Closed slaterx closed 6 years ago
@slaterx currently, all workspace objects are created on behalf of a user who deployed Che. The priority is as follows: token, credentials, service account. The Che service account can create objects only in its namespace, i.e. the namespace where Che is deployed. As a result, all workspace pods, services, routes, PVCs and other objects are created right there in that project.
You can use token or credentials to make it possible to create ws objects outside Che namespace. However, they will be created in the account of a user whose token or credentials were provided.
@eivantsov thanks for your quick reply.
I'm using Che multi-user. Workspace creation on Openshift/Kubernetes is working fine, logged users on the UI can create workspaces, set up projects, etc.
What I want to do is automate this task - create and configure workspaces - for active directory accounts (configured in keycloak, under user federation) using a local admin account. I'm calling the following API with token obtained from user1 to create a workspace under user2's namespace:
curl -X POST \
  'http://che/api/workspace?start-after-create=true&namespace=user-two' \
  -H 'Authorization: Bearer token-from-user-one' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -d '{
    "description": "Description here",
    "projects": [
      {
        "description": "repo",
        "source": {
          "location": "ssh://git@git/test/mock.git",
          "type": "git",
          "parameters": {}
        },
        "mixins": [],
        "problems": [],
        "links": [],
        "name": "mock",
        "path": "/mock",
        "attributes": {}
      }
    ],
    "environments": {
      "default": {
        "recipe": {
          "type": "dockerimage",
          "content": "eclipse/php"
        },
        "machines": {
          "dev-machine": {
            "installers": [
              "org.eclipse.che.exec",
              "org.eclipse.che.terminal",
              "org.eclipse.che.ws-agent",
              "org.eclipse.che.ls.php",
              "org.eclipse.che.ls.json"
            ],
            "volumes": {},
            "servers": {
              "80/tcp": {
                "attributes": {},
                "protocol": "http",
                "port": "80"
              },
              "8080/tcp": {
                "attributes": {},
                "protocol": "http",
                "port": "8080"
              },
              "8000/tcp": {
                "attributes": {},
                "protocol": "http",
                "port": "8000"
              }
            },
            "env": {},
            "attributes": {
              "memoryLimitBytes": "2147483648"
            }
          }
        }
      }
    },
    "defaultEnv": "default",
    "name": "test"
  }'
And I'm obtaining the response I provided earlier:
{
  "message": "User is not authorized to use specified account"
}
Since this response does not explain what permissions I'm missing, this is the clarification I'm looking for - is it possible at all for an account to create workspaces under a second account's namespace? If yes, what permissions are required?
Thanks, Gleidson
You need a token using credentials from user2.
That's the point of my query, how to use a service account to obtain credentials for user2. I don't want to use user2's credentials but to use a service account and make the configuration for user2 on his behalf.
Reading the documentation, it seems this is done on Keycloak instead of Che. I need to impersonate user2 as user1 on Keycloak, to obtain a valid token and then make the API call to Che.
Closing the query as answered.
Thanks everyone!
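The two-step flow settled on above (impersonate the target user in Keycloak, then call the Che workspace API with the resulting token), as an added example that is not code from this issue or from the Che project. It uses Keycloak's token-exchange grant with `requested_subject` for impersonation; the Keycloak URL, realm name and client id are assumptions, and the `/api/workspace` call mirrors the curl command posted earlier in the thread.

```python
"""Create a Che workspace on behalf of another user via Keycloak impersonation."""
import json
import urllib.parse
import urllib.request

KEYCLOAK_URL = "http://keycloak/auth"  # assumption: Che's bundled Keycloak
REALM = "che"                          # assumption: realm Che authenticates against
CLIENT_ID = "che-public"               # assumption: Keycloak client used by Che

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def impersonation_request(admin_token, target_user):
    """Build the token-exchange POST that turns the automation account's token
    into an access token for target_user. Keycloak only honours it when token
    exchange is enabled and the caller holds the realm 'impersonation'
    permission; anything else is answered with 403, not a silent fallback."""
    url = f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/token"
    form = {
        "client_id": CLIENT_ID,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": admin_token,       # token of the automation account
        "requested_subject": target_user,   # username (or user id) to act as
        "requested_token_type": ACCESS_TOKEN_TYPE,
    }
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(url, data=body, method="POST")


def workspace_request(che_url, namespace, user_token, config):
    """Build the Che call. Bearer token and namespace must belong to the same
    user; a mismatch is what produces 'User is not authorized to use
    specified account' in the thread above."""
    query = urllib.parse.urlencode({"start-after-create": "true", "namespace": namespace})
    headers = {"Authorization": f"Bearer {user_token}", "Content-Type": "application/json"}
    return urllib.request.Request(f"{che_url}/api/workspace?{query}",
                                  data=json.dumps(config).encode(),
                                  headers=headers, method="POST")


def create_workspace_for(admin_token, target_user, che_url, config):
    """Run both steps; returns the created workspace object as a dict.
    Assumes the Che namespace of a user equals the Keycloak username."""
    with urllib.request.urlopen(impersonation_request(admin_token, target_user)) as r:
        user_token = json.load(r)["access_token"]
    with urllib.request.urlopen(workspace_request(che_url, target_user, user_token, config)) as r:
        return json.load(r)
```

`create_workspace_for(admin_token, "user-two", "http://che", config)` performs the whole flow against live servers; the two request builders can be inspected without any network access.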
Description
Using multi-user Che deployed on Openshift 3.7, I'm trying to set up automation in order to create workspaces for users on their behalf. However, when interacting with the API as the default 'admin' user, I am not able to do so:
I've created a service account and given it the same permissions as the default 'admin' user, but that didn't work either - it seems all users created have the same permissions as admin in keycloak.
What is not clear to me is whether I should have impersonation permissions for that particular user or whether my system-wide admin permissions are not properly set. The documentation is unclear about this particular use case.
Would it be possible to clarify what particular permissions are needed to create workspaces on behalf of users?
Thanks, Gleidson