Role-based access control (RBAC) is a method for controlling user access to services and information. The RBAC implementation for ChaosSearch has two main features:
Permissions define a user’s access to the system. The permissions information includes the following content:
- Version: tracks the permission information version, which is 1.0 by default
- Effect: whether to allow or deny access to the specified actions and resources
- Actions: a list of one or more RBAC service actions that are being controlled (such as create, read, and so forth)
- Resources: a list of one or more ChaosSearch resources on which to apply the effect and action. Resources could include buckets, object groups, views, indexes, alerts, monitors, destinations, Kibana saved objects, and so on.
Groups, which contain one or more blocks of permissions. Users are assigned to groups to inherit those permissions. Groups have a name, an ID, and one or more permission rule sets. ChaosSearch has a default group that can be preconfigured for common access levels, and administrators can create custom groups with more refined access rights for users.
A block is a specific permission control, such as allowing read access to one or more specific views, or to all views that match a condition value.
The following table lists and describes the set of available actions for the RBAC controls.
- Ability to access cloud object storage if given permissions in the IAM Policy and API calls to the Chaos Index®
- Ability to access cloud object storage if given permissions in the IAM Policy
- Ability to access the ChaosSearch Admin API
- Ability to access the Elasticsearch API
- Ability to access the Elasticsearch API
- Ability to access all replica, query, and theme settings
- Ability to access all replica information (that is, compute allocation), initiate burst operations, and see the compute status
- Ability to use burst (displays the Burst button on the console)
- Ability to see how many compute resources are allocated
- Full access to query permissions
- Ability to access the Query progress bar
- Ability to cancel a query (displays the Cancel button on the console)
- Ability to change the color scheme of the ChaosSearch UI
- Full access to Kibana permissions
- Ability to access Visualizations and Dashboards on the Analytics page
- Ability to create Visualizations and Dashboards on the Analytics page
- Ability to create Alerts
- Full access to the ChaosSearch UI
- Ability to access Storage in the console
- Ability to access Refinery in the console
- Ability to access Analytics in the console
- Ability to access System Dashboard in the console
Administrators who have permission to manage groups can access the Groups page by clicking their user name in the top-right corner and selecting Accounts from the pop-up menu.
The Users list is the default; click Groups to display the groups list.
If your user account does not have an Accounts option on the pop-up menu, your account does not have permission to manage users and groups.
To add a group:
- Click Add Group in the top right corner of the Groups page. The Add Group window appears.
The Drop Permissions file here option is an alternative way to create a group by importing a text document that contains permission definitions. Typically those text files are created by ChaosSearch support teams who are assisting with RBAC implementations.
- Type a name for the group.
- Click Wizard. The group definition wizard opens. Each permission is defined as a block of effect-action-resource definitions.
- The Version field specifies the version level of the permissions. You can use the default value of 1.0.
- In the Effect field, select whether you want to Allow or Deny the actions and resources that you are specifying.
- Click the Action field, and in the pop-up list, select one or more of the RBAC actions as listed in the table above. Note that the default selection is * (all-access). Typically you would deselect * and select one or more RBAC actions for the group.
In the wizard, there are two ways to define resources: you can specify them in the Resource field, or use the Add condition option to create a resource condition block to match resources.
- The Resource field default value is * (all resources). To specify resources using this field, you typically deselect * and type the name of a specific resource, then press the Enter key to add it. You can enter multiple resources this way.
- As an alternative, you can specify resources using a condition. Click Add conditions (optional). New condition fields appear:
- To add a condition:
  - Click Conditions and select a match condition:
  - In the Key field, type the identifier for the object that you want to use in the condition. For example, some common types of identifier keys include:
    - Object group: "chaos:object_group/attributes.name"
  - In the Value field, type a value for the resource key that you specified. For example, you could specify the name of a bucket, object group, view, and so on. You could specify a prefix string value.
You can add more conditions by clicking Add condition.
- When you finish the block for the permission, click Add Block. The block is added to the right pane.
From the Blocks list, you can view, edit, and delete blocks.
- When you finish adding conditions, click Finish. The Add Group window appears.
- Click Save to add the group. The group is added to the Groups page.
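To make the effect-action-resource block model concrete, here is a small policy evaluator written for this page. It is an added example, not ChaosSearch's own code or its import file format: the block fields (Version, Effect, Actions, Resources, Conditions with Key and Value) follow the wizard fields named above, while the condition operator names (`StringEquals`, `StringPrefix`), the `*` wildcard matching on actions and resources, the sample action names (`read`, `create`) and the rule that an explicit Deny overrides any Allow are assumptions made here. The key `chaos:object_group/attributes.name` is the one the page gives for object groups; the group definition and requests are constructed sample data.

```python
"""Toy evaluator for ChaosSearch-style RBAC permission blocks.

Added example for this page, not ChaosSearch's own code or policy format.
Assumptions: '*' is a glob wildcard for actions and resources, condition
operators are StringEquals / StringPrefix, and an explicit Deny block beats
any Allow block (IAM-style). Requests that match no block are denied.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Condition:
    # key is a resource attribute such as "chaos:object_group/attributes.name"
    # (the identifier the page gives for object groups); operator names are assumed.
    operator: str
    key: str
    value: str

    def matches(self, attributes: dict[str, str]) -> bool:
        actual = attributes.get(self.key)
        if actual is None:
            return False  # a missing attribute never satisfies a condition
        if self.operator == "StringEquals":
            return actual == self.value
        if self.operator == "StringPrefix":  # "prefix string value" from the wizard
            return actual.startswith(self.value)
        raise ValueError(f"unknown condition operator: {self.operator}")


@dataclass
class Block:
    effect: str                 # "Allow" or "Deny"
    actions: list[str]          # RBAC actions; "*" means all actions
    resources: list[str] = field(default_factory=lambda: ["*"])  # "*" = all resources
    conditions: list[Condition] = field(default_factory=list)
    version: str = "1.0"        # the wizard's Version field, 1.0 by default

    def applies_to(self, action: str, resource: str, attributes: dict[str, str]) -> bool:
        """True when this block's action, resource and conditions all match the request."""
        if not any(fnmatchcase(action, pattern) for pattern in self.actions):
            return False
        if not any(fnmatchcase(resource, pattern) for pattern in self.resources):
            return False
        return all(cond.matches(attributes) for cond in self.conditions)


def is_allowed(group_blocks: list[Block], action: str, resource: str,
               attributes: dict[str, str] | None = None) -> bool:
    """Evaluate every block of a group; default deny, explicit Deny wins (assumed)."""
    attributes = attributes or {}
    decision = False
    for block in group_blocks:
        if not block.applies_to(action, resource, attributes):
            continue
        if block.effect == "Deny":
            return False
        if block.effect == "Allow":
            decision = True
    return decision


# Constructed sample group: analysts may read any object group whose name
# starts with "logs-prod-", except one explicitly denied object group.
OG_NAME = "chaos:object_group/attributes.name"
ANALYSTS = [
    Block("Allow", ["read"], conditions=[Condition("StringPrefix", OG_NAME, "logs-prod-")]),
    Block("Deny", ["*"], resources=["logs-prod-secrets"]),
]

# Constructed sample requests: (action, resource name, resource attributes).
SAMPLE_REQUESTS = [
    ("read", "logs-prod-web", {OG_NAME: "logs-prod-web"}),
    ("read", "logs-prod-secrets", {OG_NAME: "logs-prod-secrets"}),
    ("create", "logs-prod-web", {OG_NAME: "logs-prod-web"}),
    ("read", "logs-dev-web", {OG_NAME: "logs-dev-web"}),
]


def run_demo() -> dict[tuple[str, str], bool]:
    """Evaluate the sample requests against the analysts group."""
    return {(action, resource): is_allowed(ANALYSTS, action, resource, attrs)
            for action, resource, attrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for (action, resource), allowed in run_demo().items():
        print(f"{action:6} {resource:18} -> {'ALLOW' if allowed else 'DENY'}")
```

The evaluator shows why the wizard steers you away from the `*` defaults: a block that keeps `*` for both Action and Resource grants everything, and narrowing is done either by listing resources explicitly or by a condition on an attribute key, which is how the prefix-based Allow above is scoped. Keeping a group to a single Allow block per purpose also makes it easier to reason about what a Deny block overrides.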
After there are some groups defined for your users, you can assign users to groups.
When creating a user, the groups for your site are listed in the Add User > Groups list and you can select one or more groups for a new user.
For users that already exist, you can edit the user to assign one or more groups.