TIBCO ModelOps Install on Azure with limited use of the Owner role


Article ID: KB0072232


Products: TIBCO ModelOps
Versions: 1.1

Description

When installing ModelOps 1.1, the acrpush/acrpull permissions do not work, so the only alternative is to assign the ModelOps application the Owner role. This weakens security. Is there a way to install and run ModelOps without the Owner role for the application?

Issue/Introduction

Installation requires the application to have the Owner role only for the 'az aks create' command.

Environment

Microsoft Azure AKS

Resolution

The ModelOps application requires the Owner role only during the installation period.

Without the Owner role for the application, the following command fails with this error:
> az aks create  --resource-group tibcomodelops  --service-principal ******  --client-secret ******  --name tibcomodelops  --max-pods 200  --node-count 1  --enable-cluster-autoscaler  --min-count 1  --max-count 5  --no-ssh-key   --windows-admin-password ****** --windows-admin-username *****  --vm-set-type VirtualMachineScaleSets  --node-vm-size Standard_B8ms   --network-plugin azure  --attach-acr tibcomodelops  --output table

Waiting for AAD role to propagate[#####    ]  90.0000%Could not create a role assignment for ACR. Are you an Owner on this subscription?

Refer to the documentation page:
  TIBCO ModelOps Documentation: AKS Installation

When registering the application at the step:
  REGISTER THE APPLICATION, OBTAIN REQUIRED SERVICE PRINCIPAL AND CLIENT SECRET
assign the Owner role to avoid the problem with the acrpush and acrpull permissions. The Azure Owner role is needed only for the duration of the 'az aks create' command, after which the application role may be set to Contributor. ModelOps will then run correctly with only Contributor permissions.
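
One way to script the role change described above, so that the Owner role is dropped back to Contributor even when the install command fails. This is an added example, not part of the TIBCO article or documentation. The function names, APP_ID and SCOPE are hypothetical placeholders; the subscription scope is taken from the wording of the error message, and the session running the script is assumed to be allowed to manage role assignments.

```shell
#!/usr/bin/env bash
# Added example: keep the Owner role only for the duration of one install command.
# APP_ID and SCOPE are placeholders (assumptions), not values from the article.
APP_ID="${APP_ID:-<application-client-id>}"
SCOPE="${SCOPE:-/subscriptions/<subscription-id>}"

grant_role() {
    az role assignment create --assignee "$APP_ID" --role "$1" --scope "$SCOPE" --output none
}

revoke_role() {
    az role assignment delete --assignee "$APP_ID" --role "$1" --scope "$SCOPE"
}

# Succeeds (exit 0) while an Owner assignment for APP_ID still exists at SCOPE.
owner_still_assigned() {
    [ -n "$(az role assignment list --assignee "$APP_ID" --role Owner \
            --scope "$SCOPE" --query '[].id' --output tsv)" ]
}

# Grant Owner, run the given command, then always fall back to Contributor,
# even when the command fails. Returns the command's exit status, or 1 if the
# downgrade itself failed.
with_temporary_owner() {
    _rc=0
    grant_role Owner || return 1
    "$@" || _rc=$?
    # Add Contributor before removing Owner so the application is never left
    # without a role.
    grant_role Contributor || _rc=1
    revoke_role Owner || _rc=1
    return "$_rc"
}

# Usage (the command is the one from the article, arguments unchanged):
#   with_temporary_owner az aks create --resource-group tibcomodelops ...
#   owner_still_assigned && echo "Owner role is still assigned" >&2
```

Running owner_still_assigned after the install confirms that no Owner assignment remains for the application at the chosen scope.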