Roles

Objective

This guide provides information on VoltConsole's Role-based Access Control (RBAC) and instructions on how to manage it. RBAC is used to define and enforce user capabilities while using the Volterra platform.


Roles and Privileges

Every user has one or more roles assigned, and these roles are mapped to a certain set of privileges. The privileges define what actions the user is allowed to perform. The privileges are identified by the API groups in Volterra, and an API group defines which actions (APIs) are allowed under it.

The Volterra RBAC consists of the following types of roles:

1. Default Roles

The default roles are predefined in the system and cannot be changed or customised. You can use these roles to control the privileges or abilities of users. The following table lists the default roles and the associated privileges:

| Category | Default | Admin | Monitor | Power-Developer |
|---|---|---|---|---|
| UAM | | Allow (CRUD) | Allow (R) | Allow (R) |
| Infrastructure | | Allow (CRUD) | Allow (R) | Allow (R) |
| Proxy | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| General | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| Proxy-Monitor | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| Network | | Allow (CRUD) | Allow (R) | Allow (R) |
| Internal | | Allow (CRUD) | Allow (R) | Allow (R) |
| Proxy-security | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| Infra-monitor | | Allow (CRUD) | Allow (R) | Allow (R) |
| Labels | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| Secrets | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| Monitor | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| IaaS/CaaS | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| Virtual_sites | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| Proxy-WAF | | Allow (CRUD) | Allow (R) | Allow (CRUD) |
| Billing | | Allow (CRUD) | Allow (R) | Allow (R) |
| Web-access | Allow | Allow | Allow | Allow |

Note: This table classifies API groups in terms of the Create, Read, Update, and Delete (CRUD) groups for simplicity. Each role name in the Volterra platform is prefixed with the ves-io string and suffixed with the role string. For example, the default role is identified by the ves-io-default-role name.

2. Custom Roles

You can create roles and customise them by assigning one or more API groups. These roles can be assigned to users and can also be updated or removed as needed.

Note: A user is required to have at least one of the ves-io-monitor-role, ves-io-power-developer-role, or ves-io-admin-role roles for a namespace to appear in the namespace dropdown in the VoltConsole.


Prerequisites

You must have a valid Volterra Account. If you do not have an account, see Create a Volterra Account.


View RBAC Policy Rules and API Groups

You can view the predefined RBAC policy rules and the various API groups information from the VoltConsole.

Step 1: Log into the VoltConsole and view in-built policies.

Click on the General option in the namespace selector. Click RBAC Policies->Built-in Policy Rules under the IAM option. Click > for any policy from the displayed list to view the policy information in JSON format.

Figure: In-built RBAC Policy Rules

Note: The api_group_matcher field in the displayed information shows the API groups associated with the rule.

Step 2: View API groups.

Select API Groups from the options pane. Click > for any group from the displayed list to view the group information in JSON format.

Figure: API Group Information

Note: The elements field in the displayed information shows the APIs associated with the group.

Step 3: View the APIs associated with an API group.

Click the Elements field against any API displayed in the list to view the APIs in another window.

Figure: API Group List

Figure: API Group Elements


Create a Role

Perform the following to create a role and assign API groups to it:

Step 1: Navigate to role configuration and open a role creation form.

Click on the General option in the namespace selector. Click Roles->Create Role under the IAM option.

Figure: Navigate to Roles

Step 2: Select API groups for the role.

Set a name for the role and click Allowed API Groups. Select the API groups as per your choice and click Save to add the API groups to the role. This example creates a custom role infrawatcher with the ves-io-infra-monitor-read and ves-io-infra-monitor-write groups.

Figure: API Group Selection

Note: Click on the value under the Elements field to view the list of APIs that are part of the associated group.

Step 3: Complete role creation.

Click Save to create the role.

Figure: Role Configuration and Creation
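
An access review over role assignments, added here as an example and not code from VoltConsole or Volterra: it applies the namespace-visibility note from Roles and Privileges and flags custom roles such as infrawatcher that carry write API groups. The users, the netops role, the data layout and the reading of the -write suffix as write access are assumptions; the role and API group names come from this guide.

```python
# Added example. All data below is constructed; this is not a platform export format.
DEFAULT_ROLES = {"ves-io-default-role", "ves-io-admin-role",
                 "ves-io-monitor-role", "ves-io-power-developer-role"}
# Roles that make a namespace appear in the VoltConsole namespace dropdown.
VISIBLE_ROLES = DEFAULT_ROLES - {"ves-io-default-role"}

# Custom role -> API groups; infrawatcher is the role created in this guide.
CUSTOM_ROLES = {
    "infrawatcher": ["ves-io-infra-monitor-read", "ves-io-infra-monitor-write"],
}

# Constructed assignments: user -> namespace -> role names (netops is hypothetical).
ASSIGNMENTS = {
    "alice@example.com": {"prod": ["ves-io-monitor-role", "infrawatcher"]},
    "bob@example.com": {"dev": ["ves-io-admin-role"], "prod": ["infrawatcher"]},
    "carol@example.com": {"prod": ["ves-io-default-role", "netops"]},
}


def write_groups(role):
    """API groups of a custom role whose name ends in -write (assumed convention)."""
    return [g for g in CUSTOM_ROLES.get(role, []) if g.endswith("-write")]


def audit(assignments):
    """Return sorted (user, namespace, finding, detail) tuples for an access review."""
    findings = []
    for user, namespaces in assignments.items():
        for ns, roles in namespaces.items():
            # Without one of the visible roles the namespace is not listed in the console.
            if not VISIBLE_ROLES & set(roles):
                findings.append((user, ns, "namespace-hidden", ",".join(roles)))
            for role in roles:
                if role in DEFAULT_ROLES:
                    continue
                # A role that is neither default nor a known custom role needs follow-up.
                if role not in CUSTOM_ROLES:
                    findings.append((user, ns, "unknown-role", role))
                for group in write_groups(role):
                    findings.append((user, ns, "write-group", f"{role}:{group}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS):
        print(*finding, sep="\t")
```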


Concepts