Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

Role-Based Data Access

As part of RBAC implementation, a user can also achieve role based data access (view). To achieve this,

kloudfuse can be configured with Groups having assigned RBAC Policy (role and the associated view/scope) and together they define the RBAC Configuration of the system. To configure the system correctly please go through the following definitions.

Group

A group is set of users (a team) who share same RBAC configuration. In other words, share the same role and scope.

    # Group name
    - name: group_editor_otel_namespace
    # List of users
      users:
      - id_key: X-Auth-Request-Email
        value: user@company.com
      - id_key: X-Auth-Request-User
        value: 123456789
User

A user is defined by a user id value. For example an email address. Kloudfuse RBAC uses the information obtained from the configured IAM during the login process. See following example of some user valid configurations.

      - id_key: X-Auth-Request-Email
        value: user@company.com

kfuse uses id keys by default. Other id keys can be added as well.

RBAC Policy

An RBAC policy is defined by a role (one of the "admin"/"editor"/"viewer") and a scope assigned to that role.

Example policy: Viewer role for a custom scope.
    # policy name
    - name: rbac_viewer_target_namespace
      # Role (one of admin/viewer/editor)
      role: viewer 
      # Custom scope giving access to data generated from kube_namespace called "target" 
      scope:
        filters:
        - key: kube_namespace
          op: =
          value: target
        type: custom
Example policy: Admin for all.
    # policy name
    - name: rbac_admin_all
      # Role (one of admin/viewer/editor)
      role: admin
      # using inbuilt scope "all"
      scope:
        type: all
Example policy: Viewer role for a custom scope with regular expression in filter.
    # policy name
    - name: rbac_viewer_target_namespace
      # Role (one of admin/viewer/editor)
      role: viewer 
      # Custom scope giving access to data generated from kube_namespace called "target" 
      scope:
        filters:
        - key: kube_namespace
          op: =~
          value: dev-.*
        type: custom

Scope

A scope defines what data a given user has access to. Kloudfuse platform has following inbuilt (reserved) access types.

Type: scope_allow_all

This scope allows access to all data. Typically used for users with "Admin" capabilities.

Type: scope_allow_none

Fully restricted. User will not be allowed any access.

Type: scope_viewer_all

Only read access to all data. Typically used for support operators who only needs to visualize and wouldn’t be making configuration changes.

Type: custom

Custom scopes can be used to provided limited access to data. For a scope to match all filters should match. Each filter is defined by a key, an operator (=, ~=, =~, !~) and value to match. For example, following custom scope is defining a filter which matches data such that kube_namespace="target":

      scope:
        type: custom
        filters:
        - key: kube_namespace
          op: =
          value: target

RBAC Configuration

An RBAC configuration ties a given group to a given RBAC policy. Many such configurations can be configured in kfuse.

    rbac_configs:
    - group: group_editor_otel_namespace
      policy: rbac_editor_otel_namespace
    - group: group_viewer_target_namespace
      policy: rbac_viewer_target_namespace

 

  • No labels