RBAC Configuration

Use groups to configure role-based access controls within the ChaosSearch platform.

Overview

Role-based access control (RBAC) is a method for controlling which users can access which services and information. The ChaosSearch RBAC implementation has two main features:

  • Permissions define a user’s access to the system. The permissions information includes the following content:

    • Version: tracks the permission information version, which is 1.0 by default
    • Effect: whether to allow or deny access to the specified actions and resources
    • Actions: a list of one or more RBAC service actions that are being controlled (such as create, read, and so forth)
    • Resources: a list of one or more ChaosSearch resources on which to apply the effect and action. Resources could include buckets, object groups, views, indexes, alerts, monitors, destinations, Kibana saved objects, and so on.
  • Groups, which contain one or more blocks of permissions; users are assigned to groups to inherit those permissions. Groups have a name, an ID, and one or more permission rule sets. ChaosSearch has a default group that can be preconfigured for common access levels, and administrators can create other custom groups for more refined access rights for users.

A block is a specific permission control, such as allowing read access to one or more specific views, or to all views that match a condition value.

RBAC Actions List

The following table lists and describes the set of available actions for the RBAC controls.

Action                 Definition

All-access
s3:*                   Ability to access cloud object storage if given permissions in the IAM Policy, and API calls to the Chaos Index®
s3:aws:*               Ability to access cloud object storage if given permissions in the IAM Policy
s3:chaos:*             Ability to access the ChaosSearch Admin API
elastic:*              Ability to access the Elasticsearch API
elastic:opendistro:*   Ability to access the Elasticsearch API
chaos:*                Ability to access all replica, query, and theme settings
chaos:replica:*        Ability to access all replica information (that is, compute allocation), initiate burst operations, and see the compute status
chaos:replica:burst    Ability to use burst (displays the Burst button on the console)
chaos:replica:status   Ability to see how many compute resources are allocated
chaos:query:*          Full access to query permissions
chaos:query:status     Ability to access the Query progress bar
chaos:query:cancel     Ability to cancel a query (displays the Cancel button on the console)
chaos:theme:user       Ability to change the color scheme of the ChaosSearch UI
kibana:*               Full access to Kibana permissions
kibana-settings:read   Ability to access Visualizations and Dashboards on the Analytics page
kibana-settings:write  Ability to create Visualizations and Dashboards on the Analytics page
kibana-opendistro:*    Ability to create Alerts
ui:*                   Full access to the ChaosSearch UI
ui:storage             Ability to access Storage in the console
ui:refinery            Ability to access Refinery in the console
ui:analytics           Ability to access Analytics in the console
ui:dashboard           Ability to access System Dashboard in the console

Create RBAC Groups

Administrators who have permission to manage groups can access the Groups page by clicking their user name in the top-right corner and selecting Accounts from the pop-up menu.

The Users list is the default; click Groups to display the groups list.


NOTE: If your user account does not have an Accounts option on the pop-up menu, your account does not have permission to manage users and groups.

To add a group:

  1. Click Add Group in the top right corner of the Groups page. The Add Group window appears.

Group Import

The Drop Permissions file here option is an alternative way to create a group by importing a text document that contains permission definitions. Typically those text files are created by ChaosSearch support teams who are assisting with RBAC implementations.

  2. Type a name for the group.
  3. Click Wizard. The group definition wizard opens. Each permission is defined as a block of effect-action-resource definitions.
  4. The Version field specifies the version level of the permissions. You can use the default value of 1.0.
  5. In the Effect field, select whether you want to Allow or Deny the actions and resources that you are specifying.
  6. Click the Action field, and in the pop-up list, select one or more of the RBAC actions listed in the table above. Note that the default selection is * (all-access); typically you would deselect * and select one or more RBAC actions for the group.

Defining Resources

In the wizard, there are two ways to define resources: you can specify them in the Resource field, or use the Add condition option to create a resource condition block that matches resources.

  7. The Resource field default value is * (all resources). To specify resources using this field, you typically deselect * and type the name of a specific resource, then press the Enter key to add it. You can type and enter multiple resources.
  8. As an alternative, you can specify resources using a condition. Click Add conditions (optional). New condition fields appear.
  9. To add a condition:
     • Click Conditions and select a match condition.
     • In the Key field, type the identifier for the object that you want to use in the condition. For example, some common identifier keys include:

       Bucket: "s3:bucket/attributes.name"
       Object group: "chaos:object_group/attributes.name"
       View: "chaos:view/attributes.name"

     • In the Value field, type a value for the resource key that you specified. For example, you could specify the name of a bucket, object group, view, and so on, or a prefix string value.

     You can add more conditions by clicking Add condition.
  10. When you finish the block for the permission, click Add Block. The block is added to the right pane. From the Blocks list, you can view, edit, and delete blocks.
  11. When you finish adding conditions, click Finish. The Add Group window appears.
  12. Click Save to add the group. The group is added to the Groups page.
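As an added illustration (not ChaosSearch's code, and not its permissions-file format), the Python below models a group built from the Version/Effect/Actions/Resources blocks described above, with a condition keyed on one of the identifier keys from the wizard, evaluates requests against it, and flags Allow blocks that keep the wizard's default * for both action and resource. The field names, the "equals"/"prefix" match names, and the rule that an explicit Deny overrides any Allow are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed group definition; field names and layout are assumed, not a ChaosSearch export.
ANALYST_GROUP = {
    "name": "log-analysts",
    "blocks": [
        {   # Allow analytics and query actions, but only on views whose name starts with "prod-"
            "Version": "1.0", "Effect": "Allow",
            "Actions": ["ui:analytics", "kibana-settings:read", "chaos:query:*"],
            "Resources": ["*"],
            "Conditions": [{"match": "prefix", "key": "chaos:view/attributes.name", "value": "prod-"}],
        },
        {   # Explicitly deny query cancellation on every resource
            "Version": "1.0", "Effect": "Deny",
            "Actions": ["chaos:query:cancel"], "Resources": ["*"], "Conditions": [],
        },
    ],
}

def _matches(block, action, resource_key, resource_name):
    """True if the block's action list, resource list and conditions all cover the request."""
    if not any(fnmatchcase(action, pat) for pat in block["Actions"]):   # e.g. chaos:query:* covers chaos:query:status
        return False
    if not any(fnmatchcase(resource_name, pat) for pat in block["Resources"]):
        return False
    for cond in block.get("Conditions", []):
        if cond["key"] != resource_key:            # condition is about a different object type
            return False
        if cond["match"] == "equals":
            if resource_name != cond["value"]:
                return False
        elif cond["match"] == "prefix":
            if not resource_name.startswith(cond["value"]):
                return False
        else:                                      # unknown match condition: fail closed
            return False
    return True

def is_allowed(group, action, resource_key, resource_name):
    """Assumed combination rule: an explicit Deny beats any Allow; no matching block means no access."""
    effects = {b["Effect"] for b in group["blocks"] if _matches(b, action, resource_key, resource_name)}
    return "Allow" in effects and "Deny" not in effects

def overbroad_blocks(group):
    """Indexes of unconditioned Allow blocks that grant * actions on * resources (the wizard defaults)."""
    return [i for i, b in enumerate(group["blocks"])
            if b["Effect"] == "Allow" and "*" in b["Actions"]
            and "*" in b["Resources"] and not b.get("Conditions")]
```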

Assigning Users to Groups

After you have defined groups for your users, you can assign users to them.

  • When creating a user, the groups for your site are listed in the Add User > Groups list and you can select one or more groups for a new user.

  • For users that already exist, you can edit the user to assign one or more groups.
