Use groups to configure role-based access controls within the ChaosSearch platform.
Role-based access control (RBAC) is a method for controlling user access to the services and information. In the RBAC implementation for ChaosSearch, there are two main features:
Permissions define a user’s access to the system. The permissions information includes the following content:
- Version: tracks the permission information version, which is 1.0 by default
- Effect: whether to allow or deny access to the specified actions and resources
- Actions: a list of one or more RBAC service actions that are being controlled (such as create, read, and so forth)
- Resources: a list of one or more ChaosSearch resources on which to apply the effect and action. Resources could include buckets, object groups, views, indexes, alerts, monitors, destinations, Kibana saved objects, and so on.
Groups are containers that hold one or more blocks of permissions; users are assigned to groups to inherit those permissions. Groups have a name, an ID, and one or more permission rule sets. ChaosSearch has a default group that can be preconfigured for common access levels, and administrators can create other custom groups for more refined access rights for users.
A block is a specific permission control, such as allowing read access to one or more specific views, or to all views that match a condition value.
RBAC Actions List
The following table lists and describes the set of available actions for the RBAC controls.
| Action | Description |
|---|---|
| s3:* | Ability to access cloud object storage if given permissions in the IAM Policy and API calls to the Chaos Index® |
| s3:aws:* | Ability to access cloud object storage if given permissions in the IAM Policy |
| s3:chaos:* | Ability to access the ChaosSearch Admin API |
| elastic:* | Ability to access the Elasticsearch API |
| elastic:opendistro:* | Ability to access the Elasticsearch API |
| chaos:* | Ability to access all replica, query, and theme settings |
| chaos:replica:* | Ability to access all replica information (that is, compute allocation), initiate burst operations, and see the compute status |
| chaos:replica:burst | Ability to use burst (displays the Burst button on the console) |
| chaos:replica:status | Ability to see how many compute resources are allocated |
| chaos:query:* | Full access to query permissions |
| chaos:query:status | Ability to access the Query progress bar |
| chaos:query:cancel | Ability to cancel a query (displays the Cancel button on the console) |
| chaos:theme:user | Ability to change the color scheme of the ChaosSearch UI |
| kibana:* | Full access to Kibana permissions |
| kibana-settings:read | Ability to access Visualizations and Dashboards on the Analytics page |
| kibana-settings:write | Ability to create Visualizations and Dashboards on the Analytics page |
| kibana-opendistro:* | Ability to create Alerts |
| super:* | Ability to use SQL Analytics and the embedded Superset features |
| ui:* | Full access to the ChaosSearch UI |
| ui:storage | Ability to access Storage in the console |
| ui:groups | Ability to access Groups in the console |
| ui:refinery | Ability to access Views in the console |
| ui:analytics | Ability to access Search Analytics in the console |
| ui:sql | Ability to access SQL Analytics in the console |
| ui:dashboard | Ability to access System Dashboard in the console |
Create RBAC Groups
Administrators who have permission to manage groups can access the Groups page by clicking their user name in the top-right corner and selecting Accounts from the pop-up menu.
The Users list is the default; click Groups to display the groups list.
If your user account does not have an Accounts option on the pop-up menu, your account does not have permission to manage users and groups.
To add a group:
- Click Add Group in the top right corner of the Groups page. The Add Group window appears.
  The Drop Permissions file here option is an alternative way to create a group by importing a text document that contains permission definitions. Typically those text files are created by ChaosSearch support teams who are assisting with RBAC implementations.
- Type a name for the group.
- Click Wizard. The group definition wizard opens. Each permission is defined as a block of effect-action-resource definitions.
  - The Version field specifies the version level of the permissions. You can use the default value of 1.0.
  - In the Effect field, select whether you want to Allow or Deny the actions and resources that you are specifying.
  - Click the Action field, and in the pop-up list, select one or more of the RBAC actions listed in the table earlier in this topic. Note that the default selection is * (all-access). Typically you would deselect * and select one or more RBAC actions for the group.
  - Define the resources for the block. In the wizard, there are two ways to define resources: you can specify them in the Resource field, or use the Add condition option to create a resource condition block that matches resources.
    - The Resource field default value is * (all resources). To specify resources using this field, you typically deselect * and type the name of a specific resource, then press the Enter key to add each one. You can type and enter multiple resources.
    - As an alternative, you can specify resources using a condition. Click Add conditions (optional). New condition fields appear. To add a condition:
      - Click Conditions and select a match condition.
      - In the Key field, type the identifier for the object that you want to use in the condition. For example, a common identifier key for an object group is "chaos:object_group/attributes.name".
      - In the Value field, type a value for the resource key that you specified. For example, you could specify the name of a bucket, object group, view, and so on. You could also specify a prefix string value.
      You can add more conditions by clicking Add condition.
  - When you finish the block for the permission, click Add Block. The block is added to the right pane. From the Blocks list, you can view, edit, and delete blocks.
  - When you finish adding conditions, click Finish. The Add Group window appears.
- Click Save to add the group. The group is added to the Groups page.
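To make the effect-action-resource block model and the resource condition described above concrete, here is an added example evaluator (not ChaosSearch code) that checks whether a user's groups permit an action on a resource. The dict layout of a block, the prefix/equals condition match types, the resource-key convention `chaos:<type>/<attribute path>`, and the rule that an explicit Deny overrides an Allow are assumptions made for this example; the action names are the ones from the table above.

```python
from fnmatch import fnmatchcase

# Constructed sample group with two permission blocks in the
# Version / Effect / Actions / Resources (+ Conditions) shape the wizard builds.
# The dict layout is an assumption, not ChaosSearch's import format.
ANALYST_GROUP = {
    "name": "analysts",
    "blocks": [
        {"Version": "1.0", "Effect": "Allow",
         "Actions": ["chaos:query:*", "ui:analytics", "kibana-settings:read"],
         "Resources": ["*"],
         "Conditions": [{"match": "prefix",
                         "key": "chaos:object_group/attributes.name",
                         "value": "prod-"}]},
        {"Version": "1.0", "Effect": "Deny",
         "Actions": ["chaos:replica:burst"], "Resources": ["*"]},
    ],
}

def _lookup(resource: dict, key: str):
    # "chaos:object_group/attributes.name" -> type "object_group", path "attributes.name"
    rtype, _, path = key.partition("/")
    if resource.get("type") != rtype.split(":", 1)[-1]:
        return None                     # condition is about a different resource type
    node = resource
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def _condition_ok(cond: dict, resource: dict) -> bool:
    actual = _lookup(resource, cond["key"])
    if actual is None:
        return False
    if cond["match"] == "prefix":
        return str(actual).startswith(cond["value"])
    return str(actual) == cond["value"]   # assumed "equals" match type

def block_applies(block: dict, action: str, resource: dict) -> bool:
    # Action patterns such as "chaos:replica:*" or "*" are globs over the ':'-joined name.
    if not any(fnmatchcase(action, p) for p in block["Actions"]):
        return False
    res = block.get("Resources", ["*"])
    if "*" not in res and resource.get("name") not in res:
        return False
    return all(_condition_ok(c, resource) for c in block.get("Conditions", []))

def is_allowed(groups: list, action: str, resource: dict) -> bool:
    # Default deny; an explicit Deny wins over any Allow (assumed conflict rule).
    effects = {b["Effect"] for g in groups for b in g["blocks"]
               if block_applies(b, action, resource)}
    return "Allow" in effects and "Deny" not in effects
```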
Assigning Users to Groups
After there are some groups defined for your users, you can assign users to groups.
When creating a user, the groups for your site are listed in the Add User > Groups list and you can select one or more groups for a new user.
For users that already exist, you can edit the user to assign one or more groups.