Role-based access control (RBAC) is an approach that restricts system access to resources based on user roles.
With Kublr RBAC, an administrator can create roles that restrict a user's access to specific resources. For example, a role can be created that allows the user to view and update clusters but does not allow deleting them. Roles can be created in global scope (affects all spaces) or space scope (affects only the specific space in which the role is created).
Keycloak gives administrators control over users. To log in to your Keycloak administrative screen, open an existing platform and follow the Keycloak link.
Using Keycloak, an administrator can create new users and assign them to groups. Kublr creates two user groups for you: KublrDefaultUser and KublrFullAdmin. By default, every new (non-admin) user is assigned to the group KublrDefaultUser, so every new user starts with a certain set of default permissions. User groups let you put multiple users in the same category, and an administrator can create more groups if required. Using user groups together with Kublr RBAC, an administrator can apply restrictions to a whole group of users. For more information about Keycloak, click here.
To create a new user, do the following:
In this screenshot, an administrator is able to view global roles and space roles. By default Kublr creates a standard set of roles for you. Those roles are: KublrFullAdmin, KublrDefaultUser, and KublrReadOnly.
Let's create a space role that allows a new user, bob, to view a space called new-space.
We can see our new role appear in the Space Roles section on the Roles page.
Now that the role is created, we need to bind the user called bob with that role. This can be accomplished by using Role Bindings.
To link the user to a role, the admin has to create a role binding. Let's create a Role Binding that binds the user bob to the role called my-new-role.
Now that we have created a role binding, the user bob can see new-space in his list of spaces. If we log out of the administrator account and log in to bob's account, this is what we observe.
Now, let's give the same user the ability to view and create clusters. We can do that by adding another Policy Rule to the Role we created earlier. Log back in to the admin account and do the following:
There is no need to create a new Role Binding since the user is already bound to the created role.
Log in as the user bob to see that the new policy has taken effect.
In a similar fashion, an administrator can control all the resources a user is able to see. To read more about RBAC and all the possible resources, click here.
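To make the scope and binding semantics described above concrete, here is an added Python model of the authorization decision that replays the bob / new-space / my-new-role walkthrough; it is not Kublr's code or API, and the class names, resource and verb strings, and bob's group membership are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional
# Hypothetical model of the concepts in the text (role scope, policy rules,
# role bindings, groups). It is NOT Kublr's API or its storage format.

@dataclass(frozen=True)
class PolicyRule:
    resources: FrozenSet[str]    # e.g. {"spaces", "clusters"}
    verbs: FrozenSet[str]        # e.g. {"view", "create", "update", "delete"}

@dataclass
class Role:
    name: str
    scope: str                   # "global" (all spaces) or "space" (one space)
    space: Optional[str] = None  # the space a space-scoped role was created in
    rules: List[PolicyRule] = field(default_factory=list)

@dataclass(frozen=True)
class RoleBinding:
    subject: str                 # a user name or a group name
    role: str

def allowed(roles: Dict[str, Role], bindings: List[RoleBinding],
            groups: Dict[str, FrozenSet[str]], user: str,
            verb: str, resource: str, space: str) -> bool:
    """Grant only if a role bound to the user (directly or via one of the user's
    groups) is in scope for the space and has a rule for verb on resource.
    Rules only add permissions, so anything not granted is denied."""
    subjects = {user} | groups.get(user, frozenset())
    for b in bindings:
        if b.subject not in subjects:
            continue
        role = roles[b.role]
        if role.scope == "space" and role.space != space:
            continue  # space role created in another space does not apply here
        if any(resource in r.resources and verb in r.verbs for r in role.rules):
            return True
    return False

def walkthrough() -> Dict[str, bool]:
    # Step 1: space role in new-space with a single "view spaces" rule, bound to bob.
    role = Role("my-new-role", "space", "new-space",
                [PolicyRule(frozenset({"spaces"}), frozenset({"view"}))])
    roles, groups = {"my-new-role": role}, {"bob": frozenset({"KublrDefaultUser"})}
    bindings = [RoleBinding("bob", "my-new-role")]
    can = lambda verb, res, sp: allowed(roles, bindings, groups, "bob", verb, res, sp)
    out = {"view_new_space": can("view", "spaces", "new-space"),
           "view_other_space": can("view", "spaces", "other-space")}
    # Step 2: extend the same role with a clusters rule; no new binding is needed.
    role.rules.append(PolicyRule(frozenset({"clusters"}), frozenset({"view", "create"})))
    out["create_cluster"] = can("create", "clusters", "new-space")
    out["delete_cluster"] = can("delete", "clusters", "new-space")
    return out
```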