is called serviceAccount, the above is from ruby client library.

When running without the option, the permissions are more limited:
        # - https://www.googleapis.com/auth/cloud.useraccounts.readonly
        # - https://www.googleapis.com/auth/devstorage.read_only
        # - https://www.googleapis.com/auth/logging.write
        # - https://www.googleapis.com/auth/monitoring.write
        # - https://www.googleapis.com/auth/servicecontrol
        # - https://www.googleapis.com/auth/service.management


In AOS ansible I think we can select exactly the permissions we need. i.e. `https://www.googleapis.com/auth/cloud-platform` looks too broad to me. I'd vote to only select the scopes OpenShift actually needs.

Thank to Liang Xia for obtaining the correct scopes.

Comment 5 Dan McPherson 2016-03-15 11:57:05 UTC

bin/cluster and any GCE specific playbooks are only community supported and not part of OSE.  At a min this bug should move to the origin product.  I am not sure from the above whether the current state is blocking anything or trying to improve the security setup of the install?

Comment 6 Aleksandar Kostadinov 2016-03-15 16:01:59 UTC

I couldn't understand the exact use case above. I only changed our scripts to launch instances on GCE. But if this use case involves creating instances from a playbook, then that playbook needs to specify the required option (because my change will not have any effect):

      service_accounts:
      - :email: default
        :scopes:
        - https://www.googleapis.com/auth/cloud-platform

Comment 7 Liang Xia 2016-03-16 02:03:51 UTC

I‘m OK with the current solution.

We need the option enabled when launching GCE instance to support some storage testing.

Comment 8 Jianwei Hou 2016-04-20 06:40:05 UTC

The reason we want the 'allow API access' option from installer is that, openshift/kubernetes needs the api access to provision GCE PDs. But ansible launched instances do not have the access. We think people deploying openshift on GCE would more prefer to use GCE PDs instead of other storages as their persistent volume.

Comment 9 Aleksandar Kostadinov 2016-04-20 12:12:29 UTC

Yes, that configuration cannot be added after instances are launched. So whatever is launching instances, it needs to set the above option. QE launcher already sets that.

I'd like to stres again though that ideallyt we should use a service account with proper permissions for the tasks OpenShift needs to perform. Not a good idea to grant full access if it only needs to create volumes.

Comment 11 Lev Shulman 2016-11-15 22:28:38 UTC

(In reply to Aleksandar Kostadinov from comment #9)
> Yes, that configuration cannot be added after instances are launched. So
> whatever is launching instances, it needs to set the above option. QE
> launcher already sets that.
> 
> I'd like to stres again though that ideallyt we should use a service account
> with proper permissions for the tasks OpenShift needs to perform. Not a good
> idea to grant full access if it only needs to create volumes.

Hi, was this addressed. I'm running into this issue right now with the GCE openshift-ansible installer. I can spin up an Openshift cluster just find, but all instances do not have Gcloud API access to connect to GCE persistent disks, and Gcloud doesn't allow changing those instance permissions once it is created.

Note You need to log in before you can comment on or make changes to this bug.