$ oc describe clusterPolicy default
×
Managing Authorization Policies
Overview
You can use the CLI to view authorization policies and the administrator CLI to manage the roles and bindings within a policy.
Viewing Roles and Bindings
Roles grant
various levels of access in the system-wide
cluster
policy as well as project-scoped
local
policies.
Users
and groups can be associated with, or bound to, multiple roles at the same
time. You can view details about the roles and their bindings using the oc
describe command.
Users with the cluster-admin default role in the cluster policy can view cluster policy and all local policies. Users with the admin default role in a given local policy can view that project-scoped policy.
Viewing Cluster Policy
To view the cluster roles and their associated rule sets in the cluster policy:
Example 1. Viewing Cluster Roles
$ oc describe clusterPolicy default Name: default Created: 4 hours ago Labels: <none> Last Modified: 2015-06-10 17:22:25 +0000 UTC admin Verbs Resources Resource Names Non-Resource URLs Extension [create delete get list update watch] [pods/proxy projects resourcegroup:exposedkube resourcegroup:exposedopenshift resourcegroup:granter secrets] [][] [get list watch] [pods/exec pods/portforward resourcegroup:allkube resourcegroup:allkube-status resourcegroup:allopenshift-status resourcegroup:policy] [][] [get update] [imagestreams/layers] [][] basic-user Verbs Resources Resource Names Non-Resource URLs Extension [get] [users] [~][] [list] [projectrequests] [][] [get list] [clusterroles] [][] [list] [projects] [][] [create] [subjectaccessreviews] [][] IsPersonalSubjectAccessReview cluster-admin Verbs Resources Resource Names Non-Resource URLs Extension [*] [*] [][] [*] [] [][*] cluster-reader Verbs Resources Resource Names Non-Resource URLs Extension [get list watch] [*] [][] [get] [] [][*] cluster-status Verbs Resources Resource Names Non-Resource URLs Extension [get] [] [][/api /healthz /healthz/* /osapi /version] edit Verbs Resources Resource Names Non-Resource URLs Extension [create delete get list update watch] [pods/proxy resourcegroup:exposedkube resourcegroup:exposedopenshift secrets] [][] [get list watch] [pods/exec pods/portforward projects resourcegroup:allkube resourcegroup:allkube-status resourcegroup:allopenshift-status] [][] self-provisioner Verbs Resources Resource Names Non-Resource URLs Extension [create] [projectrequests] [][] system:build-controller Verbs Resources Resource Names Non-Resource URLs Extension [get list watch] [builds] [][] [update] [builds] [][] [get] [imagestreams] [][] [create delete get list] [pods] [][] [create update] [events] [][] system:component Verbs Resources Resource Names Non-Resource URLs Extension [*] [*] [][] system:deployer Verbs Resources Resource Names Non-Resource URLs Extension [get list] [replicationcontrollers] [][] [get update] [replicationcontrollers] [][] [create get list watch] [pods] [][] system:deployment-controller Verbs Resources Resource Names Non-Resource URLs Extension [list watch] [replicationcontrollers] [][] [get update] [replicationcontrollers] [][] [create delete get list update] [pods] [][] [create update] [events] [][] system:image-builder Verbs Resources Resource Names Non-Resource URLs Extension [get update] [imagestreams/layers] [][] system:image-pruner Verbs Resources Resource Names Non-Resource URLs Extension [delete] [images] [][] [get list] [buildconfigs builds deploymentconfigs images imagestreams pods replicationcontrollers] [][] [update] [imagestreams/status] [][] system:image-puller Verbs Resources Resource Names Non-Resource URLs Extension [get] [imagestreams/layers] [][] system:node Verbs Resources Resource Names Non-Resource URLs Extension [get list watch] [services] [][] [create get list watch] [nodes] [][] [update] [nodes/status] [][] [create update] [events] [][] [get list watch] [pods] [][] [create delete get] [pods] [][] [update] [pods/status] [][] [get] [secrets] [][] [get] [persistentvolumeclaims persistentvolumes] [][] [get] [endpoints] [][] system:node-proxier Verbs Resources Resource Names Non-Resource URLs Extension [list watch] [endpoints services] [][] system:oauth-token-deleter Verbs Resources Resource Names Non-Resource URLs Extension [delete] [oauthaccesstokens oauthauthorizetokens] [][] system:registry Verbs Resources Resource Names Non-Resource URLs Extension [delete get] [images] [][] [get] [imagestreamimages imagestreams imagestreamtags] [][] [update] [imagestreams] [][] [create] [imagestreammappings] [][] system:replication-controller Verbs Resources Resource Names Non-Resource URLs Extension [list watch] [replicationcontrollers] [][] [get update] [replicationcontrollers] [][] [list watch] [pods] [][] [create delete] [pods] [][] [create update] [events] [][] system:router Verbs Resources Resource Names Non-Resource URLs Extension [list watch] [endpoints routes] [][] system:sdn-manager Verbs Resources Resource Names Non-Resource URLs Extension [create delete get list watch] [hostsubnets] [][] [get list watch] [nodes] [][] [create get] [clusternetworks] [][] system:sdn-reader Verbs Resources Resource Names Non-Resource URLs Extension [get list watch] [hostsubnets] [][] [get list watch] [nodes] [][] [get] [clusternetworks] [][] system:webhook Verbs Resources Resource Names Non-Resource URLs Extension [create get] [buildconfigs/webhooks] [][] view Verbs Resources Resource Names Non-Resource URLs Extension [get list watch] [projects resourcegroup:allkube resourcegroup:allkube-status resourcegroup:allopenshift-status resourcegroup:exposedopenshift] [][]
To view the current set of cluster bindings, which shows the users and groups that are bound to various roles:
$ oc describe clusterPolicyBindings :default
Example 2. Viewing Cluster Bindings
$ oc describe clusterPolicyBindings :default Name: :default Created: 4 hours ago Labels: <none> Last Modified: 2015-06-10 17:22:26 +0000 UTC Policy: <none> RoleBinding[basic-users]: Role: basic-user Users: [] Groups: [system:authenticated] RoleBinding[cluster-admins]: Role: cluster-admin Users: [] Groups: [system:cluster-admins] RoleBinding[cluster-readers]: Role: cluster-reader Users: [] Groups: [system:cluster-readers] RoleBinding[cluster-status-binding]: Role: cluster-status Users: [] Groups: [system:authenticated system:unauthenticated] RoleBinding[self-provisioners]: Role: self-provisioner Users: [] Groups: [system:authenticated] RoleBinding[system:build-controller]: Role: system:build-controller Users: [system:serviceaccount:openshift-infra:build-controller] Groups: [] RoleBinding[system:deployment-controller]: Role: system:deployment-controller Users: [system:serviceaccount:openshift-infra:deployment-controller] Groups: [] RoleBinding[system:masters]: Role: system:master Users: [] Groups: [system:masters] RoleBinding[system:node-proxiers]: Role: system:node-proxier Users: [] Groups: [system:nodes] RoleBinding[system:nodes]: Role: system:node Users: [] Groups: [system:nodes] RoleBinding[system:oauth-token-deleters]: Role: system:oauth-token-deleter Users: [] Groups: [system:authenticated system:unauthenticated] RoleBinding[system:registrys]: Role: system:registry Users: [] Groups: [system:registries] RoleBinding[system:replication-controller]: Role: system:replication-controller Users: [system:serviceaccount:openshift-infra:replication-controller] Groups: [] RoleBinding[system:routers]: Role: system:router Users: [] Groups: [system:routers] RoleBinding[system:sdn-readers]: Role: system:sdn-reader Users: [] Groups: [system:nodes] RoleBinding[system:webhooks]: Role: system:webhook Users: [] Groups: [system:authenticated system:unauthenticated]
Viewing Local Policy
While the list of local roles and their associated rule sets are not viewable within a local policy, all of the default roles are still applicable and can be added to users or groups, other than the cluster-admin default role. The local bindings, however, are viewable.
To view the current set of local bindings, which shows the users and groups that are bound to various roles:
$ oc describe policyBindings :default
By default, the current project is used when viewing local policy.
Alternatively, a project can be specified with the -n flag. This is useful for
viewing the local policy of another project, if the user already has the admin
default role
in it.
Example 3. Viewing Local Bindings
$ oc describe policyBindings :default -n joe-project Name: :default Created: About a minute ago Labels: <none> Last Modified: 2015-06-10 21:55:06 +0000 UTC Policy: <none> RoleBinding[admins]: Role: admin Users: [joe] Groups: [] RoleBinding[system:deployers]: Role: system:deployer Users: [system:serviceaccount:joe-project:deployer] Groups: [] RoleBinding[system:image-builders]: Role: system:image-builder Users: [system:serviceaccount:joe-project:builder] Groups: [] RoleBinding[system:image-pullers]: Role: system:image-puller Users: [] Groups: [system:serviceaccounts:joe-project]
By default in a local policy, only the binding for the admin role is immediately listed. However, if other default roles are added to users and groups within a local policy, they become listed as well.
Managing Role Bindings
Adding, or binding, a
role to
users
or groups gives the user or group the relevant access granted by the role. You
can add and remove roles to and from users and groups using oadm policy
commands.
When managing a user or group’s associated roles for a local policy using the
following operations, a project may be specified with the -n flag. If it is
not specified, then the current project is used.
| Command | Description |
|---|---|
|
Indicates which users can perform an action on a resource. |
|
Binds a given role to specified users in the current project. |
|
Removes a given role from specified users in the current project. |
|
Removes specified users and all of their roles in the current project. |
|
Binds a given role to specified groups in the current project. |
|
Removes a given role from specified groups in the current project. |
|
Removes specified groups and all of their roles in the current project. |
You can also manage role bindings for the cluster policy using the following
operations. The -n flag is not used used for these operations because the
cluster policy uses non-namespaced resources.
| Command | Description |
|---|---|
|
Binds a given role to specified users for all projects in the cluster. |
|
Removes a given role from specified users for all projects in the cluster. |
|
Binds a given role to specified groups for all projects in the cluster. |
|
Removes a given role from specified groups for all projects in the cluster. |
For example, you can add the admin role to the alice user in joe-project by running:
$ oadm policy add-role-to-user admin alice -n joe-project
You can then view the local bindings and verify the addition in the output:
$ oc describe policyBindings :default -n joe-project Name: :default Created: 5 minutes ago Labels: <none> Last Modified: 2015-06-10 22:00:44 +0000 UTC Policy: <none> RoleBinding[admins]: Role: admin Users: [alice joe] (1) Groups: [] RoleBinding[system:deployers]: Role: system:deployer Users: [system:serviceaccount:joe-project:deployer] Groups: [] RoleBinding[system:image-builders]: Role: system:image-builder Users: [system:serviceaccount:joe-project:builder] Groups: [] RoleBinding[system:image-pullers]: Role: system:image-puller Users: [] Groups: [system:serviceaccounts:joe-project]
| 1 | The alice user has been added to the admins RoleBinding. |