Tectonic Identity docs revision #33
Conversation
ericchiang
assigned ericchiang and rithujohn191 and unassigned ericchiang and rithujohn191
| 1. Select the access level for the Role Binding: | ||
| * *Namespace Role Bindings* grant access only within the listed namespace. | ||
| * *Cluster-wide Role Bindings* grant access across the Tectonic cluster. | ||
| While a Cluster Role may be bound down the hierarchy to a Namespace Role Binding, a Namespace Role can't be promoted up the hierarchy to be bound to a Cluster Role Binding. |
There was a problem hiding this comment.
I think we can strike this completely. It's more confusing that it seems and it makes sense when you are looking at real data in the UI for roles you have created.
| * *Cluster-wide Role Bindings* grant access across the Tectonic cluster. | ||
| While a Cluster Role may be bound down the hierarchy to a Namespace Role Binding, a Namespace Role can't be promoted up the hierarchy to be bound to a Cluster Role Binding. | ||
| what does that mean? - beth | ||
| Namespace users and groups have read-access to Pods. Admins have full control over all resources. (is that true? read-only? - beth) |
There was a problem hiding this comment.
what are you referencing here?
|
|
||
| ## Removing Access | ||
|
|
||
| Changes to a Role or Role Binding will take place immediately. Revoking access to a user may not be fully complete until the user's session token expires. The default expriation time is 24 hours. |
|
|
||
| ## Assign Users to Roles | ||
|
|
||
| To grant your users access to Roles, [use a Role Binding][insert]. |
|
|
||
| Once the Role is created, click its *Name* in the *Roles* page, then click *Add Rule* to open the *Create Access Rule* page. | ||
|
|
||
| <Create Access Rule page> |
There was a problem hiding this comment.
yah - I removed it. Had it there just for me to look at while I was listing out all the options. I don't think the image of that page is valuable.
| namespace: default | ||
| ``` | ||
|
|
||
| Read up on how [create a roles][create-roles] and create a [Role Binding][insert] to associate it with your Service Account. |
|
related: #13 |
| To add a static user, update the Tectonic Identity `ConfigMap` with a new `staticPasswords` entry. | ||
|
|
||
| ```yaml | ||
| staticPasswords: |
| To change the password of an existing user, generate a bcrypt hash for the new password (using [coreos/bcrypt-tool](https://github.com/coreos/bcrypt-tool/releases/tag/v1.0.0)) and add this value to the Tectonic Identity `ConfigMap` for the selected user. | ||
|
|
||
| ```yaml | ||
| staticPasswords: |
| Replace `example.com` with your IdP domain name, and `tectonic-domain` with your Tectonic domain name. | ||
|
|
||
| ```yaml | ||
| connectors: |
| ## Using kubectl to create ClusterRoleBindings | ||
|
|
||
| `ClusterRoles` grant access to types of objects in any namespace in the cluster. Tectonic offers three default `ClusterRoles`: | ||
| * user |
There was a problem hiding this comment.
Can we switch the for the upstream roles https://kubernetes.io/docs/admin/authorization/rbac/#user-facing-roles
* view
* edit
* admin
* cluster-admin
There was a problem hiding this comment.
yes. when these options are exposed in Console, we'll switch to whatever it lists, if necessary.
| Then, use kubectl to apply the `ClusterRoleBinding` RBAC resource definition, and create the account: | ||
|
|
||
| ``` | ||
| $ kubectl create -f user admin-test.yaml |
There was a problem hiding this comment.
you've got a extra user here should be
kubectl create -f admin-test.yaml
|
|
||
| ```yaml | ||
| kind: ClusterRoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1alpha1 |
There was a problem hiding this comment.
please switch this to
rbac.authorization.k8s.io/v1beta1
|
|
||
| ``` | ||
| $ kubectl create -f user admin-test.yaml | ||
| user "admin-test" created |
There was a problem hiding this comment.
This would be
$ kubectl create -f admin-test.yaml
clusterrolebinding "admin-test" created
| namespace: default | ||
| rules: | ||
| - apiGroups: | ||
| - '' |
There was a problem hiding this comment.
nit: add a comment here explaining why the empty string is used
rules:
- apiGroups:
- '' # '' means the core API group.
Documentation/users/rbac-config.md
Outdated
|
|
||
| A Role Binding can reference both Roles and Cluster Roles to grant permissions to resources. This allows administrators to define a set of common roles for the entire cluster, then reuse them within multiple namespaces. For example, the `view` Cluster Role referred to in the following Role Binding grants read-only permission to `[email protected]` but denies access to that user in the `kube-system` namespace. | ||
|
|
||
| (this doesn't make sense, given the example - beth) |
There was a problem hiding this comment.
Maybe
For examplem creating a Role Binding in the
devnamespace that binds a user to theeditCluster Role won't have any impact outside of thedevnamespace, even though it references a Cluster Role.
Diagrams might help
|
|
||
| The table below describes the parameters that configure Tectonic Identity federation with IdPs: | ||
|
|
||
| question: are these platform agnostic? in which case, i want to pull them from here, and add them to tectonic-identity-config.md - beth |
There was a problem hiding this comment.
These are platform agnostic but really cryptic. Let me take a second pass at the SAML section in another review.
|
|
||
| The three major components of Tectonic Identity are the API server, Tectonic Console, and kubectl. | ||
|
|
||
| this doesn't make sense. these three aren't 'components' of TI - I think this means to list three things that 'access' TI. I also think this section should refer to 'Tectonic Identity', and not 'Dex' when describing these connections. - beth |
There was a problem hiding this comment.
I think this section could probably just use a diagram that we then break down.
- Tectonic Identity - logs users into cooperate identity systems (LDAP, SAML, etc.) and issues credentials.
- Kubernetes API server - will authenticate user credentials against Tectonic Identity.
- Tectonic Console - requests credentials on the user's behalf from Tectonic Identity.
- kubectl - users can download credentials from Tectonic Console to use with kubectl when issuing commands to the Kubernetes API server.
|
|
||
| In case of LDAP, Tectonic Console logs the user in to a LDAP server. LDAP through Dex issues a ID Token. Tectonic on behalf of the user call kubectl with the ID Token. Kubectl connects to the API Server and verify the validity of the ID Token and authenticity of the user. Once authorized API server returns a response to kubectl. | ||
|
|
||
| - can we make this IdP agnostic? isn't the connection sequence the same for both LDAP and SAML ? - beth |
There was a problem hiding this comment.
Yes. Let's only briefly mention SAML, LDAP, etc. in this doc.
Documentation/users/user-auth.md
Outdated
|
|
||
| However, the original example and LDAP server output, shown earlier in this document, qualify members based on `DN` rather than `mail`. | ||
|
|
||
| This doesn't make sense. we've told users they must use the email address for usernames, yet here it's pointing it out as an error? - beth |
There was a problem hiding this comment.
Tried to answer that above.
|
general question: do we want to point readers down into the Dex repo? for example, do we want to say, For more information, see https://github.com/coreos/dex/blob/master/Documentation/ldap-connector.md ? I'm conflicted on this. |
|
@robszumski @ericchiang @rithujohn191 I believe with one more review pass, we could publish these to the site. Does anyone have time this week for a read through? |
There was a problem hiding this comment.
Couple nits but this is already much better than what we have today so lets get it merged and submit follow ups.
Just so I remember, these are some things we might want to follow up with:
- Encourage not granting roles to the default service account (containers that need permissions should have a unique service account).
- More LDAP schema -> config mappings?
- Follow up on SAML docs.
|
|
||
| The following examples demonstrate mapping LDAP schema to Tectonic Identity configurations. | ||
|
|
||
| ### User LDAP schema and Tectonic mapping |
There was a problem hiding this comment.
nit: this section and the one below are both examples of the same functionality: determining what group a user's in. Maybe combine the two sections?
There was a problem hiding this comment.
i don't think i understand LDAP schema well enough to make a clean attempt at this. Do the two LDAP snippets both show a member definition at the top:
dn: cn=john,dc=people,dc=example,dc=org
objectClass: person
cn: jane
email: [email protected]
followed by a group definition at the bottom:
dn: cn=developers,dc=groups,dc=example,dc=org
objectClass: group
cn: developers
member: jane
that is, are these simply two different ways to define group affiliations?
Documentation/users/rbac-config.md
Outdated
|
|
||
| Tectonic Console and `kubectl` now reflect the updated role and binding: | ||
|
|
||
| < i can insert an image here, if we think it's useful. i'm not convinced - beth > |
There was a problem hiding this comment.
nit: remove this before pushing final docs?
| # Existing user entry. | ||
| - email: "[email protected]" | ||
| hash: "$2a$10$TcWtvcw0N8.xK8nKdBw80uzYij6cJwuQhtfYnEf/hEC9bRTzlWdIq" | ||
| # newly generated bcrypt hash |
There was a problem hiding this comment.
This comment is slightly confusing. Maybe add it to the line above and re-align it?
| userID: "1d55c7c4-a76d-4d74-a257-31170f2c4845" | ||
| ``` | ||
|
|
||
| After the config changes are applied, the user can log in to the Console using the new password. |
There was a problem hiding this comment.
I wonder if we should highlight that applying the ConfigMap changes does not mean that a new Dex instance will roll out. The user will have to manually bring up the identity Pod with the new config changes.
Documentation/users/user-auth.md
Outdated
| memberOf: cn=tectonic_users,ou=Users,o=5866a86d3187bc712e435b35,dc=example,dc=org | ||
| ``` | ||
|
|
||
| Use the email address as the name attribute for the account: |
There was a problem hiding this comment.
Changing this to "Use the email address as the name attribute for RoleBinding definition for the account" would make it more clear
docs: more tectonic identity work docs: sunday edits clarify users/groups/svc accounts Update creating-roles.md Update creating-service-accounts.md docs: review changes docs: fix indent docs: clarify ldap and saml docs: tweaks
zbwright
force-pushed
the
tectonic-identity
branch
from
2822ee2 to
10c8ad2
Compare
zbwright
changed the title
|
|
||
| When generating Tectonic Console passwords with `bcrypt-tool`, using values higher than the default of `-cost=10` may result in timeouts. bcrypt also imposes a maximum password length of 56 bytes. | ||
|
|
||
| To ensure the static user has been added successfully, log in to Tectonic Console using the static user's username and password. |
There was a problem hiding this comment.
Please do add the same condition here that the user needs to bring up the identity pod again
|
@joshix I know I confirmed that this is ready for your review verbally. Adding a note here as well for tracking purposes. If you would like to go through these, have at it, please. |
I'm taking a pretty heavily editorial pass through all existing Tectonic Identity docs. I've rearranged all content, created some new pages, and combined others, and renamed all the files for clarity. This PR, and this new folder, will become the new 'User Management' docs on the site. We'll remove all the old docs.