Versions Compared

Old Version 1

changes.mady.by.user Roza Leyderman

Saved on

compared with

New Version 2

changes.mady.by.user Roza Leyderman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Role-Based Data Access

As part of RBAC implementation, a user can also achieve role based data access (view). To achieve this,

kloudfuse can be configured with Groups having assigned RBAC Policy (role and the associated view/scope) and together they define the RBAC Configuration of the system. To configure the system correctly please go through the following definitions.

Group

A group is set of users (a team) who share same RBAC configuration. In other words, share the same role and scope.

Code Block
    # Group name
    - name: group_editor_otel_namespace
    # List of users
      users:
      - id_key: X-Auth-Request-Email
        value: user@company.com
      - id_key: X-Auth-Request-User
        value: 123456789
User

A user is defined by a user id value. For example an email address. Kloudfuse RBAC uses the information obtained from the configured IAM during the login process. See following example of some user valid configurations.

...

kfuse uses id keys by default. Other id keys can be added as well.

RBAC Policy

An RBAC policy is defined by a role (one of the "admin"/"editor"/"viewer") and a scope assigned to that role.

Example policy: Viewer role for a custom scope.
Code Block
    # policy name
    - name: rbac_viewer_target_namespace
      # Role (one of admin/viewer/editor)
      role: viewer 
      # Custom scope giving access to data generated from kube_namespace called "target" 
      scope:
        filters:
        - key: kube_namespace
          op: =
          value: target
        type: custom
Example policy: Admin for all.
Code Block
    # policy name
    - name: rbac_admin_all
      # Role (one of admin/viewer/editor)
      role: admin
      # using inbuilt scope "all"
      scope:
        type: all
Example policy: Viewer role for a custom scope with regular expression in filter.
Code Block
    # policy name
    - name: rbac_viewer_target_namespace
      # Role (one of admin/viewer/editor)
      role: viewer 
      # Custom scope giving access to data generated from kube_namespace called "target" 
      scope:
        filters:
        - key: kube_namespace
          op: =~
          value: dev-.*
        type: custom

Scope

A scope defines what data a given user has access to. Kloudfuse platform has following inbuilt (reserved) access types.

Type: scope_allow_all

This scope allows access to all data. Typically used for users with "Admin" capabilities.

Type: scope_allow_none

Fully restricted. User will not be allowed any access.

Type: scope_viewer_all

Only read access to all data. Typically used for support operators who only needs to visualize and wouldn’t be making configuration changes.

Type: custom

Custom scopes can be used to provided limited access to data. For a scope to match all filters should match. Each filter is defined by a key, an operator (=, ~=, =~, !~) and value to match. For example, following custom scope is defining a filter which matches data such that kube_namespace="target":

Code Block
      scope:
        type: custom
        filters:
        - key: kube_namespace
          op: =
          value: target

RBAC Configuration

An RBAC configuration ties a given group to a given RBAC policy. Many such configurations can be configured in kfuse.

...