OSDOCS-17807: document multigroup user impersonation in the web console #105664
base: main
@jseseCCS: This pull request references OSDOCS-17807 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Hi @jseseCCS. Thanks for your PR. I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@Leo6Leo please review and thank you!
/assign @Leo6Leo
Leo6Leo
left a comment
Thank you @jseseCCS, this is quite a complicated and complex feature that has a lot of details in it, so I want to be careful with the doc so that it will deliver the most accurate information to the users.
I have recorded a small demo video for you, to walk you through the whole user's flow, so that you won't miss any technical details that only engineers who code the feature would notice. Don't hesitate to reach out if you have any further questions or need any clarification on this feature.
| .Procedure | ||
| . In the OpenShift web console, click **Administrator** → **User Management** → **User Impersonation**. | ||
| . Select the user you want to impersonate. | ||
| . Select one or more groups that are associated with the user. |
This might not be accurate. The user can impersonate any group(s) that they have view access to.
| * The user you impersonate must belong to one or more groups. | ||
|
|
||
| .Procedure | ||
| . In the OpenShift web console, click **Administrator** → **User Management** → **User Impersonation**. |
Another way to start impersonation is via the kebab menu in the top-right corner of the web console.
And I don't think there is a User Impersonation option under the User Management tab. The way to trigger the impersonation is: you go under the User Management tab, then Users / Groups, and then you click on the kebab menu beside the specific user / group, and there should appear a button to impersonate.
|
|
||
| .Before you begin | ||
| * You must have permission to impersonate users. | ||
| * The user you impersonate must belong to one or more groups. |
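Review bot: The first bullet, `You must have permission to impersonate users`, does not say which permission is meant. In Kubernetes RBAC, impersonation is the `impersonate` verb, granted separately on `users` and on `groups`, so a prerequisite for a multigroup procedure should name both resources instead of leaving the reader to guess. Also consider the block title `.Prerequisites` in place of `.Before you begin`, which is the title procedure modules normally use for this list.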
This may not be accurate. That user doesn't need to belong to that group. The purpose of multi-group impersonation is to simulate "what permissions would this user have if they were a member of these groups" - which is useful for testing RBAC configurations. The user doesn't need to actually be a member of those groups.
| == Impersonating a user with multiple group memberships in the web console | ||
| [id="impersonating-user-multiple-groups-console_{context}"] | ||
|
|
||
| You can use the OpenShift web console to impersonate a user and select multiple group memberships at the same time to reproduce the user’s effective permissions. |
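Review bot: The `[id="impersonating-user-multiple-groups-console_{context}"]` line sits after the `==` heading in this hunk, so the anchor attaches to the paragraph that follows and not to the section itself. Move the `[id=...]` line directly above the `== Impersonating a user with multiple group memberships in the web console` heading so cross-references resolve to the section.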
Is this a duplicate of line 9?
|
|
||
| .Procedure | ||
| . In the OpenShift web console, click **Administrator** → **User Management** → **User Impersonation**. | ||
| . Select the user you want to impersonate. |
For now it is asking the user to manually type the user's username that they want to impersonate in the newly popped-up modal.
|
|
||
| [NOTE] | ||
| ==== | ||
| If you select a single group, the impersonation behavior matches the existing single-group impersonation mode. |
This might not be accurate. If you start the impersonation from the kebab menu, you will have to enter the user's username that you are intending to impersonate. But the group field is optional.
One note about this feature is that if no groups are selected, it falls back to regular user impersonation.
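The behaviour described in the review comments above (the impersonator chooses the groups, the user need not be a member of them, and with no groups selected the request is regular user impersonation) can be modelled as follows. This is an added example, not code from the pull request or the console; it assumes the authorizer sees only the subjects named in the Kubernetes `Impersonate-User` and `Impersonate-Group` request headers, and all binding and subject names are constructed.

```python
from typing import NamedTuple


class Binding(NamedTuple):
    kind: str             # "User" or "Group"
    name: str
    verbs: frozenset
    resources: frozenset


# Constructed sample bindings; the subject names are hypothetical.
BINDINGS = [
    Binding("User", "alice", frozenset({"get", "list"}), frozenset({"pods"})),
    Binding("Group", "qa-team", frozenset({"get"}), frozenset({"secrets"})),
    Binding("Group", "deployers", frozenset({"create", "delete"}),
            frozenset({"deployments"})),
]


def impersonation_headers(user, groups=()):
    """Kubernetes impersonation headers; Impersonate-Group repeats per group."""
    return [("Impersonate-User", user)] + [("Impersonate-Group", g) for g in groups]


def allowed(headers, bindings=BINDINGS):
    """Every (verb, resource) pair granted to the identity named in the headers.

    Assumption: only the subjects in the headers are evaluated; stored group
    membership of the impersonated user is never looked up.
    """
    users = {v for k, v in headers if k == "Impersonate-User"}
    groups = {v for k, v in headers if k == "Impersonate-Group"}
    grants = set()
    for b in bindings:
        if (b.kind == "User" and b.name in users) or \
           (b.kind == "Group" and b.name in groups):
            grants |= {(verb, res) for verb in b.verbs for res in b.resources}
    return grants


def added_by_groups(user, groups):
    """Permissions the selected groups add on top of user-only impersonation."""
    return (allowed(impersonation_headers(user, groups))
            - allowed(impersonation_headers(user)))


if __name__ == "__main__":
    for verb, res in sorted(added_by_groups("alice", ["qa-team", "deployers"])):
        print(f"groups add: {verb} {res}")
```

Comparing the two result sets is the RBAC test the feature is meant for: it shows what a role binding on a group would grant before the user is actually added to that group.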
Version(s):
OpenShift Container Platform 4.21
Issue:
https://issues.redhat.com/browse/OSDOCS-17807
Related feature: https://issues.redhat.com/browse/CONSOLE-4734
Link to docs preview: