feat: Advanced authorization #2668

Merged
merged 8 commits into from
Dec 5, 2023
1 change: 1 addition & 0 deletions modules/administration-guide/nav.adoc
Expand Up @@ -73,6 +73,7 @@
**** xref:configuring-oauth-1-for-a-bitbucket-server.adoc[]
**** xref:configuring-oauth-2-for-microsoft-azure-devops-services.adoc[]
*** xref:configuring-cluster-roles-for-users.adoc[]
*** xref:configuring-advanced-authorization.adoc[]
*** xref:removing-user-data-in-compliance-with-the-gdpr.adoc[]
* xref:managing-ide-extensions.adoc[]
** xref:extensions-for-microsoft-visual-studio-code-open-source.adoc[]
modules/administration-guide/pages/configuring-advanced-authorization.adoc
@@ -0,0 +1,49 @@
:_content-type: PROCEDURE
:description: Configuring advanced authorization
:keywords: authorization, user, group
:navtitle: Configuring advanced authorization
// :page-aliases:

[id="configuring-advanced-authorization"]
= Configuring advanced authorization

You can determine which users and groups are allowed to access {prod-short}.
Member
@tolusha Should we clarify that this is an OpenShift feature, or whether this would work on vanilla k8s as well?


.Prerequisites

* An active `{orch-cli}` session with administrative permissions to the destination {orch-name} cluster. See {orch-cli-link}.

.Procedure

. Configure the `CheCluster` Custom Resource. See xref:using-the-cli-to-configure-the-checluster-custom-resource.adoc[].
+
[source,yaml,subs="+quotes,+attributes"]
----
spec:
networking:
auth:
advancedAuthorization:
allowUsers:
- __<allow_users>__ <1>
allowGroups:
- __<allow_groups>__ <2>
denyUsers:
- __<deny_users>__ <3>
denyGroups:
- __<deny_groups>__ <4>
----
<1> List of users allowed to access {prod}.
<2> List of groups of users allowed to access {prod} (for {ocp} only).
<3> List of users denied access to {prod}.
<4> List of groups of users denied to access {prod} (for {ocp} only).
+
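Review bot: callouts <2> and <4> say the group lists apply to {ocp} only, but neither the snippet nor the surrounding text says what happens when `allowGroups` or `denyGroups` is set on a cluster that is not OpenShift (silently ignored, or rejected on validation); an administrator who relies on a group deny rule there needs to know whether it has any effect, so add one sentence stating the behaviour. Also, callout <4> should read "List of groups of users denied access to {prod}" rather than "denied to access".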
Comment on lines +35 to +39
Member
ok, looks like on k8s one can only use allowUsers / denyUsers, whereas allowGroups / denyGroups are OpenShift-specific.

To allow a user to access {prod-short}, add him to the `allowUsers` list or a group where he is member of to `allowGroups` list.

GitHub Actions / vale, warning on line 40 in modules/administration-guide/pages/configuring-advanced-authorization.adoc:

[RedHat.TermsWarnings] Consider using 'you' rather than 'he' unless updating existing content that uses the term.
To deny a user to access {prod-short}, add him to the `denyUsers` list or a group where he is member of to `denyGroups` list.
If user is in both `allow` and `deny` lists, then he is denied access to {prod-short}.
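Review bot: the precedence rule on this line should say explicitly that it spans both list kinds, that is, whether a user named in `allowUsers` who is also a member of a group listed in `denyGroups` is denied; as written, "both `allow` and `deny` lists" can be read as applying only to lists of the same kind, and that is exactly the case an administrator combining user and group rules will hit. The two preceding sentences also still use "him"/"he" where the vale warning asks for neutral wording such as "the user".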
+
If `allowUsers` and `allowGroups` are empty, then all users are allowed to access {prod-short} except ones from `deny` lists.
if `denyUsers` and `denyGroups` are empty, then only users from `allow` lists are allowed to access {prod-short}.
+
If `allow` and `deny` lists are empty, then all users are allowed to access {prod-short}.
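Review bot: the sentence beginning "if `denyUsers`" needs a capital letter, and the three empty-list cases on these lines read more clearly as one rule: deny lists are applied first; then, if any allow list is populated, only the listed users and group members are admitted, otherwise every user is admitted. Because empty lists leave access open to every authenticated user, it is worth stating plainly that the feature restricts nothing until at least one list is populated, so that an administrator does not assume that adding the `advancedAuthorization` block by itself limits access.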

. Wait for the rollout of the {prod-short} server components to be completed.