RBAC Configuration

This guide walks through the set-up and configuration of Role-Based Access Control's within the ChaosSearch platform.

Overview

Role-Based Access control has two constructs:

  • Permissions: Permissions have the following components to describe a user’s access to the system:

    • Version: tracks the permission version.
    • Effect: will either “Allow” or “Deny” access.
    • Actions: The actual service actions that are allowed (Create, Read, etc.).
    • Resources: The resources within the service that the specified actions are applied to (Object Groups, Views, Discover, Alerting, etc.)
  • Groups: Groups are composed of an ID, a name, and a set of permissions. The Default group is preconfigured common access levels, in addition to fully customized groups created by the user.

RBAC Actions List

Action

Definition

All-access

s3:*

Ability to access S3 if given permissions in the IAM Policy and API calls to the Chaos Index

s3:aws:*

Ability to access S3 if given permissions in the IAM Policy

s3:chaos:*

Ability to access the ChaosSearch Admin API

elastic:*

Ability to access the Elasticsearch API

elastic:opendistro:*

Ability to access the Elasticsearch API

chaos:*

Ability to access all replica, query, and theme settings

chaos:replica:*

Ability to access all replica information (i.e. compute allocation), initiate burst and see the compute status

chaos:replica:burst

Ability to click burst

chaos:replica:status

Ability to see how many compute resources are allocated

chaos:query:*

Full access to query permissions

chaos:query:status

Ability to access the Query progress bar

chaos:query:migrate

chaos:query:cancel

Ability to Cancel a query

chaos:query:pause

chaos:theme:user

Ability to change the color scheme of the ChaosSearch UI

kibana:*

Full access to Kibana permissions

kibana-settings:read

Ability to access Visualizations and Dashboards

kibana-settings:write

Ability to create Visualizations and Dashboards

kibana-opendistro:*

Ability to create Alerts

ui:*

Full access to the ChaosSearch UI

ui:storage

Ability to access the Storage

ui:refinery

Ability to access the Refinery

ui:analytics

Ability to access the Analytics

ui:dashboard

Ability to access the Dashboard

Create RBAC Groups

When you navigate to the Accounts section of ChaosSearch, existing Users and Role-Based Access Control groups will be listed. To add a new Group select the Groups tab.

  1. Click the Add Role button in the top right corner
  1. Add the group name and click the *Wizard button
  1. The RBAC wizard will allow you to define:
    Effect
    Action
    Resource

  2. To assign the actions a User should have for this group, click the Action drop down

  1. After defining the Actions, remove the * in the Resource filed and input the Resource(s) that should be made available to the Users within this Group and hit enter

📘

Resource is the View name created in the Refinery

ex. crn:view:::viewName

  1. After the Effect, Action, and Resource sections are complete with the correct permissions, click Add Block and expand Block 1.
  2. To edit the block, click Edit
  3. To delete the block, click Delete
  1. To finalize the RBAC Group configuration, click Finish
  2. Click Save

You can now start adding users to this new RBAC group by selecting the Users group definition if the User already exists.

When creating a User, the group selection drop down will be available to put the user into 1 or more groups.

Clicking on the User will list the current Group assignment

Updated about a month ago

RBAC Configuration


This guide walks through the set-up and configuration of Role-Based Access Control's within the ChaosSearch platform.

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.