...
The following sections outline the basic steps and provide examples on how to configure various components of RBAC.
Change default policy; applies to KloudFuse releases before 2.7.2.
Apply changes; applies to KloudFuse releases before 2.7.2.
Default User Role
To review general concepts, see Role-Based Access Control (RBAC).
Enable RBAC
To enable RBAC, add the following code to the <custom_values.yaml> file:
RBACEnabled: true
The default RBAC policy is a fully-enabled RBAC, with full access.
Default User Role
The default user role for new users in Kloudfuse is Editor.
rbacDefaultUserRole: Editor
Admins can change this setting in the UI for individual users. See Assign Roles.
To change the default assignment for new users to Viewer, use rbacDefaultUserRole: Viewer in the values.yaml file instead.
Code Block |
---|
global:
  ...
  RBACEnabled: true
  rbacDefaultUserRole: Editor |
Policy Configuration
Note |
---|
Starting with Release 2.7.2, KloudFuse DOES NOT SUPPORT policy configuration at script level. |
Use the following template, and make changes in the <custom_values.yaml>
...
Default Policy
Users who do not have a Policy assigned through the UI get a default level of access, depending on their Role:
Admins
default_rbac_policy: rbac_allow_all
...
Change default policy
Note |
---|
Starting with Release 2.7.2, KloudFuse DOES NOT SUPPORT policy configuration at script level. |
When RBAC is enabled, the default policy allows full access. Add the following to your <custom_values.yaml> to use a custom policy, or to change the default policy from full access to no access.
Example: Default policy to disallow all capabilities
Note: Using “scope_allow_none” as the default policy ensures that a logged-in user doesn’t have any capabilities (view data or take actions) in the system. It doesn’t restrict the user from logging in to the Kloudfuse system.
Code Block |
---|
user-mgmt-service:
  config:
    # # - in built scope types:
    # # Kloudfuse has following inbuilt RBAC policies
    # # rbac_allow_all - this policy grants admin like access (View + Edit capabilities for all data scope/workflows).
    # # rbac_allow_none - this policy denies all capabilities (No data view, No edit workflow capabilities)
    # # rbac_view_all - this policy grants viewer access to all data, no edit workflow capabilities.
    # #
    default_rbac_policy: rbac_allow_none |
Example: Default policy to provide custom scope
The following example uses a custom policy called rbac_viewer_target_namespace as the default policy. Please see here to learn more about policy definition.
Code Block |
---|
user-mgmt-service:
  config:
    # # - in built scope types:
    # # scope_allow_all -- this policy grants admin like access
    # # scope_viewer_all -- this policy grants viewer access
    # # scope_allow_none -- this policy denies all capabilities
    # #
    default_rbac_policy: rbac_viewer_target_namespace |
Apply changes
Note |
---|
Starting with Release 2.7.2, KloudFuse DOES NOT SUPPORT policy configuration at script level. |
...
Editors
default_rbac_policy: rbac_allow_all
Viewers
default_rbac_policy: rbac_allow_all
To change the default policy for the various roles, change the default_rbac_policy in the values.yaml file.
See Change a Policy to set the policy in the UI.
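A least-privilege check over the settings described on this page, as an added example (not Kloudfuse code): it flags a values file that leaves RBAC off, keeps the Editor default role, or keeps rbac_allow_all as the default policy for releases before 2.7.2. The function names, the minimal YAML reader, the sample files, and the assumption that RBAC is off when RBACEnabled is absent are this example's own.

```python
import re

def flatten(text):
    """Flatten nested YAML mappings (scalars only, no lists) to dotted keys."""
    out, stack = {}, []                      # stack of (indent, key) parents
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()   # drop indented/inline comments
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", line)
        if not m:                            # blank, comment-only or unsupported line
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\" ")
        while stack and stack[-1][0] >= indent:
            stack.pop()                      # leave deeper or sibling blocks
        if value:
            out[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return out

def audit(text):
    """Return least-privilege findings for the RBAC keys shown on this page."""
    v, findings = flatten(text), []
    # Assumption: RBAC stays off unless RBACEnabled is set to true.
    if v.get("global.RBACEnabled", "false").lower() != "true":
        findings.append("RBAC is not enabled")
    role = v.get("global.rbacDefaultUserRole", "Editor")   # page: default is Editor
    if role != "Viewer":
        findings.append(f"new users get role {role}")
    # Page: with RBAC enabled, the default policy allows full access.
    policy = v.get("user-mgmt-service.config.default_rbac_policy", "rbac_allow_all")
    if policy == "rbac_allow_all":
        findings.append("users without a policy get rbac_allow_all")
    return findings

# Constructed sample values files (not taken from a real deployment).
PERMISSIVE = """\
global:
  RBACEnabled: true
  rbacDefaultUserRole: Editor
"""
RESTRICTIVE = """\
global:
  RBACEnabled: true
  rbacDefaultUserRole: Viewer
user-mgmt-service:
  config:
    # built-in: rbac_allow_all, rbac_allow_none, rbac_view_all
    default_rbac_policy: rbac_allow_none
"""

if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print(name, audit(text) or "no findings")
```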