1374354 – explicit required permissions for the OSE provider user

Bug 1374354 - explicit required permissions for the OSE provider user

Summary: explicit required permissions for the OSE provider user

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat CloudForms Management Engine
Classification:	Red Hat
Component:	Documentation
Sub Component:
Version:	5.6.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	GA
Target Release:	5.7.0
Assignee:	Red Hat CloudForms Documentation
QA Contact:	Red Hat CloudForms Documentation
Docs Contact:
URL:
Whiteboard:	doc
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-09-08 13:31 UTC by Colin Arnott
Modified:	2018-04-04 04:40 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-04 04:40:57 UTC
Category:	---
Cloudforms Team:	---
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Colin Arnott 2016-09-08 13:31:35 UTC

Document URL: 
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#obtaining_a_management_token_in_openshift_enterprise_3_2

Section Number and Name: 
5.1.1. Obtaining a Management Token in OpenShift Enterprise 3.2

Describe the issue: 
The OSE provider currently requires the use of the management-admin account, my security standards prevent me from giving cart blanch access to my OSE environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for my OSE environment.

Suggestions for improvement: 
Add a section indicating required permissions for the OSE provider.

Additional information:

Comment 2 Federico Simoncelli 2016-09-20 16:19:59 UTC

(In reply to Colin Arnott from comment #0)
> Document URL: 
> https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-
> providers/#obtaining_a_management_token_in_openshift_enterprise_3_2
> 
> Section Number and Name: 
> 5.1.1. Obtaining a Management Token in OpenShift Enterprise 3.2
> 
> Describe the issue: 
> The OSE provider currently requires the use of the management-admin account,
> my security standards prevent me from giving cart blanch access to my OSE
> environment. Can you please enumerate the permissions required by CFME so
> that I can use least privilege when creating the CFME user for my OSE
> environment.

The account management-admin is not a carte blanche account, it is already given the least privilege needed in order to have CFME working (read entities, not write, do smart-state analysis, etc).

All the permissions have been validated by both the OpenShift team (making sure we're not exposing threats) and by the openshift-ansible team.

Listing the requirements in the documentation will never keep up with the addition of new privileges (when really strictly needed by any new feature in CFME).

Comment 4 Andrew Dahms 2018-04-04 04:40:57 UTC

Thank you for raising this bug.

After further discussion with the program team, we have been given the advice not to document specific permissions for service accounts at this time based on the following article -

http://cloudformsblog.redhat.com/2017/08/16/security-management-operations/

As such, I will be closing this bug for now, but we can re-investigate this request again in the future if required.

Note You need to log in before you can comment on or make changes to this bug.