Hybrid Cloud Console
RHCLOUD-30986

[RBAC] Allow RBAC permissions management via service account

      • A service account which has been added to an RBAC User Group containing the "User Access Administrator" role is able to perform any action against the RBAC API that a principal user with the same level of access can perform.
      • Said service account can then perform any RBAC operation, including:
        • Create a group
        • Edit a group
        • Delete a group
        • Create a role
        • Edit a role
        • Delete a role
        • Add a user to a group
        • Remove a user from a group
    • CRCPLAN-185 - RBAC | Support Service Account Auth in Console RBAC
    • Sprint: Access & Management Sprint 83, Access & Management Sprint 84, Access & Management Sprint 85, Access & Management Sprint 86

      I've noticed that I'm not able to manage RBAC (for example, add a user to a group) through my service account even if the service account has the "User Access administrator" role:

      $ curl -sSH "Authorization:Bearer ${access_token}" \
          "https://console.redhat.com/api/rbac/v1/access/?application=rbac" | jq
      {
        "meta": {
          "count": 2,
          "limit": 2,
          "offset": 0
        },
        "links": {
          "first": "/api/rbac/v1/access/?application=rbac&limit=2&offset=0",
          "next": null,
          "previous": null,
          "last": "/api/rbac/v1/access/?application=rbac&limit=2&offset=0"
        },
        "data": [
          {
            "resourceDefinitions": [],
            "permission": "rbac:principal:read"
          },
          {
            "resourceDefinitions": [],
            "permission": "rbac:*:*"
          }
        ]
      }
      
      
      $ curl -X "POST" -sSH "Authorization:Bearer ${access_token}" -H 'accept: application/json' -H 'Content-Type: application/json' -d '{
        "principals": [
          {
            "clientID": "ff9e3515-08e8-4a26-bb64-dd356a7b8207",
            "type": "service-account"
          }
        ]
      }' 'https://console.redhat.com/api/rbac/v1/groups/aab022d1-093d-47cb-a1c0-26aad06e305f/principals/'
      
      {"errors":[{"detail":"Non-admin users may not add principals to Groups with RBAC permissions.","source":"add_principals","status":"400"}]}

      chambrid: "Worth revisiting the use case with PM. I can see customers wanting to build tooling to add/remove users from different groups depending upon organizational changes. I had planned to do something similar with the service account to allow AppSRE to control tenant access to different functionality."

      Related slack thread: https://redhat-internal.slack.com/archives/C0233N2MBU6/p1707818851033319
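      The exchange above is the interesting part of this ticket for anyone building tooling on a service-account token: the /access endpoint reports that the role grants rbac:*:*, yet the groups/principals endpoint applies its own "non-admin" gate and returns 400. The following is an added example (not code from this issue or from the console RBAC project) that wraps the two calls shown above, resolves wildcard permissions the way the permission strings on this page are shaped (app:resource:verb), and flags the case where the role says "allowed" but the endpoint still refuses. Assumptions are labelled in comments: the `transport` callable is an injection point so the example replays the responses pasted in the issue offline, the permission string `rbac:group:write` is assumed as the one a group-membership change would need, and the `requests_transport` adapter is only a sketch of how to wire it to a live token.

```python
"""Pre-flight and diagnosis for RBAC API calls made with a service-account token.

Added example for RHCLOUD-30986; not code from the issue or the RBAC service.
Endpoints and response bodies come from the issue text. Everything marked
"assumed" or "constructed" is not from the page.
"""
from dataclasses import dataclass
from typing import Optional

BASE = "https://console.redhat.com/api/rbac/v1"

# Constructed from the /access response pasted in the issue.
SAMPLE_ACCESS = {
    "data": [
        {"resourceDefinitions": [], "permission": "rbac:principal:read"},
        {"resourceDefinitions": [], "permission": "rbac:*:*"},
    ]
}

# Constructed from the 400 body pasted in the issue.
SAMPLE_ADD_PRINCIPALS_400 = (400, {"errors": [{
    "detail": "Non-admin users may not add principals to Groups with RBAC permissions.",
    "source": "add_principals", "status": "400"}]})


def permission_matches(granted: str, wanted: str) -> bool:
    """Permissions are app:resource_type:verb; '*' in a granted segment matches anything."""
    g, w = granted.split(":"), wanted.split(":")
    if len(g) != 3 or len(w) != 3:
        return False
    return all(gs == "*" or gs == ws for gs, ws in zip(g, w))


def has_permission(access_payload: dict, wanted: str) -> bool:
    """True if any entry returned by /access/?application=rbac covers `wanted`."""
    return any(permission_matches(e.get("permission", ""), wanted)
               for e in access_payload.get("data", []))


@dataclass
class Outcome:
    permission_granted: bool   # what /access said about the token
    status: int                # HTTP status of the mutating call
    detail: Optional[str]      # first error detail, if any

    @property
    def admin_gated(self) -> bool:
        """Role grants the permission, but the endpoint applied a separate admin check."""
        return (self.permission_granted and self.status == 400
                and self.detail is not None and "Non-admin" in self.detail)


def add_service_account_to_group(transport, token, group_uuid, client_id,
                                 wanted="rbac:group:write"):  # 'rbac:group:write' is assumed
    """Check /access first, then attempt the add-principals POST from the issue.

    `transport(method, url, headers, body) -> (status, json_dict)` is an assumed
    injection point so this runs offline; see requests_transport for a live one.
    """
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    status, access = transport("GET", f"{BASE}/access/?application=rbac", headers, None)
    granted = status == 200 and has_permission(access, wanted)

    body = {"principals": [{"clientID": client_id, "type": "service-account"}]}
    status, resp = transport("POST", f"{BASE}/groups/{group_uuid}/principals/", headers, body)
    detail = None
    if status >= 400:
        errors = resp.get("errors") or []
        detail = errors[0].get("detail") if errors else None
    return Outcome(granted, status, detail)


def fake_transport(method, url, headers, body):
    """Constructed stand-in that replays the two responses pasted in the issue."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {}
    if method == "GET" and url.endswith("/access/?application=rbac"):
        return 200, SAMPLE_ACCESS
    if method == "POST" and url.endswith("/principals/"):
        return SAMPLE_ADD_PRINCIPALS_400
    return 404, {}


def requests_transport(method, url, headers, body):
    """Assumed live adapter using the `requests` library (imported lazily)."""
    import requests
    r = requests.request(method, url, headers=headers, json=body, timeout=30)
    try:
        return r.status_code, r.json()
    except ValueError:
        return r.status_code, {}


if __name__ == "__main__":
    out = add_service_account_to_group(
        fake_transport, "dummy-token",
        "aab022d1-093d-47cb-a1c0-26aad06e305f",   # group UUID from the issue
        "ff9e3515-08e8-4a26-bb64-dd356a7b8207")   # service-account clientID from the issue
    print(out, "admin_gated=", out.admin_gated)
```

      Run against the real service by passing `requests_transport` and a live token; the `admin_gated` flag is the condition this ticket describes, and it is the reason a tooling author cannot rely on the /access response alone to predict whether a service-account principal may modify group membership.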

              pcihalov@redhat.com Petra Cihalova
              fstavela@redhat.com Frantisek Stavela