What controls the terminal pod access in Openshift Web Console? - kubernetes

Who has access to open pod terminals through the openshift web console? What permissions need to be given for this?

Any user that has edit or admin role in the project which the application is running in, can create a terminal session for pods running in that project.
oc adm policy add-role-to-user edit <collaborator>
The purpose of the different roles you can grant are:
admin - A project manager. The user will have rights to view any resource in the project and modify any resource in the project except for quota. A user with this role for a project will be able to delete the project.
edit - A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings. A user with this role can create and delete applications in the project.
view - A user who cannot make any modifications, but can see most objects in a project.
A user with view role cannot create a terminal session as that would mean they could modify things.

Related

Custom Role in Azure DevOps to allow Add Users

Is it possible to provide a reduced set of permissions to allow a user permission to add other users to a project without being a full blown administrator? Adding a user as a Project Admin provides to more access which is a huge security issue.
You could add user as contributor or Project Valid Users with limited access. Please see Project-level groups
Contributors: Has permissions to contribute fully to the project code base and work item tracking. The main permissions they don't have are those that manage or administer resources.
Project Valid Users: Has permissions to access and view project information.
Besides, you could also create a custom group to grant or restrict permissions in project setting >> permission >> new group. Then, change permission for the group.

Unable to grant admin permissions Google IAM & Admin

Trying to create a Project in the Google cloud platform. However, I am unable to due to not having permission to create projects in this location.
I currently have no projected created. So when I try to add myself or another user to the Google IAM & Admin page, it will not allow me because it says I do not have any projects to select.
Is there another way to enable Organization Administrator and Project Creator for Google IAM?
In order to create a Project you should have the proper permissions, mentioned in Creating a project:
To create a project, you must have the ´resourcemanager.projects.create´ permission. This permission is included in the Project Creator ´roles/resourcemanager.projectCreator´ role, which is granted by default to the entire domain of a new organization and to free trial users. For information on how to grant individuals the role and limit organization-wide access, see the Managing Default Organization Roles page.
Given this, you should ask your Organization administrator to grant your user this Role.
You can create a project through the gCloud SDK:
To create a new project, use the gcloud projects create command:
gcloud projects create PROJECT_ID
Where ´PROJECT_ID´ is the ID for the project you want to create. A project ID must start with a lowercase letter, and can contain only ASCII letters, digits, and hyphens, and must be between 6 and 30 characters.
To create a project with an organization or a folder as parent, use the --organization or --folder flags. As a resource can only have one parent, only one of these flags can be used:
gcloud projects create PROJECT_ID --organization=ORGANIZATION_ID
gcloud projects create PROJECT_ID --folder=FOLDER_ID

Cloud composer: "PERMISSION_DENIED: The caller does not have permission"

I implemented a few tasks with BashOperator. Ones with "gsutil rm" and "gsutil cp" worked fine. But one with "gcloud alpha firestore export" generates this error:
{bash_operator.py:101} INFO - ERROR: (gcloud.alpha.firestore.export) PERMISSION_DENIED: The caller does not have permission
This command itself works fine in gcloud shell. I tried to give some Firestore related permissions to the service account used by the Composer but it still doesn't work. Any idea
It might be that you don't have permissions for a particular project.
The error I was getting was: PERMISSION_DENIED: Caller does not have required permission to use project project:random-id-11111.
The way I resolved it was by running gcloud config set project 'the-right-project-id' and then the actual gcloud command.
I think you need Cloud Datastore Import Export access. Following are the steps as per current Current Google Cloud platform layout.
https://console.cloud.google.com > Left drawer > IAM & admin > Against user - Edit Icon > Add another role > Data Store > Cloud Datastore Import & Export > Save
Try creating a new service account with the Firestore-related permissions needed and using that on a freshly created environment. https://cloud.google.com/composer/docs/how-to/access-control
Other debugging ideas: * Try ssh-ing into the Kubernetes workers on your Composer environment and running the command. *Is the Firestore API enabled on your project?
Open https://console.cloud.google.com/iam-admin/iam
Find the service account you're using for the backups
Add the Owner role to the service account
It's not really intuitive or logic because there are not permissions or roles for Firestore.
Unfortunately it took me way to long to figure it out. I hope it helps others!
Similar to Roy's answer, the issue for me was that gcloud was set to a different project.
check which project it is set to
gcloud config list
list which projects you have access to
gcloud projects list
set the correct project
gcloud config set project 'foo-project'
Grant firebase admin role to the default service account that your service is using.
Adding Owner role to the service account seems too much privilege for just taking backup.
In IAM & Admin make sure your #appspot.gserviceaccount.com must have access for 3 things:
Cloud Functions Admin
Cloud Datastore Import Export Admin
Storage Admin
you need to set your project first where you are owner
gcloud config set project project-id
You can find your project id by clicking on gcloud console it will be there in popup in project-name-somerandomnumbers
I got caught out on this today. The issue was that I had set up my service account correctly in the IAM settings, but hadn't realised an invitation had been sent to that email address which I needed to accept. Worked immediately once I accepted the invite.

Export role information from a keycloak instance

Is it possible to export the roles added to a keycloak server instance?
I have created some composite roles on a development server which I'd like to mirror across some other instances (e.g. in an integration\development) environment.
The only thing I can think of is using the Admin API to retrieve the details of the roles and use for some sort of insert script to be run in a different environment.
Is this possible?
Keycloak 3.2.0.Final and later has a "Export" menu item in its admin console. There you can export groups and roles (global and client roles) to a JSON file.

How to restrict users from creating new organization on Grafana

On a Grafana deployment if i create a user with the Editor role it can't perform administrative tasks but it can create a new organization and gain Administrative privileges on that organization. Is there a way to prevent roles from creating new Organizations?
Bellow you can see a snapshot of a user with the Editor role viewing the "New organization" action on the main menu on Grafana 3.1.0
There is a global switch (all users will be affected, but admin) in grafana's config file - allow_org_create, by default it's enabled.