
[atomic-devel] Right management on Atomic Registry


I am currently testing Atomic Registry, to see if we could use it in a corporate setup. However, I have trouble wrapping my head around the right management system. I find some things confusing, maybe they are bugs or usability issues?

  1. rights on the openshift cluster and rights on the Atomic Registry applications are intertwined
  2. found no way to create new roles, or modify existing ones, to have fine-grained control on rights
  3. only role able to create groups is cluster-admin
  4. registry-admin role cannot list groups or users; how is it possible to create bindings that way?
  5. Discrepancy on permissible chars in naming between CLI and Web-UI (i.e. users with "." or "-" in names cannot be granted permissions in Web-UI)

In my setup, multiple teams are each responsible for a different project in the registry, and some clients will have access to one project. Also, an Ops team is responsible for the registry, so we don't want to give permissions that are too broad to the users of the registry.

I tried different scenarios:

  1. Everything is in the LDAP, so groups are managed in LDAP, issues:
    • assigning rights to pull/push on projects to different groups cannot be done; it is impossible to list groups unless you have the cluster-viewer or cluster-admin rights -> rights way too broad
    • synchronization of groups can only be done via CLI, users of the registry must know of CLI usage, share the configuration files (including alias mapping!)
    • groups are only displayed in the Web-UI if a rolebinding is already in place for it, conflicts with the management of rolebindings in the Web-UI.
  2. Only authentication is in the LDAP, groups and bindings are managed in Registry Web-UI, issues:
    • groups cannot be created unless the user has the cluster-admin right -> rights WAY too broad

Did I miss a really important point that would make everything fit together? Should I open bug reports for the features I find missing?

Best regards,
Diego Abelenda
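The least-privilege split the scenarios above are after, as an added example that is not from the original post or the Atomic Registry project: it assumes the registry's OpenShift 3.x base accepts Kubernetes-style RBAC objects and ships the built-in registry-editor cluster role; the group and project names are placeholders.

```yaml
# Assumptions: rbac.authorization.k8s.io/v1 objects are accepted, the
# registry-editor cluster role exists, and every group below is an LDAP-synced
# group. Group and project names are constructed placeholders.
---
# 1. Let the Ops group enumerate users and groups (read only) instead of
#    granting cluster-admin or cluster-viewer to make bindings possible.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: registry-identity-reader
rules:
  - apiGroups: ["user.openshift.io"]
    resources: ["users", "groups"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: registry-ops-identity-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-identity-reader
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: registry-ops          # placeholder Ops group
---
# 2. Push/pull rights for one team's group, scoped to that team's project only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-push-pull
  namespace: project-a          # placeholder project
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-editor
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: team-a                # placeholder team group
```

The identity-reader role carries no write verbs, so the Ops group can see which users and groups exist without inheriting any of cluster-admin's powers; per-project bindings stay namespace-scoped.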

