operator-framework / operator-lifecycle-manager

A management framework for extending Kubernetes with Operators
https://olm.operatorframework.io
Apache License 2.0

[RFE] OLM supports "Android Permissions" for operators #1804

Open awgreene opened 3 years ago

awgreene commented 3 years ago

Feature Request

Source: Generated via an OLM WG discussion with @Jamstah.

Is your feature request related to a problem? Please describe. OLM provides users with the means to scope an Operator's RBAC to the permissions belonging to an existing ServiceAccount. Unfortunately, if an operator requires RBAC that the ServiceAccount does not possess, OLM will not install the operator. OLM could provide a user with the ability to install an operator with/without specific RBAC.

Describe the solution you'd like It would be great if OLM offered users installing operators the ability to enable/disable RBAC in a similar manner to Android Permissions. Operators in turn could enable/disable features based on granted RBAC permissions.

njhale commented 3 years ago

I don't know if we talked about the API simplification proposal in the WG yet, but we have already accepted an initial design for something similar. Here's a snippet from that proposal:

To simplify operator permission management, OLM will adopt a permission approval model similar to that used by Android and iOS, wherein:

  • a proposed installation surfaces a set of required install permissions
  • the initial installation is subject to the approval of a user w/ the required install permissions
  • subsequent updates are subject to re-approval when the required install permissions exceed the set approved for its predecessors

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

matskiv commented 3 years ago

I think this is a great idea! Having some list of optional permissions, perhaps grouped by operator feature, would be nice. OLM could then create a separate InstallPlan(s) for each optional feature that requires additional permissions. These "optional" InstallPlan(s) wouldn't block operator installation, but they would allow approval of additional permissions on a case by case basis, potentially by a different user.
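The two ideas above both reduce to one computation: given the permissions a user has already approved, which of a new set of requested RBAC rules are not yet covered? For the accepted proposal, a non-empty answer for an update means the update needs re-approval; for the optional-feature idea, running the same check per feature group tells you which optional InstallPlans still need someone's approval. The following Go program is an added example written for this thread, not OLM code; the Rule type is a cut-down stand-in for a Kubernetes RBAC PolicyRule (verbs, apiGroups, resources, with "*" as wildcard), and the operator versions, feature names and rules in main are constructed sample data. Note that a requested rule is expanded into atomic (verb, group, resource) triples before checking, so a request covered only by the union of several approved rules is still recognised as covered.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is a simplified RBAC PolicyRule (no resourceNames or nonResourceURLs).
// "*" is a wildcard in any field, as in Kubernetes RBAC.
type Rule struct {
	Verbs     []string
	APIGroups []string
	Resources []string
}

// matches reports whether the approved list grants `want`, by exact match or wildcard.
func matches(have []string, want string) bool {
	for _, h := range have {
		if h == "*" || h == want {
			return true
		}
	}
	return false
}

// Covers reports whether a single approved rule grants every
// (verb, group, resource) combination the requested rule asks for.
func Covers(approved, requested Rule) bool {
	for _, v := range requested.Verbs {
		if !matches(approved.Verbs, v) {
			return false
		}
	}
	for _, g := range requested.APIGroups {
		if !matches(approved.APIGroups, g) {
			return false
		}
	}
	for _, r := range requested.Resources {
		if !matches(approved.Resources, r) {
			return false
		}
	}
	return true
}

func coveredByAny(approved []Rule, atom Rule) bool {
	for _, a := range approved {
		if Covers(a, atom) {
			return true
		}
	}
	return false
}

// Uncovered expands each requested rule into atomic (verb, group, resource)
// triples and returns those that no approved rule grants. An empty result
// means the request does not exceed what was already approved.
func Uncovered(approved, requested []Rule) []Rule {
	var out []Rule
	for _, req := range requested {
		for _, v := range req.Verbs {
			for _, g := range req.APIGroups {
				for _, res := range req.Resources {
					atom := Rule{Verbs: []string{v}, APIGroups: []string{g}, Resources: []string{res}}
					if !coveredByAny(approved, atom) {
						out = append(out, atom)
					}
				}
			}
		}
	}
	return out
}

// NeedsReapproval is the update rule from the proposal: re-approval is
// required only when the request exceeds the set approved for predecessors.
func NeedsReapproval(approved, requested []Rule) bool {
	return len(Uncovered(approved, requested)) > 0
}

// FeaturesNeedingApproval applies the same check to optional permission sets
// grouped by feature and returns (sorted) the features whose rules are not yet
// covered, i.e. the ones that would get their own optional InstallPlan.
func FeaturesNeedingApproval(approved []Rule, features map[string][]Rule) []string {
	var out []string
	for name, rules := range features {
		if NeedsReapproval(approved, rules) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: permissions approved when v1 of a hypothetical operator was installed.
	approvedV1 := []Rule{
		{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{""}, Resources: []string{"pods", "services"}},
		{Verbs: []string{"*"}, APIGroups: []string{"apps"}, Resources: []string{"deployments"}},
	}
	// Constructed sample: v2 asks for the same, plus creating Secrets.
	requestedV2 := []Rule{
		{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{""}, Resources: []string{"pods", "services"}},
		{Verbs: []string{"create", "update"}, APIGroups: []string{"apps"}, Resources: []string{"deployments"}},
		{Verbs: []string{"create"}, APIGroups: []string{""}, Resources: []string{"secrets"}},
	}
	fmt.Println("v2 needs re-approval:", NeedsReapproval(approvedV1, requestedV2))
	for _, r := range Uncovered(approvedV1, requestedV2) {
		fmt.Println("  not yet approved:", r)
	}
	// Constructed sample: optional feature permission groups (hypothetical feature names).
	optional := map[string][]Rule{
		"metrics": {{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"services"}}},
		"backup":  {{Verbs: []string{"create"}, APIGroups: []string{"batch"}, Resources: []string{"cronjobs"}}},
	}
	fmt.Println("optional features needing separate approval:", FeaturesNeedingApproval(approvedV1, optional))
}
```

With the sample data, the only uncovered atom for v2 is create on core/secrets, so the update needs re-approval while the deployment create/update is already covered by the earlier wildcard verb grant; of the optional groups, only "backup" needs a separate approval. The same subset check is what Kubernetes itself uses to stop a subject from granting RBAC it does not hold, so a user with only the install permissions of an existing ServiceAccount could approve exactly what that account covers and nothing more.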