Bug 1311878 - Ansible installer for GCE needs to allow API access to all Google Cloud services
Status: NEW
Product: OpenShift Origin
Classification: Red Hat
Component: Installer
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 3.x
Assigned To: Scott Dodson
Liang Xia
Depends On:
Blocks:
Reported: 2016-02-25 04:20 EST by Liang Xia
Modified: 2017-03-16 16:04 EDT (History)
8 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Attachments: None
Description Liang Xia 2016-02-25 04:20:35 EST
Description of problem:
GCE project access should be enabled when launching GCE instances since API access is used a lot.
For example, if you write an application that reads and writes files on Google Cloud Storage, it must first authenticate to the Google Cloud Storage API.

Version-Release number of selected component (if applicable):
openshift v3.1.1.906
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5
ansible 1.9.4

How reproducible:
Always

Steps to Reproduce:
1. Launch GCE environment via openshift-ansible.
2. Check the instances' project permission on web console.

Actual results:
Permissions
Service accounts are not enabled for this instance. 

Expected results:
Permissions
This instance has full API access to all Google Cloud services. 
Or,
at least, we need the API access to the storage.

Additional info:
Comment 1 Brenton Leanhardt 2016-02-26 11:43:37 EST
Hi Xia Liang,

Can you tell us what playbook you are running and how you are provisioning the openshift environment?
Comment 3 Liang Xia 2016-03-15 03:15:07 EDT
Alex fixed this in our SCALE-CI.
Comment 4 Aleksandar Kostadinov 2016-03-15 03:50:53 EDT
yeah, basically, when starting an instance from console with the option "Allow API access to all Google Cloud services in the same project", the instance is actually launched with an additional option (YAML representation):

      service_accounts:
      - :email: "weird_numeric_service_account_id@developer.gserviceaccount.com"
        :scopes:
        - https://www.googleapis.com/auth/cloud-platform

I think in the REST API it is called serviceAccount; the above is from the ruby client library.

When running without the option, the permissions are more limited:
        # - https://www.googleapis.com/auth/cloud.useraccounts.readonly
        # - https://www.googleapis.com/auth/devstorage.read_only
        # - https://www.googleapis.com/auth/logging.write
        # - https://www.googleapis.com/auth/monitoring.write
        # - https://www.googleapis.com/auth/servicecontrol
        # - https://www.googleapis.com/auth/service.management


In AOS ansible I think we can select exactly the permissions we need. i.e. `https://www.googleapis.com/auth/cloud-platform` looks too broad to me. I'd vote to only select the scopes OpenShift actually needs.

Thanks to Liang Xia for obtaining the correct scopes.
Comment 5 Dan McPherson 2016-03-15 07:57:05 EDT
bin/cluster and any GCE specific playbooks are only community supported and not part of OSE. At a minimum this bug should move to the origin product. I am not sure from the above whether the current state is blocking anything or trying to improve the security setup of the install?
Comment 6 Aleksandar Kostadinov 2016-03-15 12:01:59 EDT
I couldn't understand the exact use case above. I only changed our scripts to launch instances on GCE. But if this use case involves creating instances from a playbook, then that playbook needs to specify the required option (because my change will not have any effect):

      service_accounts:
      - :email: default
        :scopes:
        - https://www.googleapis.com/auth/cloud-platform
Comment 7 Liang Xia 2016-03-15 22:03:51 EDT
I'm OK with the current solution.

We need the option enabled when launching a GCE instance to support some storage testing.
Comment 8 Jianwei Hou 2016-04-20 02:40:05 EDT
The reason we want the 'allow API access' option from the installer is that openshift/kubernetes needs the API access to provision GCE PDs, but ansible-launched instances do not have the access. We think people deploying openshift on GCE would prefer to use GCE PDs instead of other storage as their persistent volume.
Comment 9 Aleksandar Kostadinov 2016-04-20 08:12:29 EDT
Yes, that configuration cannot be added after instances are launched. So whatever is launching instances, it needs to set the above option. QE launcher already sets that.

I'd like to stress again though that ideally we should use a service account with proper permissions for the tasks OpenShift needs to perform. Not a good idea to grant full access if it only needs to create volumes.
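Comment 4 shows the two shapes an instance can come up with (the broad `cloud-platform` scope from the console checkbox, or the narrower default list), and comment 9 argues for granting only what OpenShift actually needs. The following is an added example, not code from this bug or from openshift-ansible: a small Python audit that takes instance records in the shape of the Compute API's `serviceAccounts` field (email plus scopes) and classifies each instance as having no service account at all (the "Actual results" above), the over-broad `cloud-platform` scope, or a narrower scope set that either does or does not cover the PD and storage work. The `REQUIRED_SCOPES` set (compute plus `devstorage.read_write`) is an assumption for this example, not something the thread establishes; the instance records are constructed sample data.

```python
"""Audit GCE instance service-account scopes for least privilege.

Added example (not from the bug thread or openshift-ansible). Instance
records mimic the Compute API's `serviceAccounts` field.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Scope the console checkbox "Allow API access to all Google Cloud services"
# grants, as quoted in comment 4. Treated as over-broad by this audit.
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# ASSUMPTION for this example: what a node needs to create/attach persistent
# disks (compute) and read/write object storage. Adjust to your own needs.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/devstorage.read_write",
}

# The narrower default list quoted in comment 4 for an instance launched
# without the console option.
DEFAULT_LIMITED_SCOPES = [
    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management",
]


@dataclass
class Finding:
    name: str
    verdict: str  # no-service-account | overbroad | sufficient | insufficient
    missing: List[str]  # required scopes the instance lacks (empty if none)


def audit_instance(instance: Dict) -> Finding:
    """Classify one instance record by the union of its service-account scopes."""
    accounts = instance.get("serviceAccounts") or []
    if not accounts:
        # Matches the bug's "Service accounts are not enabled for this instance."
        return Finding(instance["name"], "no-service-account", sorted(REQUIRED_SCOPES))
    scopes = set()
    for acct in accounts:
        scopes.update(acct.get("scopes", []))
    if CLOUD_PLATFORM in scopes:
        # Full API access: works, but far more than volume provisioning needs.
        return Finding(instance["name"], "overbroad", [])
    missing = sorted(REQUIRED_SCOPES - scopes)
    verdict = "sufficient" if not missing else "insufficient"
    return Finding(instance["name"], verdict, missing)


def audit(instances: Iterable[Dict]) -> Dict[str, Finding]:
    """Audit every instance and index findings by instance name."""
    return {inst["name"]: audit_instance(inst) for inst in instances}


def least_privilege_scopes() -> List[str]:
    """Scope list to launch nodes with instead of cloud-platform (sorted)."""
    return sorted(REQUIRED_SCOPES)


# Constructed sample data: one instance per situation discussed in the thread.
CONSTRUCTED_INSTANCES = [
    {"name": "node-no-sa", "serviceAccounts": []},
    {"name": "node-console",
     "serviceAccounts": [{"email": "default", "scopes": [CLOUD_PLATFORM]}]},
    {"name": "node-ansible-default",
     "serviceAccounts": [{"email": "default", "scopes": DEFAULT_LIMITED_SCOPES}]},
    {"name": "node-least-priv",
     "serviceAccounts": [{"email": "default", "scopes": least_privilege_scopes()}]},
]


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_INSTANCES).values():
        line = f"{finding.name:22s} {finding.verdict}"
        if finding.missing:
            line += "  missing: " + ", ".join(finding.missing)
        print(line)
```

Run against real data by feeding the `serviceAccounts` field of each instance from a `compute.instances.list` response into `audit`; an "insufficient" finding on an existing instance cannot be fixed in place, as comment 9 notes, so the launcher itself has to set the scope list (`least_privilege_scopes()` here) before the instance is created.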
Comment 11 Lev Shulman 2016-11-15 17:28:38 EST
(In reply to Aleksandar Kostadinov from comment #9)
> Yes, that configuration cannot be added after instances are launched. So
> whatever is launching instances, it needs to set the above option. QE
> launcher already sets that.
> 
> I'd like to stress again though that ideally we should use a service account
> with proper permissions for the tasks OpenShift needs to perform. Not a good
> idea to grant full access if it only needs to create volumes.

Hi, was this addressed? I'm running into this issue right now with the GCE openshift-ansible installer. I can spin up an Openshift cluster just fine, but all instances do not have Gcloud API access to connect to GCE persistent disks, and Gcloud doesn't allow changing those instance permissions once it is created.
