opendevstack / ods-provisioning-app

Provisioning app, which triggers project and component provisions (including Jira / Confluence / BitBucket and OCP resource creation)
Apache License 2.0

prov-app setting permissions to bb for project specific serviceAccount #373

Open segator opened 4 years ago

segator commented 4 years ago

I just found out this morning that prov-app seems to be setting the project-specific serviceAccount user hardcoded as read-only on the BB opendevstack/shared-lib repo. We need to change this and support a single group instead.

stitakis commented 4 years ago

@segator I can't follow... can you please add some more details? What do you mean by "... hardcoded read-only on BB opendevstack/shared-lib repo"?

segator commented 4 years ago

prov-app is setting permissions in code for project-specific serviceAccount users on the Bitbucket opendevstack/shared-lib repository as RO; from the maintainability perspective I think it is better to have a single AD/LDAP group.

stitakis commented 4 years ago

@segator did I get it right: are you suggesting, instead of setting Read permission for a ServiceAccount in a freshly created BitBucket repository, to add a Group with read permission to the freshly created BitBucket repository? Is this correct?

stitakis commented 4 years ago

I have discussed this with segator...

Issue: too many project-specific service accounts are explicitly granted read permission to the repository ods-jenkins-shared-library.

Why it is implemented this way: This is necessary to guarantee that when Jenkins triggers a project build pipeline, its service account has read access to the repository ods-jenkins-shared-library.

Problem: For each project, a service account is granted read permission in BitBucket to ods-jenkins-shared-library. This makes it difficult to manage accounts and operate BitBucket.

Proposed Solution: Set up a group in BitBucket with read permission to the repository ods-jenkins-shared-library. Add the service account to this group on account creation. Changes in ProvApp: add a configuration option to disable granting read permission on ods-jenkins-shared-library to the service account. If this is the case, ProvApp should verify that the service account has read access to the repository ods-jenkins-shared-library. If not, the project creation flow should fail.

@michaelsauter @segator @clemensutschig @borja44 your thoughts on this? Any questions?

clemensutschig commented 4 years ago

@stitakis I am really confused by this. We are NOT setting any permissions on another bitbucket repo during creation of a repo or project... can you please describe the issue better?

clemensutschig commented 4 years ago

The setup should be... (and always was): the (SUPER) group of project users was, say, XYZ, and that group had read access to ods-jenkins-shared-library.

michaelsauter commented 4 years ago

I think there is code in the prov-app which grants the project-specific technical user read access to the "readable repos". AFAIK that is not group based. I think @stitakis's suggestion is good.

@tjaeschke IIRC you worked on this in the past. Do you have some background on why you did not implement this via groups? Some disadvantage that we are not seeing here?

segator commented 4 years ago

I confirm that every time a project is created, its Service account is added as a reader on the ods/shared-lib repo. Anything we can do?

michaelsauter commented 4 years ago

I think this is basically a duplicate of #485, right?

segator commented 4 years ago

Not really; if you use local users then yes, but from the prov app you will never be able to add a user to an AD group.

stitakis commented 4 years ago

@sino92 @segator @michaelsauter yes, this is a duplicate of #485...

The idea here and in #485 is:

With this solution, read access to ods-jenkins-shared-lib is granted when the project-specific account is created, of course only if the new service account is added to the cd_users account.

@segator, does that make sense?

segator commented 4 years ago

Where is this cd_users group? Jira, BB, Crowd? AD?

stitakis commented 4 years ago

@segator the cd_users group does not exist yet. The idea is to create it in Crowd or AD, and thanks to directory synchronization it would be available in Bitbucket. Would this work?