Hi,
We’re running OD v3.3.6 and I wonder what type of permission is needed to do an upgrade of Calamari on a newly installed node. The user has the following rights regarding environments:
EnvironmentCreate
EnvironmentDelete
EnvironmentEdit
EnvironmentView
Shouldn’t this be enough to do an upgrade as the user has the permission to create the environment/node in the first place?
Brgds
Jonas
Hi Jonas,
Thanks for getting in touch!
The user needs the TaskCreate as this is how Calamari is updated on a machine.
Hope that helps!
Thank you,
Henrik
Hi,
Thanks for your answer. The user has the following Task-permissions already:
TaskCancel
TaskCreate
TaskView
TaskViewLog
When he tries to do the update, the following is shown:
“The user ‘xxx@yyy.zzz’ must be a member of the Octopus Administrators group to perform this action”
Brgds
Jonas
Hi,
Thanks for your answer. The user has the following Task-permissions already:
TaskCancel
TaskCreate
TaskView
TaskViewLog
When he tries to do the update, the following is shown:
[cid:image001.jpg@01D24B0A.9A1E2A30]
Brgds
Jonas
Hi Jonas,
My apologies, I missed an additional permissions check that requires that to update Calamari on a machine the user has to be an Octopus administrator (the AdministerSystem permission).
Again, my apologies for missing this in my initial investigations and reply.
Thank you and best regards,
Henrik
Hi,
But isn’t that kind of strange that you need to be an administrator to update a calamari version but not to create a new environment? I don’t like the idea to give all developers administrative rights just to be able to upgrade a tentacle they just installed.
Brgds
Jonas
Hi Jonas,
Yes, I can understand it seems a bit strange, and I’m not sure why the decision was made to have it implemented that way and if it is something we’re going to change.
In the meantime, if the developer does a deployment Calamari will be updated on the machines that are running outdated Calamari version…
Thanks,
Henrik
Hi,
Ok, so you can actually do the update by doing a deploy instead. We will try this for now to know if it’s a workable way for us.
Brgds
Jonas
Thank you for allowing me to join this discussion.
I too encountered a similar problem, and I am also using OD 3.3.6. We went as far a creating a new user role based on System Administrator but with rights to specific environments and projects. It has the Task Create enabled, but we also find this user role is not sufficient to promote the Calamari update. Only “Octopus Administrators” seem to have this ability.
I understand that we can always just ‘deploy’ and the update will take place, but we’ve also seen this add several minutes to the deployment (which should have been about 30 seconds), causing stress and concern during a deployment. It would be better for us if we could do these updates when not doing a deployment, but it’s limited to a small subset of the staff.
Any chance anyone other than a system wide Octopus Administrator will have these rights in an upcoming release?
Hi Andrew,
Currently we have no plans on changing this.
Thank you,
Henrik
