Hello, I am currently testing Atomic Registry, to see if we could use it in a corporate setup. However, I have trouble wrapping my head around the rights management system. I find some things confusing; maybe they are bugs or usability issues?
1. Rights on the OpenShift cluster and rights on the Atomic Registry applications are intertwined.
2. Found no way to create new roles, or modify existing ones, to have fine-grained control on rights.
3. The only role able to create groups is cluster-admin.
4. The registry-admin role cannot list groups or users; how is it possible to create bindings that way?
5. Discrepancy on permissible chars in naming between CLI and Web-UI (i.e. users with "." or "-" in names cannot be granted permissions in the Web-UI).
In my setup, multiple teams are responsible for different projects in the registry, and some clients will have access to one project. Also, an Ops team is responsible for the registry, so we don't want to give permissions that are too broad to the users of the registry.
I tried different scenarios:
1. Everything is in the LDAP, so groups are managed in LDAP. Issues:
   * Assigning rights to pull/push on projects to different groups cannot be done; it is impossible to list groups unless you have the cluster-viewer or cluster-admin rights -> rights way too broad.
   * Synchronization of groups can only be done via CLI; users of the registry must know CLI usage and share the configuration files (including alias mapping!).
   * Groups are only displayed in the Web-UI if a rolebinding is already in place for them, which conflicts with the management of rolebindings in the Web-UI.
2. Only authentication is in the LDAP; groups and bindings are managed in the Registry Web-UI. Issues:
   * Groups cannot be created unless the user has the cluster-admin right -> rights WAY too broad.
Did I miss a really important point that would make everything fit together? Should I open bug reports for the features I find missing?
Best regards,
Diego Abelenda
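As an added illustration of scenario 1 (not part of the original message, and not configuration from the Atomic Registry or OpenShift projects), the two objects below show the least-privilege shape the poster is after: LDAP groups are synced once into OpenShift by the Ops team (this needs cluster-admin, via `oc adm groups sync --sync-config=ldap-sync.yaml --confirm`), and each project then gets a RoleBinding that grants the built-in registry-editor role (push/pull) to one synced group only, so nobody needs cluster-admin or cluster-viewer to push images. The LDAP server, base DNs, bind DN, group name `team-a-devs` and project `team-a` are constructed placeholders; the attribute mapping assumes an RFC 2307 directory with groupOfNames entries, and the RoleBinding uses the OpenShift 3 native `apiVersion: v1` form.

```yaml
# ldap-sync.yaml: LDAPSyncConfig consumed by `oc adm groups sync`.
# Run by the Ops/cluster-admin team only; registry users never need it.
# All server details below are constructed placeholders.
kind: LDAPSyncConfig
apiVersion: v1
url: ldaps://ldap.example.invalid:636          # placeholder server
bindDN: "cn=sync-reader,ou=service,dc=example,dc=invalid"
bindPassword:
  file: /etc/origin/ldap-sync-password         # keep the secret out of the YAML
insecure: false                                # never downgrade to plain LDAP
rfc2307:
  groupsQuery:
    baseDN: "ou=groups,dc=example,dc=invalid"
    scope: sub
    derefAliases: never
    filter: "(objectClass=groupOfNames)"
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]                  # OpenShift group name = LDAP cn
  groupMembershipAttributes: [ member ]
  usersQuery:
    baseDN: "ou=users,dc=example,dc=invalid"
    scope: sub
    derefAliases: never
  userUIDAttribute: dn
  userNameAttributes: [ uid ]                  # must match the identity provider's username
---
# team-a-push.yaml: per-project binding, applied with
#   oc create -f team-a-push.yaml -n team-a
# or equivalently
#   oc adm policy add-role-to-group registry-editor team-a-devs -n team-a
# The binding is scoped to the project, so team-a-devs can push/pull only
# images under team-a; other projects are untouched.
apiVersion: v1
kind: RoleBinding
metadata:
  name: team-a-devs-registry-editor
  namespace: team-a                            # placeholder project
roleRef:
  name: registry-editor                        # built-in cluster role: push + pull
subjects:
- kind: Group
  name: team-a-devs                            # group created by the LDAP sync above
groupNames:
- team-a-devs
```

Two caveats match the issues listed in the message: the sync step itself is CLI-only and needs cluster-admin, so it belongs with the Ops team rather than with the project teams, and the group only shows up in the Web-UI once a binding like the second object exists, so the first binding per project is best created from the CLI as well. Reviewing who holds cluster-admin (`oc adm policy who-can create groups`, or `oc get clusterrolebindings`) is a useful check after the setup to confirm nothing broader than registry-editor was handed to ordinary users.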