Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ auth: use synthetic user/group when service account is not defined #1816

Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

✨ auth: use synthetic user/group when service account is not defined #1816

wants to merge 6 commits into from
+212 −2

Conversation

joelanford
Copy link
Member

Description

Today at a meeting among maintainers of OLMv1, we discussed an idea that @thetechnick proposed awhile back. That is: stop using service accounts and service account tokens. Instead use synthetic names with impersonation.

While we are now 1.0.0 with support for service accounts, we can deprecate that feature and recommend attaching permissions to synthetic users/groups instead.

This PR demonstrates how we might do this. But with the API change, we should write up a detailed design and gain consensus.

This PR uses:

  • User: "olmv1:clusterextensions:<clusterExtensionName>:admin"
  • Groups: ["system:authenticated", "olmv1:clusterextensions:admin"]

But I'm not sure this is the best setup. There's more discussion to be had around what sythentic names/groups we could derive from a cluster extension.

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 26, 2025
@netlify Netlify
Copy link

netlify bot commented Feb 26, 2025
edited
Loading

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 542ca2d
🔍 Latest deploy log https://app.netlify.com/sites/olmv1/deploys/67c06ecfa373760007e6d7ea
😎 Deploy Preview https://deploy-preview-1816--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@joelanford joelanford force-pushed the synthetic-permissions branch 3 times, most recently from dfc5ccb to fbcc4a5 Compare February 26, 2025 22:35
@codecov Codecov
Copy link

codecov bot commented Feb 26, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 80.55556% with 7 lines in your changes missing coverage. Please review.

Project coverage is 68.48%. Comparing base (df35dcd) to head (542ca2d).

Files with missing lines Patch % Lines
internal/operator-controller/action/restconfig.go 69.56% 6 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1816      +/-   ##
==========================================
+ Coverage   68.43%   68.48%   +0.05%     
==========================================
  Files          63       64       +1     
  Lines        5132     5166      +34     
==========================================
+ Hits         3512     3538      +26     
- Misses       1390     1397       +7     
- Partials      230      231       +1
Flag Coverage Δ
e2e 51.41% <38.88%> (-0.15%) ⬇️
unit 56.02% <55.55%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@joelanford joelanford force-pushed the synthetic-permissions branch 3 times, most recently from 11210fc to e44c4d2 Compare February 27, 2025 05:06
@thetechnick
Copy link
Contributor

I'd like to have a discussion on the olmv1 prefix vs just olm and the :admin suffix before this gets merged, but otherwise this looks pretty much how I'd wanted it to look. Thanks for the work!

@perdasilva perdasilva force-pushed the synthetic-permissions branch 2 times, most recently from 1c2f38f to 73e6080 Compare February 27, 2025 12:29
@joelanford
Copy link
Member Author

I'd like to have a discussion on the olmv1 prefix vs just olm and the :admin suffix before this gets merged, but otherwise this looks pretty much how I'd wanted it to look. Thanks for the work!

I put next to no critical thought into the name and group names. @thetechnick you propose the following?

  • User: olm:clusterextensions:<ceName>
  • Group:olm:clusterextensions (and still keep system:authenticated)

joelanford and others added 5 commits February 27, 2025 14:47
@joelanford
auth: use synthetic user/group when service account is not defined
bdce3e9 
Signed-off-by: Joe Lanford <[email protected]>
Revert API changes
fa464c3 
Signed-off-by: Per Goncalves da Silva <[email protected]>
Add featuregate
3513068 
Signed-off-by: Per Goncalves da Silva <[email protected]>
fix up
6e4b127 
Signed-off-by: Per Goncalves da Silva <[email protected]>
Add unit tests
fb13084 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva perdasilva force-pushed the synthetic-permissions branch from 73e6080 to fb13084 Compare February 27, 2025 13:51
Update syntheric user format
542ca2d 
Signed-off-by: Per Goncalves da Silva <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@joelanford @thetechnick