Bug 1470861 - Ansible Service Broker: Change ServiceAccount to use 'admin' role
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
3.6.0
: 3.7.0
Assigned To: Fabian von Feilitzsch
weiwei jiang
Reported: 2017-07-13 16:52 EDT by John Matthews
Modified: 2017-11-28 03:28 EST
Last Closed: 2017-11-10 15:55:00 EST
Type: Bug
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2017:3188
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update
Last Updated: 2017-11-28 21:34:54 EST

Description John Matthews 2017-07-13 16:52:08 EDT
Description of problem:

Ansible Service Broker uses 2 service accounts.

Broker Service Account:
  We want this to be 'admin' + delta needed for basic operations (t.b.d.)

Dynamic Service Account to run each APB:
  We want this to be 'admin'
Comment 1 Jordan Liggitt 2017-07-18 10:37:04 EDT
> Dynamic Service Account to run each APB

Where are these service accounts located? Are they in end-user-visible namespaces?
Comment 2 Erik Nelson 2017-07-18 11:15:42 EDT
> Where are these service accounts located? Are they in end-user-visible namespaces?

They're created in the requested namespace where the APB is run and deploys to; I assume this would be considered end-user-visible?
Comment 3 Fabian von Feilitzsch 2017-07-18 14:17:49 EDT
Installer side changes, adds admin permissions to broker: https://github.com/openshift/openshift-ansible/pull/4736
Comment 4 Erik Nelson 2017-07-18 14:29:45 EDT
Drops APB permissions to admin:
https://github.com/openshift/ansible-service-broker/pull/285
Comment 6 weiwei jiang 2017-07-24 22:51:38 EDT
Checked with: 
# openshift version 
openshift v3.6.169
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

and
# asbd --version
0.9.9
and the current serviceaccount asb has the admin role at cluster level, and the sandbox serviceaccount is admin at project level.

# oc get clusterrolebindings |grep -i asb
admin                                                                 /admin                                                                                                                                                 openshift-infra/template-instance-controller, kube-service-catalog/default, openshift-ansible-service-broker/asb   

[root@host-8-175-118 ~]# oc get rolebindings -n wjiang 
NAME                                       ROLE                    USERS     GROUPS                          SERVICE ACCOUNTS                           SUBJECTS
admin                                      /admin                  wjiang                                                                               
apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e   /admin                                                            apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e   
system:deployers                           /system:deployer                                                  deployer                                   
system:image-builders                      /system:image-builder                                             builder                                    
system:image-pullers                       /system:image-puller              system:serviceaccounts:wjiang
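
The check from comment 6 as a script, added here as an example (it is not code from this bug or from the broker project): it sorts service accounts that hold a broad role into cluster-wide, cross-namespace and own-namespace grants. The input is constructed and assumes only the `metadata`, `roleRef.name` and `subjects` fields of the items returned by `oc get clusterrolebindings -o json` and `oc get rolebindings -o json`; the function names are hypothetical.

```python
import json

# Constructed sample: only the fields this check reads, filled with the
# names from the verification output in comment 6.
APB = "apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e"
SAMPLE = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin"},
     "roleRef": {"name": "admin"}, "subjects": [
         {"kind": "ServiceAccount", "namespace": "openshift-infra",
          "name": "template-instance-controller"},
         {"kind": "ServiceAccount", "namespace": "kube-service-catalog", "name": "default"},
         {"kind": "ServiceAccount", "namespace": "openshift-ansible-service-broker",
          "name": "asb"}]},
    {"kind": "RoleBinding", "metadata": {"name": "admin", "namespace": "wjiang"},
     "roleRef": {"name": "admin"}, "subjects": [{"kind": "User", "name": "wjiang"}]},
    {"kind": "RoleBinding", "metadata": {"name": APB, "namespace": "wjiang"},
     "roleRef": {"name": "admin"}, "subjects": [{"kind": "ServiceAccount", "name": APB}]},
    {"kind": "RoleBinding", "metadata": {"name": "system:deployers", "namespace": "wjiang"},
     "roleRef": {"name": "system:deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "wjiang", "name": "deployer"}]},
]}
CLUSTER = "<cluster>"  # scope label for bindings without metadata.namespace

def sa_grants(items):
    """Yield (namespace/name, role, scope) for every ServiceAccount subject."""
    for b in items:
        scope = b["metadata"].get("namespace") or CLUSTER
        for s in b.get("subjects") or []:
            if s.get("kind") != "ServiceAccount":
                continue
            # Assumption: a subject without a namespace lives in the binding's namespace.
            ns = s.get("namespace") or scope
            yield (f'{ns}/{s["name"]}', b["roleRef"]["name"], scope)

def review(items, broad_roles=("admin", "cluster-admin")):
    """Group broad-role grants to service accounts by how far they reach."""
    report = {"cluster-wide": [], "cross-namespace": [], "own-namespace": []}
    for sa, role, scope in sa_grants(items):
        if role not in broad_roles:
            continue
        if scope == CLUSTER:
            report["cluster-wide"].append((sa, scope))
        elif sa.split("/", 1)[0] != scope:
            report["cross-namespace"].append((sa, scope))
        else:
            report["own-namespace"].append((sa, scope))
    return report

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE["items"]), indent=2))
```

On the sample, the broker's `asb` account appears under cluster-wide and the `apb-…` sandbox account under own-namespace, which is the split the verification describes.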
