Manage RBAC

Objective

This guide provides information on VoltConsole's Role-based Access Control (RBAC) and instructions on how to manage it. RBAC is used to define and enforce user capabilities while using the Volterra platform.


Roles and Privileges

Every user has one or more roles assigned, and each role maps to a set of privileges. The privileges define which actions the user is allowed to perform. In Volterra, privileges are expressed as API groups; an API group defines the set of actions (APIs) that are allowed under it.

The Volterra RBAC consists of the following types of roles:

1. Default Roles

The default roles are predefined in the system and cannot be changed or customised. You can use these roles to control the privileges of users. The following table lists the default roles and their associated privileges:
Category Default Admin Network-Admin Developer Monitor Power-Developer Infra-Admin Billing UAM Developer-monitor
UAM Allow (CRUD) Allow (R) Allow (R) Allow (CRUD)
Infrastructure Allow (CRUD) Allow (R) Allow (R) Allow (CRUD)
Proxy Allow (CRUD) Allow (CRUD) Allow (CRUD) Allow (R) Allow (CRUD) Allow (R)
General Allow (CRUD) Allow (R) Allow (CRUD)
Proxy-Monitor Allow (CRUD) Allow (CRUD) Allow (CRUD) Allow (R) Allow (CRUD) Allow (R)
Network Allow (CRUD) Allow (CRUD) Allow (R) Allow (R)
Internal Allow (CRUD) Allow (R) Allow (R)
Proxy-security Allow (CRUD) Allow (CRUD) Allow (R) Allow (CRUD) Allow (R)
Infra-monitor Allow (CRUD) Allow (R) Allow (R)
Labels Allow (CRUD) Allow (CRUD) Allow (CRUD) Allow (R) Allow (CRUD) Allow (R)
Secrets Allow (CRUD) Allow (CRUD) Allow (CRUD) Allow (R) Allow (CRUD) Allow (R)
Monitor Allow (CRUD) Allow (CRUD) Allow (CRUD) Allow (R) Allow (CRUD) Allow (R)
IaaS/CaaS Allow (CRUD) Allow (CRUD) Allow (R) Allow (CRUD) Allow (R)
Virtual_sites Allow (CRUD) Allow (CRUD) Allow (CRUD) Allow (R) Allow (CRUD) Allow (R)
Proxy-WAF Allow (CRUD) Allow (CRUD) Allow (CRUD) Allow (R) Allow (CRUD) Allow (R)
Billing Allow (CRUD) Allow (R) Allow (R) Allow (CRUD)
Web-access Allow Allow Allow Allow Allow Allow Allow Allow Allow Allow
Support Allow (CRUD) Allow (R) Allow (CRUD)

Note: For simplicity, this table describes each API group's privileges in terms of Create, Read, Update, and Delete (CRUD) operations; (R) alone means read-only access. Each role name in the Volterra platform is prefixed with ves-io- and suffixed with -role. For example, the default role is named ves-io-default-role.

2. Custom Roles

You can create roles and customise them by assigning one or more API groups. These roles can be assigned to users and can be updated or removed as needed. Assign only the API groups the role actually requires: a role that is meant only to observe a resource needs the corresponding read group, not the matching write group.

Note: A user must hold at least one of the ves-io-monitor-role, ves-io-power-developer-role, or ves-io-admin-role roles in a namespace for that namespace to appear in the namespace dropdown in the VoltConsole.


Prerequisites

You must have a valid VES account. If you do not have an account, see Create a VES Account.


View RBAC Policy Rules and API Groups

You can view the predefined RBAC policy rules and the various API groups information from the VoltConsole.

Step 1: Log into the VoltConsole and view in-built policies.

From the system namespace, select IAM from the configuration menu. Select RBAC Policies->In-built Policy Rules from the options pane. Click > for any policy in the displayed list to view the policy in JSON format.

inbuilt rbac
Figure: In-built RBAC Policy Rules

Note: The api_group_matcher field in the displayed information shows the API groups associated with the rule.

Step 2: View API groups.

Select API Groups from the options pane. Click > for any group from the displayed list to view the group information in JSON format.

apigroup json
Figure: API Group Information

Note: The elements field in the displayed information shows the APIs associated with the group.

Step 3: View the APIs associated with an API group.

Click the value in the Elements field against any API group in the list to view the APIs of that group in another window.

apigrp list
Figure: API Group List

apigroup elements
Figure: API Group Elements


Create a Role

Perform the following to create a role and assign API groups to it:

Step 1: Navigate to role configuration and open a role creation form.

Log into the VoltConsole and, from the system namespace, select IAM from the configuration menu. Select Roles from the options pane. Click ➕Roles to open the role creation form.

nav roles
Figure: Navigate to Roles

Step 2: Select API groups for the role.

Set a name for the role and click Allowed API Groups. Select the API groups you want and click Save to add them to the role. This example creates a custom role named infrawatcher with the ves-io-infra-monitor-read and ves-io-infra-monitor-write groups.

api groups
Figure: API Group Selection

Note: Click on the value under the Elements field to view the list of APIs that are part of the associated group.

Step 3: Complete role creation.

Click Save to create the role.

role conf
Figure: Role Configuration and Creation


Create a User and Assign Roles

You can configure SSO for your organization and assign roles to the users after they log into the VoltConsole or you can create users from the VoltConsole and assign roles. See Integrations for instructions on configuring SSO for your enterprise.

Perform the following to create a user from the VoltConsole and assign roles to the user:

Step 1: Navigate to user management and open user creation form.

Log into the VoltConsole and, from the system namespace, select IAM from the configuration menu. Select Users from the options pane. Click ➕Users to open the user creation form.

Step 2: Enter basic configuration and assign roles to the user.

Enter the email address of the user in the Email field. Enter the first name and last name of the user and click Assign roles and namespaces. Add the roles and namespaces as per the following guidelines:

  • Select a namespace or all application namespaces for the Namespace field.
  • Optionally, select the Make Admin checkbox to grant the administrator role for that namespace. Because the administrator role gives full control of the namespace, grant it only to users who need it.
  • Select a role from the drop-down list in the Role field. Click Add another role to add more roles.
  • Click Add roles to apply roles to the user.

user roles
Figure: Add Roles and Namespaces

Step 3: Complete user creation.

Click Add user to create the user.

user create
Figure: Create User


Concepts