Uploaded image for project: 'Agent-based Installer for OpenShift'
  1. Agent-based Installer for OpenShift
  2. AGENT-931

Add Authorization to internal Components of Agent Installer

XMLWordPrintable

    • Add Authorization to internal Components of Agent Installer
    • BU Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • Green
    • In Progress
    • OCPSTRAT-1571 - Add Authorization to internal Components of Agent-Based Installer
    • OCPSTRAT-1571Add Authorization to internal Components of Agent-Based Installer
    • 44% To Do, 33% In Progress, 22% Done
    • Hide

      16 Oct 2024: Green

      2 PRs are up for review. First we need the swagger changes from assisted service to be merged and then implement the authz handler. The last PR to create 3 seperate tokens is already in code review. 

      Show
      16 Oct 2024: Green 2 PRs are up for review. First we need the swagger changes from assisted service to be merged and then implement the authz handler. The last PR to create 3 seperate tokens is already in code review. 
    • Installer (PB) Sprint 258, Installer (PB) Sprint 259, Installer Sprint 260, Installer Sprint 261

      Epic Goal

      • Implement authorization to secure API access for different user personas/actors in the agent-based installer.
      • User Personas:
        • Read-Only Access: For "wait-for" and "monitor-add-nodes" commands.
        • Read-Write Access: For systemd services and the agent service.

      Why is this important?

      • The agent-based installer APIs have implemented basic security measures through authentication, as covered in AGENT-145. To further enhance security, it is crucial to implement user persona/actor-based authorization, allowing for differentiated access control, such as read-only or read-write permissions, based on the user's role. This approach will provide a more robust and secure API framework, ensuring that users can only perform actions appropriate to their role. 

      Scenarios

      1. Users running the wait-for or monitor-add-nodes commands should have read-only permissions. They should not be able to write to the API. If they attempt to perform write operations, appropriate error messages could be displayed, indicating that they are not authorized to write.
      2. Users associated with running systemd services should have both read and write permissions.
      3. Users associated with running the agent service should also have read and write permissions.

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1.  

      Open questions::

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            ppinjark@redhat.com pawan pinjarkar
            beth.white Beth White
            Biagio Manzari Biagio Manzari
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: