I wanted to start a discussion on using triton/docker containers with a Joyent subuser account.
I'm not sure if I should file this report against sdc-docker repo or here at sdc-cloudapi.
As an FYI - I've also read this section of the Triton FAQ: Does Triton support RBAC? Yes, on an account level basis. We are evaluating how to best extend RBAC to sub-account users, given current limitations of the Docker API.
I'm guessing the above means, the "owner account" is the only place that triton/docker containers can run right now.
I've created a subuser account using the documentation for creating an administrator role and added a user to it:
sdc-role create --name=administrator
sdc-user create --login=cmosetick/testadmin --password=MyPasswd --email=hello@mydomain.com
sdc-role update 9a7e4afa-2946-4a4b-8805-4e5e36240c77 --members=testadmin --default-members=testadmin
I also added a ssh key to the testadmin subuser account, and confirmed that it is there in the web GUI.
I've added the testadmin ssh key to my ssh-agent session.
IMO, there is no way the output of this error message could be accurate:
bash ./sdc-docker-setup.sh -k us-east-3b.api.joyent.com cmosetick/testadmin ~/.ssh/testadmin-joyent
Setting up Docker client for SDC using:
CloudAPI: https://us-east-3b.api.joyent.com
Account: cmosetick/testadmin
Key: /Users/chris/.ssh/testadmin-joyent
If you have a pass phrase on your key, the openssl command will
prompt you for your pass phrase now and again later.
Verifying CloudAPI access.
* * *
sdc-docker-setup.sh: fatal error: invalid credentials
You must add create the 'cmosetick/testadmin' account and/or add your SSH
public key (/Users/chris/.ssh/testadmin-joyent.pub) to the
given SmartDataCenter.
Since the administrator role is supposed to be a 'special admin role', IMO, the setup script should work, or at the very least, a more meaningful error message should be returned to a subuser running the setup script. I do also want to note here that the "Docker" section of the my.joyent.com web GUI is missing from this sub user's account, which again, is outlined in the current Triton FAQ.
I think adding a special "triton" or "docker" role to the sdc-cloudapi would be a straightforward path to allowing subusers to create containers. Allowing the account owner to specify a corresponding policy with a hard limit on the maximum number of containers and the maximum amount of disk space for all containers would be the most logical start for this.
FYI the ssh key in my test is actually associated with the sub user account as far as I can tell, which would leave the sdc-cloudapi or the Docker API as the hurdle to allowing this to work.
Let me know how I can help out with this.
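A practical first check when sdc-docker-setup.sh reports "invalid credentials" is to confirm that the public key being passed on the command line is byte-for-byte the key registered on the account, by comparing fingerprints. The following is an added example (not code from the issue, from sdc-docker or from sdc-cloudapi): it parses an OpenSSH public key line, computes the colon-separated MD5 fingerprint that older Triton tooling and the account key listing show (an assumption about the fingerprint format), and compares it against a fingerprint copied from the web GUI. The ssh-ed25519 key material it builds is constructed for demonstration and is not a real key.

```python
"""Compare a local SSH public key's fingerprint with the one registered on
the (sub)user account. Added example; assumes the registered fingerprint is
shown as a colon-separated MD5 digest (optionally prefixed with "MD5:")."""
import base64
import hashlib
import struct


def ssh_wire_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str):
    """Parse an OpenSSH public key line ('type base64 [comment]').

    Returns (key_type, blob). The blob's leading wire string must name the
    same key type as the line's first field, which catches mangled key files.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode("ascii")
    if embedded_type != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {embedded_type}")
    return key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of the raw key blob (e.g. 'ab:cd:...')."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(local_line: str, registered_fp: str) -> bool:
    """True when the local key line's fingerprint equals the registered one.

    Tolerates an 'MD5:' prefix, surrounding whitespace and upper-case hex,
    which is how a fingerprint copied from a web page usually arrives.
    """
    _, blob = parse_public_key_line(local_line)
    wanted = registered_fp.strip().lower()
    if wanted.startswith("md5:"):
        wanted = wanted[4:]
    return md5_fingerprint(blob) == wanted


def make_sample_ed25519_line(seed: int, comment: str) -> str:
    """Build a constructed ssh-ed25519 public key line for demonstration.

    The 32 'public key' bytes are synthetic (derived from `seed`), so the
    result is structurally valid but is NOT a usable key.
    """
    fake_pub = bytes((seed * 7 + i) % 256 for i in range(32))
    blob = ssh_wire_string(b"ssh-ed25519") + ssh_wire_string(fake_pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    # Stand-alone demo: fingerprint a constructed key and compare it to itself
    # and to a second, different constructed key.
    line = make_sample_ed25519_line(1, "testadmin-joyent")
    key_type, blob = parse_public_key_line(line)
    fp = md5_fingerprint(blob)
    print(key_type, fp)
    print("same key matches:", fingerprints_match(line, "MD5:" + fp.upper()))
    print("other key matches:", fingerprints_match(make_sample_ed25519_line(2, "other"), fp))
```

To use it against a real key, read the line from `~/.ssh/testadmin-joyent.pub` and pass the fingerprint shown beside the key on the account's key list; a mismatch means the setup script is signing with a key CloudAPI has never seen for that login, which produces exactly the "invalid credentials" error quoted above regardless of which role the subuser holds.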
I too am having difficulty working this out. Subusers appear to be unsupported for the Docker components at this stage. Whilst I think it would be super helpful to be able to set this up properly, it would be better to at least say where it's up to somewhere. Maybe here - https://docs.joyent.com/public-cloud/rbac/rules#cloudapiactions
This idea is being covered under RFD13 for RBACv2. @arekinath does it make sense to keep this issue open or should we close this issue in lieu of RFD13?