Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
[id="configuring-cluster-roles-for-users"]
= Configuring cluster roles for {prod-short} users
= Grant additional permissions to users

You can grant {prod-short} users more cluster permissions by adding cluster roles to those users.
Grant your developers additional {kubernetes} permissions by adding cluster roles so they can access resources beyond the default workspace operations.

.Prerequisites

Expand All @@ -11,22 +11,22 @@ You can grant {prod-short} users more cluster permissions by adding cluster role

. Define the user roles name:
+
[source,subs="+quotes,+macros"]
[source,bash,subs="+quotes,+macros"]
----
$ USER_ROLES=__<name>__ <1>
----
<1> Unique resource name.

. Find out the namespace where the {prod-short} Operator is deployed:
. Determine the namespace where the {prod-short} Operator is deployed:
+
[source,subs="+quotes,+macros,+attributes"]
[source,bash,subs="+quotes,+macros,+attributes"]
----
$ OPERATOR_NAMESPACE=$({orch-cli} get pods -l app.kubernetes.io/component={prod-operator} -o jsonpath={".items[0].metadata.namespace"} --all-namespaces)
----

. Create needed roles:
+
[source,subs="+quotes,+macros"]
[source,bash,subs="+quotes,+macros"]
----
$ kubectl apply -f - <<EOF
kind: ClusterRole
Expand All @@ -50,7 +50,7 @@ EOF

. Delegate the roles to the {prod-short} Operator:
+
[source,subs="+quotes,+macros"]
[source,bash,subs="+quotes,+macros"]
----
$ kubectl apply -f - <<EOF
kind: ClusterRoleBinding
Expand All @@ -73,7 +73,7 @@ EOF

. Configure the {prod-short} Operator to delegate the roles to the `che` service account:
+
[source,subs="+quotes,+macros"]
[source,bash,subs="+quotes,+macros"]
----
$ kubectl patch checluster eclipse-che \
--patch '{"spec": {"components": {"cheServer": {"clusterRoles": ["'${USER_ROLES}'"]}}}}' \
Expand All @@ -82,13 +82,27 @@ $ kubectl patch checluster eclipse-che \

. Configure the {prod-short} server to delegate the roles to a user:
+
[source,subs="+quotes,+macros"]
[source,bash,subs="+quotes,+macros"]
----
$ kubectl patch checluster eclipse-che \
--patch '{"spec": {"devEnvironments": {"user": {"clusterRoles": ["'${USER_ROLES}'"]}}}}' \
--type=merge -n eclipse-che
----

. Wait for the rollout of the {prod-short} server components to be completed.
. Wait for the rollout of the {prod-short} server components to complete.

. Ask the user to log out and log in to have the new roles applied.

.Verification

* Verify that the ClusterRole exists:
+
[source,bash,subs="+quotes,+macros,+attributes"]
----
$ {orch-cli} get clusterrole ${USER_ROLES}
----

.Additional resources

* xref:secure:configuring-advanced-authorization.adoc[]
* xref:secure:removing-user-data-in-compliance-with-the-gdpr.adoc[]
26 changes: 11 additions & 15 deletions modules/secure/pages/configuring-advanced-authorization.adoc
Original file line number Diff line number Diff line change
@@ -1,15 +1,13 @@
:_content-type: PROCEDURE
:description: Configuring advanced authorization
:description: Restrict access to specific users and groups
:keywords: authorization, user, group
:navtitle: Restrict access to specific users and groups
// :page-aliases:

[id="configuring-advanced-authorization"]
= Restrict access to specific users and groups

You can determine which users and groups are allowed to access {prod-short}.

include::partial$snip_persona-admin.adoc[]
Restrict {prod-short} access to specific users and groups so that you can enforce access policies and limit the platform to authorized teams.

.Prerequisites

Expand Down Expand Up @@ -37,20 +35,18 @@ spec:
<1> List of users allowed to access {prod}.
<2> List of groups of users allowed to access {prod} (for {ocp} only).
<3> List of users denied access to {prod}.
<4> List of groups of users denied to access {prod} (for {ocp} only).
<4> List of groups of users denied access to {prod} (for {ocp} only).
+
. Wait for the rollout of the {prod-short} server components to be completed.
If a user is on both `allow` and `deny` lists, access is denied. If `allowUsers` and `allowGroups` are empty, all users are allowed except the ones on the `deny` lists. If `denyUsers` and `denyGroups` are empty, only the users from `allow` lists are allowed. If both `allow` and `deny` lists are empty, all users are allowed.

[NOTE]
====
. Wait for the rollout of the {prod-short} server components to complete.

To allow a user to access {prod-short}, add them to the `allowUsers` list. Alternatively, choose a group the user is a member of and add the group to the `allowGroups` list.
To deny a user access to {prod-short}, add them to the `denyUsers` list. Alternatively, choose a group the user is a member of and add the group to the `denyGroups` list.
If the user is on both `allow` and `deny` lists, they are denied access to {prod-short}.
.Verification

If `allowUsers` and `allowGroups` are empty, all users are allowed to access {prod-short} except the ones on the `deny` lists.
If `denyUsers` and `denyGroups` are empty, only the users from `allow` lists are allowed to access {prod-short}.
* Log in to the {prod-short} dashboard as a user on the `allowUsers` list and verify access to the dashboard.
* Log in as a user on the `denyUsers` list and verify that {prod-short} returns a `403 Forbidden` response.

If both `allow` and `deny` lists are empty, all users are allowed to access {prod-short}.
.Additional resources

====
* xref:configuring-cluster-roles-for-users.adoc[]
* xref:removing-user-data-in-compliance-with-the-gdpr.adoc[]
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
:_content-type: PROCEDURE
:description: Configuring cluster roles for {prod-short} users
:description: Grant additional permissions to users
:keywords: administration-guide, user, roles, permissions
:navtitle: Grant additional permissions to users
:page-aliases: administration-guide:configuring-cluster-roles-for-users.adoc
Expand Down
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
:_content-type: ASSEMBLY
:description: Managing identities and authorizations
:description: Control who can access {prod-short}
:keywords: administration-guide, managing-identities-and-authorizations
:navtitle: Control who can access {prod-short}
:page-aliases: administration-guide:managing-identities-and-authorizations.adoc, .:managing-identities-and-authorizations.adoc, authenticating-users.adoc, authorizing-users.adoc, configuring-authorization.adoc, configuring-openshift-oauth.adoc, configuring-minikube-github-authentication.adoc

[id="managing-identities-and-authorizations"]
= Control who can access {prod-short}

This section describes different aspects of managing identities and authorizations of {prod}.

include::partial$snip_persona-admin.adoc[]
Control who can access {prod-short} by restricting it to authorized users and groups, managing permissions, and complying with data protection regulations such as GDPR.
Original file line number Diff line number Diff line change
@@ -1,37 +1,51 @@
:_content-type: PROCEDURE
:description: Removing user data in compliance with the GDPR
:description: Remove user data for GDPR compliance
:keywords: administration-guide, user-data, gdpr, remove-data
:navtitle: Remove user data for GDPR compliance
:page-aliases: administration-guide:removing-user-data-in-compliance-with-the-gdpr.adoc, .:removing-user-data.adoc, removing-user-data.adoc

[id="removing-user-data-in-compliance-with-the-gdpr"]
= Remove user data for GDPR compliance

You can remove a users data on {ocp} in compliance with the link:https://gdpr.eu/[General Data Protection Regulation (GDPR)] that enforces the right of individuals to have their personal data erased. The process for other {kubernetes} infrastructures might vary. Follow the user management best practices of the provider you are using for the {prod} installation.
Remove a user's data from {ocp} when a developer leaves your organization, to comply with the link:https://gdpr.eu/[General Data Protection Regulation (GDPR)]. The process for other {kubernetes} infrastructures might vary. Follow the user management best practices of the provider you are using for the {prod} installation.

include::partial$snip_persona-admin.adoc[]

WARNING: Removing user data as follows is irreversible! All removed data is deleted and unrecoverable!
[WARNING]
====
Removing user data as follows is irreversible. All removed data is deleted and unrecoverable.
====

.Prerequisites

* An active `oc` session with administrative permissions for the {ocp} cluster. See link:https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html[Getting started with the OpenShift CLI].
* An active `{orch-cli}` session with administrative permissions for the {ocp} cluster. See link:https://docs.openshift.com/container-platform/{ocp4-ver}/cli_reference/openshift_cli/getting-started-cli.html[Getting started with the OpenShift CLI].

.Procedure

. List all the users in the OpenShift cluster using the following command:
. List all the users in the {orch-name} cluster:
+
[source,shell,subs="+quotes,macros,attributes"]
[source,bash,subs="+quotes,+attributes"]
----
$ oc get users
$ {orch-cli} get users
----

. Delete the user entry:
+
[IMPORTANT]
====
If the user has any associated resources (such as projects, roles, or service accounts), you must delete those first before deleting the user.
====
+
[source,bash,subs="+quotes,+attributes"]
----
$ {orch-cli} delete user __<username>__
----

IMPORTANT: If the user has any associated resources (such as projects, roles, or service accounts), you need to delete those first before deleting the user.
.Verification

[source,shell,subs="+quotes,macros,attributes"]
* Verify the user no longer appears in the cluster:
+
[source,bash,subs="+quotes,+attributes"]
----
$ oc delete user <username>
$ {orch-cli} get users
----

.Additional resources
Expand Down
Loading
Loading