mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/olmv1-granting-user-access-binding.adoc
2025-02-10 16:05:09 +00:00
// Module included in the following assemblies:
//
// * extensions/ce/user-access-resources.adoc
:_mod-docs-content-type: PROCEDURE
[id="olmv1-granting-user-access-binding_{context}"]
= Granting user access to extension resources by using custom role bindings
As a cluster administrator, you can manually create and configure role-based access control (RBAC) policies to grant user access to extension resources by using custom role bindings.
.Prerequisites
* A cluster extension has been installed on your cluster.
* You have a list of API groups and resource names, as described in "Finding API groups and resources exposed by a cluster extension".
.Procedure
. If the installed cluster extension does not provide default cluster roles, manually create one or more roles:
.. Consider the use cases for the set of roles described in "Common default cluster roles for users".
+
For example, create one or more of the following `ClusterRole` object definitions, replacing `<cluster_extension_api_group>` and `<cluster_extension_custom_resources>` with the actual API group and resource names provided by the installed cluster extension:
+
.Example `view-custom-resource.yaml` file
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: view-custom-resource
rules:
- apiGroups:
  - <cluster_extension_api_group>
  resources:
  - <cluster_extension_custom_resources>
  verbs:
  - get
  - list
  - watch
----
+
.Example `edit-custom-resource.yaml` file
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: edit-custom-resource
rules:
- apiGroups:
  - <cluster_extension_api_group>
  resources:
  - <cluster_extension_custom_resources>
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
----
+
.Example `admin-custom-resource.yaml` file
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: admin-custom-resource
rules:
- apiGroups:
  - <cluster_extension_api_group>
  resources:
  - <cluster_extension_custom_resources>
  verbs:
  - '*' <1>
----
<1> Setting a wildcard (`*`) in `verbs` allows all actions on the specified resources.
.. Create the cluster roles by running the following command for any YAML files you created:
+
[source,terminal]
----
$ oc create -f <filename>.yaml
----
. Bind a cluster role to specific users or groups to grant them the necessary permissions for the resource:
.. Create an object definition for either a _cluster role binding_ to grant access across all namespaces or a _role binding_ to grant access within a specific namespace:
+
--
*** The following example cluster role bindings grant read-only `view` access to the custom resource across all namespaces:
+
.Example `ClusterRoleBinding` object for a user
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-custom-resource-binding
subjects:
- kind: User
  name: <user_name>
roleRef:
  kind: ClusterRole
  name: view-custom-resource
  apiGroup: rbac.authorization.k8s.io
----
+
.Example `ClusterRoleBinding` object for a group
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-custom-resource-group-binding # must differ from the user binding name
subjects:
- kind: Group
  name: <group_name>
roleRef:
  kind: ClusterRole
  name: view-custom-resource
  apiGroup: rbac.authorization.k8s.io
----
*** The following role binding grants `edit` permissions on the custom resource only within a specific namespace. A `RoleBinding` can reference the `ClusterRole` created earlier; the granted access is then limited to the namespace of the binding:
+
.Example `RoleBinding` object for a user
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edit-custom-resource-binding
  namespace: <namespace>
subjects:
- kind: User
  name: <user_name>
roleRef:
  kind: ClusterRole
  name: edit-custom-resource
  apiGroup: rbac.authorization.k8s.io
----
--
.. Save your object definition to a YAML file.
.. Create the object by running the following command:
+
[source,terminal]
----
$ oc create -f <filename>.yaml
----
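The following added example (not part of the OpenShift documentation) builds the `ClusterRole`, `ClusterRoleBinding` and namespaced `RoleBinding` objects from this procedure as Python dictionaries and lints the resulting set before it is handed to `oc create -f`: it reports unfilled `<...>` placeholders, bindings whose `roleRef` names a `ClusterRole` that was never created, duplicate object names, and wildcard verbs. The API group, resource and subject names used in the test are constructed, not taken from any real extension.

```python
# Verb sets for the view and edit cluster roles described in the procedure.
VIEW_VERBS = ["get", "list", "watch"]
EDIT_VERBS = VIEW_VERBS + ["create", "update", "patch", "delete"]


def cluster_role(name, api_group, resources, verbs):
    """ClusterRole granting `verbs` on `resources` of `api_group`."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name},
            "rules": [{"apiGroups": [api_group], "resources": list(resources),
                       "verbs": list(verbs)}]}


def binding(name, role_name, subject_kind, subject_name, namespace=None):
    """ClusterRoleBinding (cluster-wide) or, when a namespace is given, a
    RoleBinding that scopes the same ClusterRole to that namespace only."""
    obj = {"apiVersion": "rbac.authorization.k8s.io/v1",
           "kind": "RoleBinding" if namespace else "ClusterRoleBinding",
           "metadata": {"name": name},
           "subjects": [{"kind": subject_kind, "name": subject_name}],
           "roleRef": {"kind": "ClusterRole", "name": role_name,
                       "apiGroup": "rbac.authorization.k8s.io"}}
    if namespace:
        obj["metadata"]["namespace"] = namespace
    return obj


def lint(manifests):
    """Return a list of findings for a set of RBAC manifests. Only roleRefs
    to ClusterRoles are resolved; namespaced Roles are not tracked here."""
    findings = []
    roles = {m["metadata"]["name"] for m in manifests if m["kind"] == "ClusterRole"}
    seen = set()
    for m in manifests:
        name = m["metadata"]["name"]
        key = (m["kind"], m["metadata"].get("namespace"), name)
        if key in seen:  # two objects of one kind/name cannot both be created
            findings.append(f"duplicate {m['kind']} name {name}")
        seen.add(key)
        if m["kind"] == "ClusterRole":
            for rule in m["rules"]:
                if "*" in rule["verbs"]:  # expected only for the admin role
                    findings.append(f"wildcard verbs in ClusterRole {name}")
                for value in rule["apiGroups"] + rule["resources"]:
                    if value.startswith("<"):
                        findings.append(f"unfilled placeholder {value} in {name}")
        elif m["roleRef"]["kind"] == "ClusterRole" and m["roleRef"]["name"] not in roles:
            findings.append(f"{m['kind']} {name} references missing ClusterRole "
                            f"{m['roleRef']['name']}")
    return findings
```

Run `lint()` over every object you intend to create; an empty list means the bindings resolve to the roles you actually defined and no placeholder was left behind.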