clarify separation of batch vs admin roles #4229
Conversation
Signed-off-by: Scott Kurz <skurz@us.ibm.com>
Hi @scottkurz, thanks for opening this. Can you retarget it to draft? We'll need to stage it there and then on staging before the change goes to vNext.
As to your question re linking to IBM docs- we don't generally link from OL to KC/IBM Docs. I think it's ok to do so temporarily in this case if that's the only source for more information.
A better long term solution is to develop a Java batch topic for the OL docs that covers all aspects of the KC info that are relevant to Open Liberty users. If you wouldn't mind opening an issue on the docs backlog to help us understand what topics/info from IBM docs would make sense in an OL Java batch topic, I can get it prioritized and work up a draft. Let me know what you think. Thanks!
<user name="batchadmin"/> | ||
</security-role> | ||
</authorization-roles> | ||
---- |
Also want to clarify: even a user in the reader role can edit batch jobs if they have the proper com.ibm.ws.batch auth? I thought that reader role gave you read-only access to the Admin Center tools; is that not the case with Java Batch?
Yeah, this was exactly the nuance I was trying to illustrate. I think it makes sense to basically defer to batch's custom auth here but let me also tag @mbroz2 to clarify if this is truly the intended design.
reader-role is not an Admin Center concept, but rather a Liberty one (aka, it's applied to all (well almost all) APIs, including Admin Center ones, unless the API uses their own set of authorization, like batch).
I would expect a user to be able to have the 'reader' role and the 'batchAdmin' role, allowing them to view all the tools in Admin Center, but also perform batch admin job operations in the Java Batch tool.... but that's only true if no other/non-Java-Batch APIs are called that would do anything other than a GET operation (except for the Admin Center user preferences API, which is allowed to do POST/PUT/DELETE for reader role). I'm guessing there aren't, but @kinueng or @k8vance88 could confirm. One way to test this would be to just run the Admin Center Java Batch FAT tests, and change the user's role from (what I'm guessing is) admin to reader.
Of course the cheapest route is to simply change the example to assign the batchadmin user to the admin role instead of the reader role :)
Thx @mbroz2. Yeah, if we just want the sample snippet to help a single developer copy/paste working config we probably just want to use the admin role. I don't think you need 'admin' for anything purely batch related but it can be useful e.g. for ibm/api/validation.
I was trying to capture the angle "what is the minimum auth required?" for users trying to use the roles in a fine-grained manner.
Maybe a good compromise would be to show the sample snippet with admin role but mention in a sentence that you can use reader-role for batch operations.
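A concrete server.xml that combines the two role systems discussed above, added here as an example rather than taken from the PR or the Open Liberty docs. The names 'wanda', `batchAdmin`, `reader-role`, `administrator-role` and the `com.ibm.ws.batch` authorization id come from the thread; the feature list, the `basicRegistry` block, the placeholder password and the exact element syntax are assumptions. The behaviour described in the comments (read-only Admin Center, full Java Batch tool) is the expected combination, which the thread itself notes still needs confirming:

```xml
<server description="constructed example: batch admin with read-only Admin Center access">
    <!-- Assumed feature set: batch, Admin Center and application security. -->
    <featureManager>
        <feature>batchManagement-1.0</feature>
        <feature>adminCenter-1.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- Constructed registry; 'wanda' is the user named in the PR text.
         The password value is a placeholder, not a real credential. -->
    <basicRegistry id="basic" realm="BasicRealm">
        <user name="wanda" password="PLACEHOLDER_CHANGE_ME"/>
    </basicRegistry>

    <!-- Liberty management role (assumed element syntax). reader-role gives
         read-only access to Admin Center tools: non-GET calls to other
         Liberty APIs are rejected, with the user-preferences API as the one
         exception mentioned in the thread. -->
    <reader-role>
        <user>wanda</user>
    </reader-role>

    <!-- Batch uses its own authorization set (id com.ibm.ws.batch) instead of
         the management role, so batchAdmin lets 'wanda' view and operate on
         all jobs in the Java Batch tool despite holding only reader-role. -->
    <authorization-roles id="com.ibm.ws.batch">
        <security-role name="batchAdmin">
            <user name="wanda"/>
        </security-role>
    </authorization-roles>

    <!-- For a copy/paste sample that should just work, replace <reader-role>
         above with:
         <administrator-role><user>wanda</user></administrator-role>
         This is the "admin role" variant the thread settles on for the docs. -->
</server>
```

The point of keeping the two blocks side by side is that neither implies the other: `administrator-role` alone does not make a user a batch admin, and `batchAdmin` alone grants nothing outside the batch APIs, so the minimum-privilege reading of the thread is reader-role plus exactly the `com.ibm.ws.batch` role the user actually needs.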
Hmm...the challenge is it's potentially all of them https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-deploying-java-batch-applications-in I imagine we don't want literally all of that but not sure where to start. Shall I open an issue at least to start the conversation?
Yes please! We can start there and determine what we need and don't need, or if the organization/format would benefit from revision. I tend to think we'd be better off with one or two longer, well organized topics with internal anchor links vs a bunch of short topics as it is in KC.
Opened #4231
Signed-off-by: Scott Kurz <skurz@us.ibm.com>
Looks good, just a minor suggestion for ID guidance nitpicks.
modules/ROOT/pages/admin-center.adoc
Outdated
</security-role> | ||
</authorization-roles> | ||
---- | ||
|
||
could use the Java Batch tool to view and operate on any and all jobs (as 'batchAdmin') but a user with just 'administrator-role' access might require one of the 'com.ibm.ws.batch' custom roles in order to even view any jobs at all (they are not automatically a 'batch-admin'). | ||
With this configuration, the user has authorization to view and manage any configured Java batch jobs. The `batchAdmin` authority could be combined with a more fine-grained, restrictive management authority by only granting 'wanda' the `reader-role` management role, which would still allow access to the Admin Center Java Batch tool. |
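Review bot: the first sentence of this hunk names the batch role two ways, 'batchAdmin' near its start and 'batch-admin' in the closing parenthetical, while the following sentence uses `batchAdmin`; settle on the one spelling the configuration uses so a reader does not go looking for a role that does not exist. The same sentence also has an unbalanced opening, "could use the Java Batch tool ..." with no subject visible in the hunk, so check that the preceding (unchanged) line still supplies it after the rewrite.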
Suggested edit:
With this configuration, the user has authorization to view and manage any configured Java batch jobs. The `batchAdmin` authority can also be combined with a more restrictive management authority by granting 'wanda' the `reader-role` management role. This combination still allows full access to the Java Batch tool but provides read-only access to other Admin Center resources.
Personally, I would change
"The `batchAdmin` authority can also be combined with a more restrictive management authority by granting 'wanda' the `reader-role` management role."
to
"The `batchAdmin` role can also be combined with a more restrictive Liberty management role by assigning 'wanda' to `reader-role`."
as I think that reads easier and avoids 'authority'.
Thanks, this wording didn't come easy to me so I appreciate the input. I combined the comments and pushed up take #3.
Signed-off-by: Scott Kurz <skurz@us.ibm.com>
LGTM, thanks!
Signed-off-by: Scott Kurz <skurz@us.ibm.com>
Sorry I didn't catch this new article before the initial effort and am only commenting now.
@dmuelle is it OK to link to the WL KCtr (whatever it's called now) from the OL doc?
If so, I might reference: https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-securing-batch-environment
Note the first two changes here removed a non-display char that I assume was added by mistake.