Kublr RBAC UI

Role-based access control (RBAC) is an approach that restricts system access to resources based on user roles.

Overview

Using RBAC, an administrator is now able to create roles which could restrict the user from accessing specific resources. For example, a role can be created which allows the user to view and update clusters, but does not allow deleting them. Roles can be created in global scope (impacts all spaces) or space scope (impacts a specific space in which it is created).

Keycloak

Keycloak provides administrators with control over the users. To log in to your Keycloak administrative screen, open an existing platform and follow the Keycloak link.

Using Keycloak, an administrator can create new users and assign them to groups. Kublr creates two user groups for you: KublrDefaultUser and KublrFullAdmin. By default, every new (non-admin) user is assigned to the group KublrDefaultUser. This means that every new user has a certain set of permissions assigned by default. User groups help put multiple users in the same category. An administrator is able to create more user groups if required. Using the user groups together with Kublr RBAC, an administrator is able to link restrictions to a group of users. For more information about Keycloak click here.

To create a new user, do the following:

  1. Click Users in the left navigation menu.
  2. Click the Add User button.
  3. Fill out the form and click Save to create a new user.
  4. After the user is created, you can view the groups the user is assigned to by navigating to the Groups tab.

Roles

On the Roles screen, an administrator is able to view global roles and space roles. By default Kublr creates a standard set of roles for you. Those roles are: KublrFullAdmin, KublrDefaultUser, and KublrReadOnly.

Let's create a space role which will allow a new user, bob, to view a space called new-space.

  1. Click the Add New Role button at the top right of the screen. A dialog will appear which will allow you to specify the permissions of the role.
  2. At the top of the dialog, select the Space Role radio button.
  3. Enter my-new-role for the name.
  4. In the Policy Rules 1 section, add a resource called space by pressing the plus sign and entering space in the input window.
  5. The Verbs specify what kind of permissions you would like to give the user for the resource space. In our case, let's only give the user the ability to view the space but not to update or delete it. We can do this by selecting the verbs List and Get.
  6. After all the steps are completed, review the dialog: it should show the space role my-new-role with one policy rule for the resource space and the verbs List and Get.
  7. Press the Create button at the lower right in order to create the role.

We can see our new role appear in the Space Roles section on the Roles page.

Now that the role is created, we need to bind the user called bob with that role. This can be accomplished by using Role Bindings.

Role Bindings

In order to link the user to a role, the admin has to create a role binding. Let's create a role binding which will bind the user bob to the role called my-new-role.

  1. Click the Add Binding button to the right of my-new-role in the Space Roles section. This will open the Role Binding creation dialog.
  2. In the dialog, give the role binding the name my-new-role-binding.
  3. In the subject section, make sure that the subject is set to User, since the binding we are creating is for a single user and not for a group of users.
  4. In the input area to the right of the subject, enter the name of the user we want to bind to our role. In our case, the name is bob.
  5. Click the Add Subject button in order to add the user to the binding.
  6. At this point, the dialog should list my-new-role-binding with the single User subject bob.
  7. Click the Save Binding button at the lower right in order to create the role binding.

Now that we have created the role binding, the user bob will be able to see new-space in his list of spaces. If we log out from the administrator account and log into bob's account, that space is the only one he observes.

Now, let's give the same user the ability to view and create clusters. We can do that by adding another policy rule to the role we created earlier. Log back in to the admin account and do the following:

  1. To the right of my-new-role, click the Edit Role button.
  2. Click the Add Policy Rule button to add another policy rule.
  3. In the new policy rule, enter cluster and cluster/id for Resources, and select List, Get, and Post for Verbs. List and Get will grant the user access to view all clusters, while Post will grant permission to create clusters.
  4. Click the Update Role button in order to update the role and apply the new policy.

There is no need to create a new Role Binding since the user is already bound to the created role.

Log in as the user bob to see that the new policy took effect.
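To make the scope and deny-by-default behaviour of this walk-through concrete, here is an added Python model of the concepts described above (roles, policy rules with resources and verbs, role bindings). It is not Kublr's own code: the data structures and the `is_allowed` function are assumptions that encode my-new-role in new-space, the binding for bob, and the checks of what bob may and may not do.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    resources: frozenset  # e.g. {"space"} or {"cluster", "cluster/id"}
    verbs: frozenset      # e.g. {"List", "Get"}


@dataclass(frozen=True)
class Role:
    name: str
    space: str            # None for a global role, the space name for a space role
    rules: tuple          # tuple of PolicyRule


@dataclass(frozen=True)
class RoleBinding:
    name: str
    role: str
    subjects: frozenset   # ("User", name) or ("Group", name) pairs


def is_allowed(user, groups, space, resource, verb, roles, bindings):
    """Deny by default: allow only if a binding for the user (or one of the
    user's groups) names a role whose scope covers `space` and whose rules
    grant `verb` on `resource`. Constructed model, not Kublr's own logic."""
    mine = {("User", user)} | {("Group", g) for g in groups}
    by_name = {r.name: r for r in roles}
    for binding in bindings:
        role = by_name.get(binding.role)
        if role is None or not (binding.subjects & mine):
            continue
        if role.space is not None and role.space != space:
            continue  # a space role grants nothing outside its own space
        if any(resource in r.resources and verb in r.verbs for r in role.rules):
            return True
    return False


# The walk-through from this page: my-new-role in new-space, bound to bob.
MY_NEW_ROLE = Role("my-new-role", "new-space", (
    PolicyRule(frozenset({"space"}), frozenset({"List", "Get"})),
    PolicyRule(frozenset({"cluster", "cluster/id"}), frozenset({"List", "Get", "Post"})),
))
BINDINGS = (RoleBinding("my-new-role-binding", "my-new-role", frozenset({("User", "bob")})),)


def bob_can(resource, verb, space="new-space"):
    return is_allowed("bob", set(), space, resource, verb, (MY_NEW_ROLE,), BINDINGS)
```

The same binding grants bob nothing in any other space and nothing for verbs that were not selected (for example Delete on cluster), which is exactly the least-privilege shape the two policy rules above express.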

In a similar fashion, an administrator can control all the resources that a user is able to see. To read more about RBAC and all the possible resources click here.
