  1. OCMUI - OpenShift Cluster Manager UI
  2. OCMUI-1716

UI for ROSA Lockbox: handle email url and new Approval form

    • Icon: Epic Epic
    • Resolution: Done
    • UI for ROSA Lockbox
    • https://issues.redhat.com/browse/OCMUI-1955
    • XCMSTRAT-544 - ROSA "Approved Access" (was Lockbox)
    • 67% To Do, 0% In Progress, 33% Done
    • OCMUI Core Sprint 255, OCMUI Core Sprint 256

      Today, via Microsoft, SRE access to ARO clusters is governed by a system called Lockbox, which provides a customer approval system for any actions by SRE on customer clusters. Many customers expect this kind of approval-first approach when SRE needs to take action on a customer cluster. To meet customer expectations with ROSA, we plan to implement a similar system in Red Hat for the ROSA fleet (ROSA Classic and ROSA HCP).

      PM: Jim Zimmerman
      Q2 Estimations Coordinator: Amador Pahim Segundo

      UI specific callouts from parent epic:

      • An authorized user can view a list of lockbox requests through
        • ROSA cli
        • OCM UI
      • If the customer has configured email notifications then the email notification will link into the OCM UI
        • UI url to approve lockbox request
      • ROSA CLI and OCM UI will allow the customer to
        • List all lockbox requests (short list)
        • Get details of a lockbox request (more detail)
        • Approve or reject lockbox request
          • Note: once approved, a request cannot be denied. Likewise, a denied request cannot be approved; a new request has to be made.
      • It is necessary that this approval workflow is not exclusive to the UI. In other words, it would need to work via the ROSA CLI, Terraform, API calls, etc.

       

      Notes from meeting with backend team (rblake@redhat.com +):

      • Draft API should be available next week (4/29)
      • Hoping 'live' API in a couple of weeks
      • Initial UI task is to handle an 'approve/deny lockbox request' URL link in the SRE-generated email to the customer
        • Customer clicks on the 'approve/deny lockbox request' URL link in the email
        • OCM UI is launched and lands on a 'Lockbox Approval' page
          • UI checks to see that logged in user is Org Admin, Cluster Owner, or new role "Access Request Approver"
            • AccessTransparencyApprover has been created
            • Either the Cluster Owner or the AccessTransparencyApprover role can approve/deny requests
          • UI calls API for cluster to get lockbox status.
            • If not processed yet, shows a page with a [Yes] button and a [No] button with a justification for why the request was denied.
              • After the yes/no button is clicked, POST the API request and show the same message as in the next bullet:
            • If processed, shows a message indicating the lockbox has already been processed/approved/denied, with reason?
      • Other UI tasks
        • Listing of all lockbox (or RH proposed term: "Access Transparency") requests per cluster
        • Listing of all lockbox requests per org? (api supports this)
        • Click on lockbox in List to drill down into Lockbox Details page
        • If not processed, show yes/no buttons?
        • If processed, shows lockbox status...any other lockbox properties to show on the details page?
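
The landing-page flow from the meeting notes above (role check, status lookup, decision form or "already processed" message), sketched as an added example; this is not OCM UI code. Only AccessTransparencyApprover comes from this page: the other role strings, the status values and the payload fields are assumptions, since the draft API is not shown here.

```javascript
// Added example with hypothetical names; the draft OCM Approval API is not on this page.
const APPROVER_ROLES = new Set(["OrgAdmin", "ClusterOwner", "AccessTransparencyApprover"]);
const TERMINAL = new Set(["Approved", "Denied"]); // assumed status values

// Can this logged-in user act on access requests at all?
function canDecide(user) {
  return Array.isArray(user.roles) && user.roles.some((r) => APPROVER_ROLES.has(r));
}

// Decide what the landing page renders for the request linked from the email.
function resolveView(user, request) {
  if (!canDecide(user)) return { view: "forbidden" };
  if (TERMINAL.has(request.status)) {
    // Already processed: show the outcome, never the buttons.
    return { view: "processed", status: request.status, reason: request.justification || null };
  }
  return { view: "decision-form" };
}

// Build the body for the POST that follows a [Yes]/[No] click.
// Throws instead of returning a payload when the action is not allowed.
function buildDecision(user, request, decision, justification = "") {
  if (!canDecide(user)) throw new Error("not authorized to approve or deny");
  if (TERMINAL.has(request.status)) {
    // An approved request cannot be denied and vice versa.
    throw new Error(`request already ${request.status.toLowerCase()}; a new request has to be made`);
  }
  if (decision !== "Approved" && decision !== "Denied") throw new Error("unknown decision");
  const reason = justification.trim();
  if (decision === "Denied" && reason === "") throw new Error("denial requires a justification");
  return { requestId: request.id, decision, justification: reason };
}

// Constructed sample data (not real users or requests).
const approver = { name: "alice", roles: ["AccessTransparencyApprover"] };
const viewer = { name: "bob", roles: ["ClusterViewer"] };
const pending = { id: "req-1", status: "Pending" };
const denied = { id: "req-2", status: "Denied", justification: "outside change window" };
```

Because the same workflow has to work through the ROSA CLI, Terraform and direct API calls, these client-side checks only decide what the page shows; the API has to enforce the same role and state rules.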

      Implementation Details

      • New route for email url
      • New Approval form
      • New API wiring

      Draft: OCM Approval API 

      UX Contact: juhale@redhat.com. OCMUX-78 is in 'consulting support' mode so I imagine UI dev will need to make rudimentary mockups if required.

            emingora Enrique Mingorance Cno
            dtaylor@redhat.com David Taylor
            Vitor Graziano Vitor Graziano (Inactive)