Hello,
I am currently testing Atomic Registry, to see if we could use it
in a corporate setup. However, I have trouble wrapping my head
around the right management system. I find some things confusing,
maybe they are bugs or usability issues?
- rights on the openshift cluster and rights on the Atomic
Registry applications are intertwined
- found no way to create new roles, or modify existing ones, to
have fine-grained control on rights
- only role able to create groups is cluster-admin
- registry-admin role cannot list groups or users; how is it
possible to create bindings that way?
- Discrepancy on permissible chars in naming between CLI and
Web-UI (i.e. users with "." or "-" in names cannot be granted
permissions in Web-UI)
In my setup, multiple teams are each responsible for a different
project in the registry, and some clients will have access to one
project. Also, an Ops team is responsible for the registry, so we
don't want to give permissions that are too broad to the users of the
registry.
I tried different scenarios:
- Everything is in the LDAP, so groups are managed in LDAP.
  Issues:
  - assigning rights to pull/push on projects to different
    groups cannot be done; it is impossible to list groups unless you
    have the rights cluster-viewer or cluster-admin -> rights way
    too broad
  - synchronization of groups can only be done via CLI, so users of
    the registry must know CLI usage and share the configuration
    files (including alias mapping!)
  - groups are only displayed in the Web-UI if a rolebinding is
    already in place for them, which conflicts with the management of
    rolebindings in the Web-UI.
- Only authentication is in the LDAP; groups and bindings are
  managed in the Registry Web-UI. Issues:
  - groups cannot be created unless the user has the
    cluster-admin right -> rights WAY too broad
Did I miss a really important point that would make everything
fit together? Should I open bug reports for the features I find
missing?
Best regards,
Diego Abelenda