Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: Design admin control over non admin specs #45

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

doc: Design admin control over non admin specs #45

wants to merge 1 commit into from

Conversation

mateusoliveira43
Copy link
Contributor

Why the changes were made

Create design for adding new feature that was request by users.

Related to #33
Related to #37
Blocked by #44

How the changes were made

Studied possibilities of how to add new feature into NAC.

How to test the changes made

Read design and see if it is clear.

@mateusoliveira43
doc: Design admin control over non admin specs
8d905fe 
Signed-off-by: Mateus Oliveira <msouzaol@redhat.com>
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Apr 15, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Apr 15, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mateusoliveira43

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

mateusoliveira43
mateusoliveira43 commented Apr 15, 2024
View reviewed changes
docs/admin_control_specs.md
## Non-Goals

- Remove restricted specs or show their custom default values in NonAdminBackup/NonAdminRestore (non admin users can still create NonAdminBackup/NonAdminRestore with restricted specs, but they will be simply not reconciled by NAC, with an error explaining why)
- Allow admin users to restrict second level specs (for example, `labelSelector` can be restricted, but not `labelSelector.matchLabels`)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this ok?

mateusoliveira43
mateusoliveira43 commented Apr 15, 2024
View reviewed changes
docs/admin_control_specs.md

## Goals

- Enable admin users to restrict which NonAdminBackup/NonAdminRestore specs non admin users can use, and set custom default values to these specs
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking about having 2 options:

  • just restrict
  • restrict and have custom default value

Thinking about implementation, having just estrict and have custom default value seems easier to implement. Is this ok?

mateusoliveira43
mateusoliveira43 commented Apr 15, 2024
View reviewed changes
docs/admin_control_specs.md

## Background

Non Admin Controller (NAC) adds the ability to admin users restrict the use of OADP operator for non admin users, by only allowing them to create backup/restores from their namespaces with NonAdminBackup/NonAdminRestore. Admin users may want to further restrict non admin users operations, like forcing a specific NonAdminBackup type. This design enables admin users to restrict which NonAdminBackup/NonAdminRestore specs will be open for non admin users and set custom default values for these specs.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need control over restores or just backups is enough?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
approved do-not-merge/work-in-progress
Projects
OADP
Status: In Progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mateusoliveira43