Hide Forgot
1. Proposed title of this feature request Separation of Service Accounts and Users for ClusterPolicy 3. What is the nature and description of the request? Customer wants to have a role within a namespace (like edit or admin) that has: - All the privileges of edit - The ability to create a service account - The ability to give that service account view/edit privileges - NOT the ability to modify local role privileges This does not appear possible currently due to the inability to have more granular access to the "add-role-to-user" command. A user with the admin role in a project can do both, a user with the edit role can do neither. 5. How would the customer like to achieve this? (List the functional requirements here) Essentially, they want the user be able to run: $ oc policy add-role-to-user view system:serviceaccount:top-secret:robot but NOT: $ oc policy add-role-to-user view realUser 7. Is there already an existing RFE upstream or in Red Hat bugzilla? not that I can tell
This intersects with the ability to control which subjects can be bound in a
Quoting David on the trello: I think that this is unreasonable because different permissions are different. If I grant Rebecca edit powers, when I later remove those powers from her, I do not have to inspect the audit trail to see if she granted herself the powers in some other way (different account maybe?). If I allow the edit role the power to bind a role (and that's what this is, grant powers to someone else), that role becomes admin. I would say that this use-case could probably be satisfied by using scoped user tokens. Create a scoped for your user that is scoped down view powers and give it away. If I remove user Rebecca, then her scoped tokens die too. --> Is this enough info for the customer? Does the scoped user tokens satisfy what they want?
Michal, I do not understand what "scoped user tokens" means. Is this a token (like an sa token) that a user could use to grant roles? Or is it a token that has a view role? or...? Is this a proposed feature change or a name for somethign we can already do?