@@ -282,6 +282,38 @@ Make project network global |
282 | 282 |
==== |
283 | 283 |
|
284 | 284 |
|
285 |
+== oadm policy add-role-to-user |
|
286 |
+Add users or serviceaccounts to a role in the current project |
|
287 |
+ |
|
288 |
+==== |
|
289 |
+ |
|
290 |
+[options="nowrap"] |
|
291 |
+---- |
|
292 |
+ # Add the 'view' role to user1 in the current project |
|
293 |
+ $ oadm policy add-role-to-user view user1 |
|
294 |
+ |
|
295 |
+ # Add the 'edit' role to serviceaccount1 in the current project |
|
296 |
+ $ oadm policy add-role-to-user edit -z serviceaccount1 |
|
297 |
+---- |
|
298 |
+==== |
|
299 |
+ |
|
300 |
+ |
|
301 |
+== oadm policy add-scc-to-user |
|
302 |
+Add users or serviceaccount to a security context constraint |
|
303 |
+ |
|
304 |
+==== |
|
305 |
+ |
|
306 |
+[options="nowrap"] |
|
307 |
+---- |
|
308 |
+ # Add the 'restricted' security context contraint to user1 and user2 |
|
309 |
+ $ oadm policy add-scc-to-user restricted user1 user2 |
|
310 |
+ |
|
311 |
+ # Add the 'privileged' security context contraint to the service account serviceaccount1 in the current namespace |
|
312 |
+ $ oadm policy add-scc-to-user privileged -z serviceaccount1 |
|
313 |
+---- |
|
314 |
+==== |
|
315 |
+ |
|
316 |
+ |
|
285 | 317 |
== oadm policy reconcile-cluster-role-bindings |
286 | 318 |
Replace cluster role bindings to match the recommended bootstrap policy |
287 | 319 |
|
@@ -626,6 +626,22 @@ Update field(s) of a resource using strategic merge patch. |
626 | 626 |
==== |
627 | 627 |
|
628 | 628 |
|
629 |
+== oc policy add-role-to-user |
|
630 |
+Add users or serviceaccounts to a role in the current project |
|
631 |
+ |
|
632 |
+==== |
|
633 |
+ |
|
634 |
+[options="nowrap"] |
|
635 |
+---- |
|
636 |
+ # Add the 'view' role to user1 in the current project |
|
637 |
+ $ oc policy add-role-to-user view user1 |
|
638 |
+ |
|
639 |
+ # Add the 'edit' role to serviceaccount1 in the current project |
|
640 |
+ $ oc policy add-role-to-user edit -z serviceaccount1 |
|
641 |
+---- |
|
642 |
+==== |
|
643 |
+ |
|
644 |
+ |
|
629 | 645 |
== oc port-forward |
630 | 646 |
Forward one or more local ports to a pod. |
631 | 647 |
|
@@ -27,6 +27,14 @@ const ( |
27 | 27 |
RemoveClusterRoleFromUserRecommendedName = "remove-cluster-role-from-user" |
28 | 28 |
) |
29 | 29 |
|
30 |
+const ( |
|
31 |
+ addRoleToUserExample = ` # Add the 'view' role to user1 in the current project |
|
32 |
+ $ %[1]s view user1 |
|
33 |
+ |
|
34 |
+ # Add the 'edit' role to serviceaccount1 in the current project |
|
35 |
+ $ %[1]s edit -z serviceaccount1` |
|
36 |
+) |
|
37 |
+ |
|
30 | 38 |
type RoleModificationOptions struct { |
31 | 39 |
RoleNamespace string |
32 | 40 |
RoleName string |
@@ -67,9 +75,10 @@ func NewCmdAddRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Wri |
67 | 67 |
saNames := []string{} |
68 | 68 |
|
69 | 69 |
cmd := &cobra.Command{ |
70 |
- Use: name + " ROLE USER [USER ...]", |
|
71 |
- Short: "Add users to a role in the current project", |
|
72 |
- Long: `Add users to a role in the current project`, |
|
70 |
+ Use: name + " ROLE (USER | -z SERVICEACCOUNT) [USER ...]", |
|
71 |
+ Short: "Add users or serviceaccounts to a role in the current project", |
|
72 |
+ Long: `Add users or serviceaccounts to a role in the current project`, |
|
73 |
+ Example: fmt.Sprintf(addRoleToUserExample, fullName), |
|
73 | 74 |
Run: func(cmd *cobra.Command, args []string) { |
74 | 75 |
if err := options.CompleteUserWithSA(f, args, saNames); err != nil { |
75 | 76 |
kcmdutil.CheckErr(kcmdutil.UsageError(cmd, err.Error())) |
@@ -226,8 +235,8 @@ func NewCmdRemoveClusterRoleFromUser(name, fullName string, f *clientcmd.Factory |
226 | 226 |
} |
227 | 227 |
|
228 | 228 |
func (o *RoleModificationOptions) CompleteUserWithSA(f *clientcmd.Factory, args []string, saNames []string) error { |
229 |
- if (len(args) < 2) && (len(saNames) == 0) { |
|
230 |
- return errors.New("you must specify at least two arguments: <role> <user> [user]...") |
|
229 |
+ if len(args) < 1 { |
|
230 |
+ return errors.New("you must specify a role") |
|
231 | 231 |
} |
232 | 232 |
|
233 | 233 |
o.RoleName = args[0] |
@@ -235,6 +244,10 @@ func (o *RoleModificationOptions) CompleteUserWithSA(f *clientcmd.Factory, args |
235 | 235 |
o.Users = append(o.Users, args[1:]...) |
236 | 236 |
} |
237 | 237 |
|
238 |
+ if (len(o.Users) == 0) && (len(saNames) == 0) { |
|
239 |
+ return errors.New("you must specify at least one user or service account") |
|
240 |
+ } |
|
241 |
+ |
|
238 | 242 |
osClient, _, err := f.Clients() |
239 | 243 |
if err != nil { |
240 | 244 |
return err |
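Review bot: The new guard `if (len(o.Users) == 0) && (len(saNames) == 0)` only counts `-z` entries and never checks that they are non-empty, so an invocation such as `-z ""` (or a trailing comma, if the flag is parsed as a list) passes it and a blank service-account name flows on into the client/binding code below; where `saNames` is declared and how it is later turned into subjects lies outside this hunk, so I would reject blank names right after the guard, as below. Note also that `o.Users` is appended to on the context line `o.Users = append(o.Users, args[1:]...)`, so the guard tests the cumulative list rather than this invocation's arguments — fine for a freshly built options struct, but worth a one-line comment such as `// o.Users may already hold subjects from the caller; the check is on the combined set`. `CompleteUserWithSA` starts before this hunk and continues past it.

```go
	if (len(o.Users) == 0) && (len(saNames) == 0) {
		return errors.New("you must specify at least one user or service account")
	}
	// Reject blank entries (e.g. `-z ""`); an empty name would otherwise
	// reach the binding code below as a service-account subject.
	for _, sa := range saNames {
		if len(sa) == 0 {
			return errors.New("service account name must not be empty")
		}
	}
	// … unchanged: client setup …
```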
@@ -2,6 +2,7 @@ package policy |
2 | 2 |
|
3 | 3 |
import ( |
4 | 4 |
"errors" |
5 |
+ "fmt" |
|
5 | 6 |
"io" |
6 | 7 |
|
7 | 8 |
"github.com/spf13/cobra" |
@@ -22,6 +23,14 @@ const ( |
22 | 22 |
RemoveSCCFromUserRecommendedName = "remove-scc-from-user" |
23 | 23 |
) |
24 | 24 |
|
25 |
+const ( |
|
26 |
+ addSCCToUserExample = ` # Add the 'restricted' security context contraint to user1 and user2 |
|
27 |
+ $ %[1]s restricted user1 user2 |
|
28 |
+ |
|
29 |
+ # Add the 'privileged' security context contraint to the service account serviceaccount1 in the current namespace |
|
30 |
+ $ %[1]s privileged -z serviceaccount1` |
|
31 |
+) |
|
32 |
+ |
|
25 | 33 |
type SCCModificationOptions struct { |
26 | 34 |
SCCName string |
27 | 35 |
SCCInterface kclient.SecurityContextConstraintsInterface |
@@ -56,9 +65,10 @@ func NewCmdAddSCCToUser(name, fullName string, f *clientcmd.Factory, out io.Writ |
56 | 56 |
saNames := []string{} |
57 | 57 |
|
58 | 58 |
cmd := &cobra.Command{ |
59 |
- Use: name + " SCC USER [USER ...]", |
|
60 |
- Short: "Add users to a security context constraint", |
|
61 |
- Long: `Add users to a security context constraint`, |
|
59 |
+ Use: name + " SCC (USER | -z SERVICEACCOUNT) [USER ...]", |
|
60 |
+ Short: "Add users or serviceaccount to a security context constraint", |
|
61 |
+ Long: `Add users or serviceaccount to a security context constraint`, |
|
62 |
+ Example: fmt.Sprintf(addSCCToUserExample, fullName), |
|
62 | 63 |
Run: func(cmd *cobra.Command, args []string) { |
63 | 64 |
if err := options.CompleteUsers(f, args, saNames); err != nil { |
64 | 65 |
kcmdutil.CheckErr(kcmdutil.UsageError(cmd, err.Error())) |
@@ -121,13 +131,17 @@ func NewCmdRemoveSCCFromUser(name, fullName string, f *clientcmd.Factory, out io |
121 | 121 |
} |
122 | 122 |
|
123 | 123 |
func (o *SCCModificationOptions) CompleteUsers(f *clientcmd.Factory, args []string, saNames []string) error { |
124 |
- if (len(args) < 2) && (len(saNames) == 0) { |
|
125 |
- return errors.New("you must specify at least two arguments (<scc> <user> [user]...) or a service account (<scc> -z <service account name>) ") |
|
124 |
+ if len(args) < 1 { |
|
125 |
+ return errors.New("you must specify a scc") |
|
126 | 126 |
} |
127 | 127 |
|
128 | 128 |
o.SCCName = args[0] |
129 | 129 |
o.Subjects = authorizationapi.BuildSubjects(args[1:], []string{}, uservalidation.ValidateUserName, uservalidation.ValidateGroupName) |
130 | 130 |
|
131 |
+ if (len(o.Subjects) == 0) && (len(saNames) == 0) { |
|
132 |
+ return errors.New("you must specify at least one user or service account") |
|
133 |
+ } |
|
134 |
+ |
|
131 | 135 |
var err error |
132 | 136 |
_, o.SCCInterface, err = f.Clients() |
133 | 137 |
if err != nil { |
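Review bot: The user-facing help text in `addSCCToUserExample` misspells "constraint" as "contraint" on both example lines, and the new error string `you must specify a scc` should read `you must specify an SCC` to match how the `Use` string names the argument (the test hunk on this page asserts only the role messages, so check no other test pins the SCC string before changing it); `Short`/`Long` should also say `serviceaccounts` (plural) as the parallel `add-role-to-user` command does. Because the second example grants `privileged` to a service account, I would extend that example comment with a caveat, e.g. `# 'privileged' is the most permissive constraint; grant it only to service accounts running trusted workloads` — hedged, since the SCC definitions themselves are not on this page. The guard `if (len(o.Subjects) == 0) && (len(saNames) == 0)` also assumes `BuildSubjects` drops nothing silently; if it skips names rejected by `ValidateUserName`, a mistyped user would surface as the generic "at least one user" error rather than a validation error, which is worth confirming against that helper (outside this page). `CompleteUsers` continues past the end of the hunk.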
@@ -11,6 +11,10 @@ os::log::install_errexit |
11 | 11 |
|
12 | 12 |
# This test validates user level policy |
13 | 13 |
|
14 |
+os::cmd::expect_failure_and_text 'oc policy add-role-to-user' 'you must specify a role' |
|
15 |
+os::cmd::expect_failure_and_text 'oc policy add-role-to-user -z NamespaceWithoutRole' 'you must specify a role' |
|
16 |
+os::cmd::expect_failure_and_text 'oc policy add-role-to-user view' 'you must specify at least one user or service account' |
|
17 |
+ |
|
14 | 18 |
os::cmd::expect_success 'oc policy add-role-to-group cluster-admin system:unauthenticated' |
15 | 19 |
os::cmd::expect_success 'oc policy add-role-to-user cluster-admin system:no-user' |
16 | 20 |
os::cmd::expect_success 'oc get rolebinding/cluster-admin --no-headers' |
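Review bot: The new assertion `oc policy add-role-to-user -z NamespaceWithoutRole` passes a value named like a namespace where `-z` takes a service-account name (the command's `Use` string reads `-z SERVICEACCOUNT`); rename it to `-z ServiceAccountWithoutRole` so the test reads as what it exercises. The three added lines cover only the failure paths: the new `-z` success path (a service account actually added to a role and the resulting rolebinding subject) is not exercised here, unless a test elsewhere in this file or suite covers it. The parallel `add-scc-to-user` messages (`you must specify a scc`, `you must specify at least one user or service account`) get no assertion in this hunk either.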