permissions from coldfront OCP do not appear to carry over to RHOAI workbooks, ID behaviour, correct behaviour and how to fix

[msdisme]

@DanNiESh: It appears that a number or RHOAI workbooks got created. The permissions to clean these up according to these instructions: https://nerc-project.github.io/nerc-docs/openshift/decommission/decommission-openshift-resources/#delete-all-workbenches do not work for msd@bu.edu though I am a manager (and in fact the creator) of the projects in coldfront.

• identify what the behaviour is in terms of coldfont manager permissions for RHOAI
• identify what the behavior should be and write appropriate story to get it captured and implemented
• grant msd@bu.edu permission to delete the workbenches

List of RHOAI projects to clean up (must be done before OpenShift are cleaned up):

Name	Workbench	Status	Created
DS async-batch-cloud-llms-a7f19f	-	-	9/27/2024, 5:03:41 PM
DS automation-snowflake-harness-0e77a2	-	-	9/27/2024, 5:03:31 PM
DS automation-snowflake-harness-1ad4c3	-	-	9/27/2024, 5:03:15 PM
DS autopilot-dashboard-f3dc9e	-	-	9/27/2024, 5:04:09 PM
DS container-native-fs-interposer-36a707	-	-	9/27/2024, 5:04:19 PM
DS github-bot-kata-ci-96dd36	-	-	9/27/2024, 5:03:06 PM
DS hybrid-tx-analytical-epoxy-31f481	-	-	11/15/2024, 12:09:31 PM

List of OpenShift projects to cleanup:

ID Sort ID asc Sort ID desc	Project	PI Sort PI asc Sort PI desc	Resource Name Sort Resource Name asc Sort Resource Name desc	Status Sort Status asc Sort Status desc	End Date Sort End Date asc Sort End Date desc
587	github-bot-kata-ci	Ata Turk (ataturk@bu.edu)	NERC-OCP (OpenShift)	Active	Sept. 27, 2025
589	async-batch-cloud-llms	Ata Turk (ataturk@bu.edu)	NERC-OCP (OpenShift)	Active	Sept. 27, 2025
590	async-batch-cloud-llms	Ata Turk (ataturk@bu.edu)	NERC-OCP (OpenShift)	Denied	None
592	autopilot-dashboard	Ata Turk (ataturk@bu.edu)	NERC-OCP (OpenShift)	Active	Sept. 27, 2025
593	container-native-fs-interposer	Ata Turk (ataturk@bu.edu)	NERC-OCP (OpenShift)	Active	Sept. 27, 2025
594	automation-snowflake-harness	Ata Turk (ataturk@bu.edu)	NERC-OCP (OpenShift)	Active	Sept. 27, 2025
595	automation-snowflake-harness	Ata Turk (ataturk@bu.edu)	NERC-OCP (OpenShift)	Expired	Sept. 27, 2025
607	hybrid-tx-analytical-epoxy	Ata Turk (ataturk@bu.edu)	NERC-OCP (OpenShift)	Active	Nov. 15, 2025

[DanNiESh]

From my investigation, the manager permission in coldfront is mapped to the edit rolebinding in the project in openshift, same as the non-manager users in the coldfront projects. Coldfront managers has the same level of access to RHOAI/OpenShift as non-manager users, which allows you to delete/shutdown workbenches inside the project. I think coldfront managers should have more granular rolebindings to differentiate them from regular users.

I don't see there are any workbenches left in these DS projects. Can you share the screenshot of the permission error during deletion? I'll be back next Monday and will take a closer look.

[msdisme]

Cleanup OpenShift for Classes - this is from 12-27-2024. @DanNiESh I will reproduce again before you get back)

1. install Openshift CLI (get token good for 24 hours)
2. Check if any have RHOAI projects
3. (did this screen shot 2025-01-09 without token)

• Documentation says delete workbenches. I am only offered delete project which shows:
  
  @Milstein is it correct that I am not offered workbench, rather project in the above UI?
  Attempt to delete gives error:
  

[DanNiESh]

Only system admin can delete project. If you use CLI, run oc delete project <project_name> --as system:admin

[msdisme]

ahh, well, I don't think I have those permissions. @Milstein how would you like to proceed? @DanNiESh if I had created those workbenches without system:admin would I be able to delete them?

[DanNiESh]

Yes, you would be able to delete workbenches without system:admin. But deleting projects needs a cluster admin level permission.