Overview

You can use the CLI to view authorization policies and the administrator CLI to manage the roles and bindings within a policy.

Viewing Roles and Bindings

Roles grant various levels of access in the system-wide cluster policy as well as project-scoped local policies. Users and groups can be associated with, or bound to, multiple roles at the same time. You can view details about the roles and their bindings using the oc describe command.

Users with the cluster-admin default role in the cluster policy can view cluster policy and all local policies. Users with the admin default role in a given local policy can view that project-scoped policy.

Viewing Cluster Policy

To view the cluster roles and their associated rule sets in the cluster policy:

$ oc describe clusterPolicy default
Example 1. Viewing Cluster Roles
$ oc describe clusterPolicy default
Name:				default
Created:			4 hours ago
Labels:				<none>
Last Modified:			2015-06-10 17:22:25 +0000 UTC
admin				Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[create delete get list update watch]	[pods/proxy projects resourcegroup:exposedkube resourcegroup:exposedopenshift resourcegroup:granter secrets]				[][]
				[get list watch]			[pods/exec pods/portforward resourcegroup:allkube resourcegroup:allkube-status resourcegroup:allopenshift-status resourcegroup:policy]	[][]
				[get update]				[imagestreams/layers]															[][]
basic-user			Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get]					[users]																	[~][]
				[list]					[projectrequests]															[][]
				[get list]				[clusterroles]																[][]
				[list]					[projects]																[][]
				[create]				[subjectaccessreviews]															[][]						IsPersonalSubjectAccessReview
cluster-admin			Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[*]					[*]																	[][]
				[*]					[]																	[][*]
cluster-reader			Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get list watch]			[*]																	[][]
				[get]					[]																	[][*]
cluster-status			Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get]					[]																	[][/api /healthz /healthz/* /osapi /version]
edit				Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[create delete get list update watch]	[pods/proxy resourcegroup:exposedkube resourcegroup:exposedopenshift secrets]								[][]
				[get list watch]			[pods/exec pods/portforward projects resourcegroup:allkube resourcegroup:allkube-status resourcegroup:allopenshift-status]		[][]
self-provisioner		Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[create]				[projectrequests]															[][]
system:build-controller		Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get list watch]			[builds]																[][]
				[update]				[builds]																[][]
				[get]					[imagestreams]																[][]
				[create delete get list]		[pods]																	[][]
				[create update]				[events]																[][]
system:component		Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[*]					[*]																	[][]
system:deployer			Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get list]				[replicationcontrollers]														[][]
				[get update]				[replicationcontrollers]														[][]
				[create get list watch]			[pods]																	[][]
system:deployment-controller	Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[list watch]				[replicationcontrollers]														[][]
				[get update]				[replicationcontrollers]														[][]
				[create delete get list update]		[pods]																	[][]
				[create update]				[events]																[][]
system:image-builder		Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get update]				[imagestreams/layers]															[][]
system:image-pruner		Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[delete]				[images]																[][]
				[get list]				[buildconfigs builds deploymentconfigs images imagestreams pods replicationcontrollers]							[][]
				[update]				[imagestreams/status]															[][]
system:image-puller		Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get]					[imagestreams/layers]															[][]
system:node			Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get list watch]			[services]																[][]
				[create get list watch]			[nodes]																	[][]
				[update]				[nodes/status]																[][]
				[create update]				[events]																[][]
				[get list watch]			[pods]																	[][]
				[create delete get]			[pods]																	[][]
				[update]				[pods/status]																[][]
				[get]					[secrets]																[][]
				[get]					[persistentvolumeclaims persistentvolumes]												[][]
				[get]					[endpoints]																[][]
system:node-proxier		Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[list watch]				[endpoints services]															[][]
system:oauth-token-deleter	Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[delete]				[oauthaccesstokens oauthauthorizetokens]												[][]
system:registry			Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[delete get]				[images]																[][]
				[get]					[imagestreamimages imagestreams imagestreamtags]											[][]
				[update]				[imagestreams]																[][]
				[create]				[imagestreammappings]															[][]
system:replication-controller	Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[list watch]				[replicationcontrollers]														[][]
				[get update]				[replicationcontrollers]														[][]
				[list watch]				[pods]																	[][]
				[create delete]				[pods]																	[][]
				[create update]				[events]																[][]
system:router			Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[list watch]				[endpoints routes]															[][]
system:sdn-manager		Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[create delete get list watch]		[hostsubnets]																[][]
				[get list watch]			[nodes]																	[][]
				[create get]				[clusternetworks]															[][]
system:sdn-reader		Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get list watch]			[hostsubnets]																[][]
				[get list watch]			[nodes]																	[][]
				[get]					[clusternetworks]															[][]
system:webhook			Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[create get]				[buildconfigs/webhooks]															[][]
view				Verbs					Resources																Resource Names	Non-Resource URLs				Extension
				[get list watch]			[projects resourcegroup:allkube resourcegroup:allkube-status resourcegroup:allopenshift-status resourcegroup:exposedopenshift]		[][]

To view the current set of cluster bindings, which shows the users and groups that are bound to various roles:

$ oc describe clusterPolicyBindings :default
Example 2. Viewing Cluster Bindings
$ oc describe clusterPolicyBindings :default
Name:						:default
Created:					4 hours ago
Labels:						<none>
Last Modified:					2015-06-10 17:22:26 +0000 UTC
Policy:						<none>
RoleBinding[basic-users]:
						Role:	basic-user
						Users:	[]
						Groups:	[system:authenticated]
RoleBinding[cluster-admins]:
						Role:	cluster-admin
						Users:	[]
						Groups:	[system:cluster-admins]
RoleBinding[cluster-readers]:
						Role:	cluster-reader
						Users:	[]
						Groups:	[system:cluster-readers]
RoleBinding[cluster-status-binding]:
						Role:	cluster-status
						Users:	[]
						Groups:	[system:authenticated system:unauthenticated]
RoleBinding[self-provisioners]:
						Role:	self-provisioner
						Users:	[]
						Groups:	[system:authenticated]
RoleBinding[system:build-controller]:
						Role:	system:build-controller
						Users:	[system:serviceaccount:openshift-infra:build-controller]
						Groups:	[]
RoleBinding[system:deployment-controller]:
						Role:	system:deployment-controller
						Users:	[system:serviceaccount:openshift-infra:deployment-controller]
						Groups:	[]
RoleBinding[system:masters]:
						Role:	system:master
						Users:	[]
						Groups:	[system:masters]
RoleBinding[system:node-proxiers]:
						Role:	system:node-proxier
						Users:	[]
						Groups:	[system:nodes]
RoleBinding[system:nodes]:
						Role:	system:node
						Users:	[]
						Groups:	[system:nodes]
RoleBinding[system:oauth-token-deleters]:
						Role:	system:oauth-token-deleter
						Users:	[]
						Groups:	[system:authenticated system:unauthenticated]
RoleBinding[system:registrys]:
						Role:	system:registry
						Users:	[]
						Groups:	[system:registries]
RoleBinding[system:replication-controller]:
						Role:	system:replication-controller
						Users:	[system:serviceaccount:openshift-infra:replication-controller]
						Groups:	[]
RoleBinding[system:routers]:
						Role:	system:router
						Users:	[]
						Groups:	[system:routers]
RoleBinding[system:sdn-readers]:
						Role:	system:sdn-reader
						Users:	[]
						Groups:	[system:nodes]
RoleBinding[system:webhooks]:
						Role:	system:webhook
						Users:	[]
						Groups:	[system:authenticated system:unauthenticated]

Viewing Local Policy

While the list of local roles and their associated rule sets are not viewable within a local policy, all of the default roles are still applicable and can be added to users or groups, other than the cluster-admin default role. The local bindings, however, are viewable.

To view the current set of local bindings, which shows the users and groups that are bound to various roles:

$ oc describe policyBindings :default

By default, the current project is used when viewing local policy. Alternatively, a project can be specified with the -n flag. This is useful for viewing the local policy of another project, if the user already has the admin default role in it.

Example 3. Viewing Local Bindings
$ oc describe policyBindings :default -n joe-project
Name:					:default
Created:				About a minute ago
Labels:					<none>
Last Modified:				2015-06-10 21:55:06 +0000 UTC
Policy:					<none>
RoleBinding[admins]:
					Role:	admin
					Users:	[joe]
					Groups:	[]
RoleBinding[system:deployers]:
					Role:	system:deployer
					Users:	[system:serviceaccount:joe-project:deployer]
					Groups:	[]
RoleBinding[system:image-builders]:
					Role:	system:image-builder
					Users:	[system:serviceaccount:joe-project:builder]
					Groups:	[]
RoleBinding[system:image-pullers]:
					Role:	system:image-puller
					Users:	[]
					Groups:	[system:serviceaccounts:joe-project]

By default in a local policy, only the binding for the admin role is immediately listed. However, if other default roles are added to users and groups within a local policy, they become listed as well.

Managing Role Bindings

Adding, or binding, a role to users or groups gives the user or group the relevant access granted by the role. You can add and remove roles to and from users and groups using oadm policy commands.

When managing a user or group’s associated roles for a local policy using the following operations, a project may be specified with the -n flag. If it is not specified, then the current project is used.

Table 1. Local Policy Operations
Command Description

$ oadm policy who-can <verb> <resource>

Indicates which users can perform an action on a resource.

$ oadm policy add-role-to-user <role> <username>

Binds a given role to specified users in the current project.

$ oadm policy remove-role-from-user <role> <username>

Removes a given role from specified users in the current project.

$ oadm policy remove-user <username>

Removes specified users and all of their roles in the current project.

$ oadm policy add-role-to-group <role> <groupname>

Binds a given role to specified groups in the current project.

$ oadm policy remove-role-from-group <role> <groupname>

Removes a given role from specified groups in the current project.

$ oadm policy remove-group <groupname>

Removes specified groups and all of their roles in the current project.

You can also manage role bindings for the cluster policy using the following operations. The -n flag is not used used for these operations because the cluster policy uses non-namespaced resources.

Table 2. Cluster Policy Operations
Command Description

$ oadm policy add-cluster-role-to-user <role> <username>

Binds a given role to specified users for all projects in the cluster.

$ oadm policy remove-cluster-role-from-user <role> <username>

Removes a given role from specified users for all projects in the cluster.

$ oadm policy add-cluster-role-to-group <role> <groupname>

Binds a given role to specified groups for all projects in the cluster.

$ oadm policy remove-cluster-role-from-group <role> <groupname>

Removes a given role from specified groups for all projects in the cluster.

For example, you can add the admin role to the alice user in joe-project by running:

$ oadm policy add-role-to-user admin alice -n joe-project

You can then view the local bindings and verify the addition in the output:

$ oc describe policyBindings :default -n joe-project
Name:					:default
Created:				5 minutes ago
Labels:					<none>
Last Modified:				2015-06-10 22:00:44 +0000 UTC
Policy:					<none>
RoleBinding[admins]:
					Role:	admin
					Users:	[alice joe] (1)
					Groups:	[]
RoleBinding[system:deployers]:
					Role:	system:deployer
					Users:	[system:serviceaccount:joe-project:deployer]
					Groups:	[]
RoleBinding[system:image-builders]:
					Role:	system:image-builder
					Users:	[system:serviceaccount:joe-project:builder]
					Groups:	[]
RoleBinding[system:image-pullers]:
					Role:	system:image-puller
					Users:	[]
					Groups:	[system:serviceaccounts:joe-project]
1 The alice user has been added to the admins RoleBinding.