add what-can-i-do endpoint

[deads2k]

Let's argue about names. This as a REST endpoint and a command (oc policy can-i --list) that gives back a list of all the policy rules that a given user has in namespace. I need a good name for the resource and kind.

I want one endpoint for determining it about yourself (with scopes properly applied) and one for determining it about someone else. Having two endpoints makes it easier to write policy rules without introspection.

Things that are missing:

• the "someone else" endpoint - willl make issue.
• normalization of the rules to neatly bundle by resource tuples, collapsing for identical verbs and names - turns out our rules don't look too bad as-is.
• tests
• respect for scopes (scopes haven't merged yet) - can't reasonably do without scopes having merged

@jwforres @spadgett you both asked for this. I don't intend to associate the list in any particular way.
@openshift/api-review PertinentPermissions and PersonalPertinentPermissions?

[smarterclayton]

The call returns policy rules. So PolicyRulesReview or SubjectRulesReview
is at least consistent with our existing resources.

On Thu, Apr 28, 2016 at 4:40 PM, David Eads [email protected]
wrote:

Let's argue about names. This as a REST endpoint and a command (oc policy
what-can-i-do) that gives back a list of all the policy rules that a
given user has in namespace. I need a good name for the resource and kind.

I want one endpoint for determining it about yourself (with scopes
properly applied) and one for determining it about someone else. Having two
endpoints makes it easier to write policy rules without introspection.

Things that are missing:

• the "someone else" endpoint
• normalization of the rules to neatly bundle by resource tuples,
  collapsing for identical verbs and names
• tests
• respect for scopes (scopes haven't merged yet)

@jwforres https://github.com/jwforres @spadgett
https://github.com/spadgett you both asked for this. I don't intend to
associate the list in any particular way.
@openshift/api-review https://github.com/orgs/openshift/teams/api-review

PertinentPermissions and PersonalPertinentPermissions?

You can view, comment on, or merge this pull request online at:

#8675
Commit Summary

• add what-can-i-do endpoint

File Changes

• M pkg/authorization/api/register.go
  https://github.com/openshift/origin/pull/8675/files#diff-0 (2)
• M pkg/authorization/api/types.go
  https://github.com/openshift/origin/pull/8675/files#diff-1 (11)
• M pkg/authorization/api/v1/register.go
  https://github.com/openshift/origin/pull/8675/files#diff-2 (2)
• M pkg/authorization/api/v1/types.go
  https://github.com/openshift/origin/pull/8675/files#diff-3 (11)
• M pkg/authorization/api/v1beta3/register.go
  https://github.com/openshift/origin/pull/8675/files#diff-4 (2)
• M pkg/authorization/api/v1beta3/types.go
  https://github.com/openshift/origin/pull/8675/files#diff-5 (11)
• A pkg/authorization/registry/whatcanido/storage.go
  https://github.com/openshift/origin/pull/8675/files#diff-6 (39)
• M pkg/authorization/rulevalidation/policy_comparator.go
  https://github.com/openshift/origin/pull/8675/files#diff-7 (14)
• M pkg/client/client.go
  https://github.com/openshift/origin/pull/8675/files#diff-8 (5)
• A pkg/client/whatcanido.go
  https://github.com/openshift/origin/pull/8675/files#diff-9 (32)
• A pkg/cmd/admin/policy/whatcanido.go
  https://github.com/openshift/origin/pull/8675/files#diff-10 (74)
• M pkg/cmd/cli/policy/policy.go
  https://github.com/openshift/origin/pull/8675/files#diff-11 (1)
• M pkg/cmd/server/bootstrappolicy/policy.go
  https://github.com/openshift/origin/pull/8675/files#diff-12 (1)
• M pkg/cmd/server/origin/master.go
  https://github.com/openshift/origin/pull/8675/files#diff-13 (4)
• M pkg/cmd/server/origin/master_config.go
  https://github.com/openshift/origin/pull/8675/files#diff-14 (19)

Patch Links:

• https://github.com/openshift/origin/pull/8675.patch
• https://github.com/openshift/origin/pull/8675.diff

—
You are receiving this because you are on a team that was mentioned.
Reply to this email directly or view it on GitHub
#8675

[deads2k]

The call returns policy rules. So PolicyRulesReview or SubjectRulesReview
is at least consistent with our existing resources.

SubjectRulesReview and SelfSubjectRulesReview? That would match SubjectAccessReview and SelfSubjectAccessReview upstream.

[smarterclayton]

Yeah those make sense.

On Thu, Apr 28, 2016 at 5:13 PM, David Eads [email protected]
wrote:

The call returns policy rules. So PolicyRulesReview or SubjectRulesReview
is at least consistent with our existing resources.

SubjectRulesReview and SelfSubjectRulesReview? That would match
SubjectAccessReview and SelfSubjectAccessReview upstream.

—
You are receiving this because you are on a team that was mentioned.
Reply to this email directly or view it on GitHub
#8675 (comment)

[deads2k]

@smarterclayton updated to SelfSubjectRulesReview.

@pweil- got a reviewer in mind?

[deads2k]

@sgallagher you're interested in RESTStorage, clients, and cli commands, right? :)

[deads2k]

[test]

[pweil-]

got a reviewer in mind

@sgallagher loves this kind of stuff 😄

@sdminonne if you have some time since this is probably similar to the SCC checks you're looking at.

[openshift-bot]

Evaluated for origin test up to 257ecaa

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/3521/)

[deads2k]

Request:

{"kind":"SelfSubjectRulesReview","apiVersion":"v1","status":{"rules":null}}

Response

{
    "kind": "SelfSubjectRulesReview",
    "apiVersion": "v1",
    "status": {
        "rules": [{
            "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
            "attributeRestrictions": null,
            "apiGroups": [""],
            "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "pods", "pods/attach", "pods/exec", "pods/log", "pods/portforward", "pods/proxy", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
        }, {
            "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
            "attributeRestrictions": null,
            "apiGroups": [""],
            "resources": ["buildconfigs", "buildconfigs/instantiate", "buildconfigs/instantiatebinary", "buildconfigs/webhooks", "buildlogs", "builds", "builds/clone", "builds/log", "deploymentconfigrollbacks", "deploymentconfigs", "deploymentconfigs/log", "deploymentconfigs/scale", "deployments", "generatedeploymentconfigs", "imagestreamimages", "imagestreamimports", "imagestreammappings", "imagestreams", "imagestreams/secrets", "imagestreamtags", "localresourceaccessreviews", "localsubjectaccessreviews", "processedtemplates", "projects", "resourceaccessreviews", "rolebindings", "roles", "routes", "subjectaccessreviews", "templateconfigs", "templates"]
        }, {
            "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
            "attributeRestrictions": null,
            "apiGroups": ["autoscaling"],
            "resources": ["horizontalpodautoscalers"]
        }, {
            "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
            "attributeRestrictions": null,
            "apiGroups": ["batch"],
            "resources": ["jobs"]
        }, {
            "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
            "attributeRestrictions": null,
            "apiGroups": ["extensions"],
            "resources": ["horizontalpodautoscalers", "jobs", "replicationcontrollers/scale"]
        }, {
            "verbs": ["get", "list", "watch"],
            "attributeRestrictions": null,
            "apiGroups": ["extensions"],
            "resources": ["daemonsets"]
        }, {
            "verbs": ["get", "list", "watch"],
            "attributeRestrictions": null,
            "apiGroups": null,
            "resources": ["bindings", "configmaps", "endpoints", "events", "imagestreams/status", "limitranges", "minions", "namespaces", "namespaces/status", "nodes", "persistentvolumeclaims", "persistentvolumes", "pods", "pods/log", "pods/status", "policies", "policybindings", "replicationcontrollers", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "resourcequotausages", "routes/status", "securitycontextconstraints", "serviceaccounts", "services"]
        }, {
            "verbs": ["get", "update"],
            "attributeRestrictions": null,
            "apiGroups": null,
            "resources": ["imagestreams/layers"]
        }, {
            "verbs": ["update"],
            "attributeRestrictions": null,
            "apiGroups": null,
            "resources": ["routes/status"]
        }]
    }
}

[jwforres]

sample response LGTM, this is what the UI needs

On Mon, May 2, 2016 at 9:45 AM, David Eads [email protected] wrote:

Request:

{"kind":"SelfSubjectRulesReview","apiVersion":"v1","status":{"rules":null}}

Response

{
"kind": "SelfSubjectRulesReview",
"apiVersion": "v1",
"status": {
"rules": [{
"verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": [""],
"resources": ["configmaps", "endpoints", "persistentvolumeclaims", "pods", "pods/attach", "pods/exec", "pods/log", "pods/portforward", "pods/proxy", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
}, {
"verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": [""],
"resources": ["buildconfigs", "buildconfigs/instantiate", "buildconfigs/instantiatebinary", "buildconfigs/webhooks", "buildlogs", "builds", "builds/clone", "builds/log", "deploymentconfigrollb!
acks", "deploymentconfigs", "deploymentconfigs/log", "deploymentconfigs/scale", "deployments", "generatedeploymentconfigs", "imagestreamimages", "imagestreamimports", "imagestreammappings", "imagestreams", "imagestreams/secrets", "imagestreamtags", "localresourceaccessreviews", "localsubjectaccessreviews", "processedtemplates", "projects", "resourceaccessreviews", "rolebindings", "roles", "routes",!
"subjectaccessreviews", "templateconfigs", "templates"]
}, {
"verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": ["autoscaling"],
"resources": ["horizontalpodautoscalers"]
}, {
"verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": ["batch"],
"resources": ["jobs"]
}, {
"verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": ["extensions"],
"resources": ["horizontalpodautoscalers", "jobs", "replicationcontrollers/scale"]
}, {
"verbs": ["get", "list", "watch"],
"attributeRestrictions": null,
"apiGroups": ["extensions"],
"resources": ["daemonsets"]
}, {
"verbs": ["get", "list", "watch"],
"attributeRestrictions": null,
"apiGroups": null,
"resources": ["bindings", "configmaps", "endpoints", "events", "imagestreams/status", "limitranges", "minions", "namespaces", "namespaces/status",
"nodes", "persistentvolumeclaims", "persistentvolumes", "pods", "pods/log", "pods/status", "policies", "policybindings", "replicationcontrollers", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "resourcequotausages", "routes/status", "securitycontextconstraints", "serviceaccounts", "services"]
}, {
"verbs": ["get", "update"],
"attributeRestrictions": null,
"apiGroups": null,
"resources": ["imagestreams/layers"]
}, {
"verbs": ["update"],
"attributeRestrictions": null,
"apiGroups": null,
"resources": ["routes/status"]
}]
}
}

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#8675 (comment)

[smarterclayton]

Not sure whether I like "what-can-I-do" as a command name but it's fine for
now.

On Mon, May 2, 2016 at 10:07 AM, Jessica Forrester <[email protected]

wrote:

sample response LGTM, this is what the UI needs

On Mon, May 2, 2016 at 9:45 AM, David Eads [email protected]
wrote:

Request:

{"kind":"SelfSubjectRulesReview","apiVersion":"v1","status":{"rules":null}}

Response

{
"kind": "SelfSubjectRulesReview",
"apiVersion": "v1",
"status": {
"rules": [{
"verbs": ["create", "delete", "deletecollection", "get", "list",
"patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": [""],
"resources": ["configmaps", "endpoints", "persistentvolumeclaims",
"pods", "pods/attach", "pods/exec", "pods/log", "pods/portforward",
"pods/proxy", "replicationcontrollers", "replicationcontrollers/scale",
"secrets", "serviceaccounts", "services", "services/proxy"]
}, {
"verbs": ["create", "delete", "deletecollection", "get", "list",
"patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": [""],
"resources": ["buildconfigs", "buildconfigs/instantiate",
"buildconfigs/instantiatebinary", "buildconfigs/webhooks", "buildlogs",
"builds", "builds/clone", "builds/log", "deploymentconfigrollb!
acks", "deploymentconfigs", "deploymentconfigs/log",
"deploymentconfigs/scale", "deployments", "generatedeploymentconfigs",
"imagestreamimages", "imagestreamimports", "imagestreammappings",
"imagestreams", "imagestreams/secrets", "imagestreamtags",
"localresourceaccessreviews", "localsubjectaccessreviews",
"processedtemplates", "projects", "resourceaccessreviews", "rolebindings",
"roles", "routes",!
"subjectaccessreviews", "templateconfigs", "templates"]
}, {
"verbs": ["create", "delete", "deletecollection", "get", "list",
"patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": ["autoscaling"],
"resources": ["horizontalpodautoscalers"]
}, {
"verbs": ["create", "delete", "deletecollection", "get", "list",
"patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": ["batch"],
"resources": ["jobs"]
}, {
"verbs": ["create", "delete", "deletecollection", "get", "list",
"patch", "update", "watch"],
"attributeRestrictions": null,
"apiGroups": ["extensions"],
"resources": ["horizontalpodautoscalers", "jobs",
"replicationcontrollers/scale"]
}, {
"verbs": ["get", "list", "watch"],
"attributeRestrictions": null,
"apiGroups": ["extensions"],
"resources": ["daemonsets"]
}, {
"verbs": ["get", "list", "watch"],
"attributeRestrictions": null,
"apiGroups": null,
"resources": ["bindings", "configmaps", "endpoints", "events",
"imagestreams/status", "limitranges", "minions", "namespaces",
"namespaces/status",
"nodes", "persistentvolumeclaims", "persistentvolumes", "pods",
"pods/log", "pods/status", "policies", "policybindings",
"replicationcontrollers", "replicationcontrollers/status",
"resourcequotas", "resourcequotas/status", "resourcequotausages",
"routes/status", "securitycontextconstraints", "serviceaccounts",
"services"]
}, {
"verbs": ["get", "update"],
"attributeRestrictions": null,
"apiGroups": null,
"resources": ["imagestreams/layers"]
}, {
"verbs": ["update"],
"attributeRestrictions": null,
"apiGroups": null,
"resources": ["routes/status"]
}]
}
}

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#8675 (comment)

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#8675 (comment)

[deads2k]

Not sure whether I like "what-can-I-do" as a command name but it's fine for
now.

And the API object names?

[sgallagher]

"list-authorized-actions"?

[smarterclayton]

API was approved

On May 2, 2016, at 1:05 PM, David Eads [email protected] wrote:

Not sure whether I like "what-can-I-do" as a command name but it's fine for
now.

And the API object names?

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#8675 (comment)

[deads2k]

"list-authorized-actions"?

We get until the next tag to pin the command down. I was leaning towards oc policy can-i <verb> <resource> and oc policy can-i --list.

@sgallagher any other comments?

[sgallagher]

LGTM

I built it and played around with setting some policy roles on a user and can verify that they appear to work properly.

[deads2k]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5795/) (Image: devenv-rhel7_4088)

[deads2k]

@jwforres I don't think I touched bindata, but I'm getting this:

--- _output/test/assets/bindata.go  2016-05-03 15:51:07.213436061 -0400
+++ pkg/assets/bindata.go   2016-05-03 15:00:33.666020369 -0400
@@ -48373,12 +48373,9 @@
 }
 function p() {
 try {
-var a = Intl.DateTimeFormat().resolvedOptions().timeZone;
-if (a) {
-var b = H[r(a)];
+var a = Intl.DateTimeFormat().resolvedOptions().timeZone, b = H[r(a)];
make[1]: *** [test-assets] Error 141

[liggitt]

known issue, fixed in #8725

[deads2k]

re[merge]

[openshift-bot]

Evaluated for origin merge up to 257ecaa