RBAC Configuration

Use groups to configure role-based access controls within the ChaosSearch platform.

Overview

Role-based access control (RBAC) is a method for controlling user access to services and information. The RBAC implementation for ChaosSearch has two main features:

  • Permissions define a user's access to the system. Permission information includes the following content:

    • Version: tracks the permission information version, which is 1.0 by default
    • Effect: whether to allow or deny access to the specified actions and resources
    • Actions: a list of one or more RBAC service actions that are being controlled (such as create, read, and so forth)
    • Resources: a list of one or more ChaosSearch resources on which to apply the effect and actions. Resources can include buckets, object groups, views, indexes, alerts, monitors, destinations, Kibana saved objects, and so on.
  • Groups, which contain one or more blocks of permissions; users are assigned to groups to inherit those permissions. A group has a name, an ID, and one or more permission rule sets. ChaosSearch has a default group that can be preconfigured for common access levels, and administrators can create custom groups for more refined access rights.

A block is a specific permission control, such as allowing read access to one or more specific views, or to all views that match a condition value.

RBAC Actions List

The following table lists and describes the set of available actions for the RBAC controls.

Action                  Definition
*                       All-access
s3:*                    Ability to access cloud object storage if given permissions in the IAM Policy, and API calls to the Chaos Index®
s3:aws:*                Ability to access cloud object storage if given permissions in the IAM Policy
s3:chaos:*              Ability to access the ChaosSearch Admin API
elastic:*               Ability to access the Elasticsearch API
elastic:opendistro:*    Ability to access the Elasticsearch API
chaos:*                 Ability to access all replica, query, and theme settings
chaos:replica:*         Ability to access all replica information (that is, compute allocation), initiate burst operations, and see the compute status
chaos:replica:burst     Ability to use burst (displays the Burst button on the console)
chaos:replica:status    Ability to see how many compute resources are allocated
chaos:query:*           Full access to query permissions
chaos:query:status      Ability to access the Query progress bar
chaos:query:cancel      Ability to cancel a query (displays the Cancel button on the console)
chaos:theme:user        Ability to change the color scheme of the ChaosSearch UI
kibana:*                Full access to Kibana permissions
kibana-settings:read    Ability to access Visualizations and Dashboards on the Analytics page
kibana-settings:write   Ability to create Visualizations and Dashboards on the Analytics page
kibana-opendistro:*     Ability to create Alerts
"super:*"               Ability to use SQL Analytics and the embedded Superset features
ui:*                    Full access to the ChaosSearch UI
ui:storage              Ability to access Storage in the console
ui:groups               Ability to access Groups in the console
ui:refinery             Ability to access Views in the console
ui:analytics            Ability to access Search Analytics in the console
ui:sql                  Ability to access SQL Analytics in the console
ui:dashboard            Ability to access System Dashboard in the console

Create RBAC Groups

Administrators who have permission to manage groups can access the Groups page by clicking their user name in the top-right corner and selecting Accounts from the pop-up menu.

The Users list is the default; click Groups to display the groups list.

NOTE:

If your user account does not have an Accounts option on the pop-up menu, your account does not have permission to manage users and groups.

To add a group:

  1. Click Add Group in the top right corner of the Groups page. The Add Group window appears.

Group Import

The Drop Permissions file here option is an alternative way to create a group by importing a text document that contains permission definitions. Typically those text files are created by ChaosSearch support teams who are assisting with RBAC implementations.

  2. Type a name for the group.
  3. Click Wizard. The group definition wizard opens. Each permission is defined as a block of effect-action-resource definitions.
  4. The Version field specifies the version level of the permissions. You can use the default value of 1.0.
  5. In the Effect field, select whether you want to Allow or Deny the actions and resources that you are specifying.
  6. Click the Action field, and in the pop-up list, select one or more of the RBAC actions as listed in the table earlier in this topic. Note that the default selection is * (all-access). Typically you would deselect * and select one or more RBAC actions for the group.

Defining Resources

In the wizard, there are two ways to define resources: you can specify them in the Resource field, or use the Add condition option to create a resource condition block to match resources.

  7. The Resource field default value is * (all resources). To specify resources using this field, you typically deselect * and type the name of a specific resource, then press the Enter key to add each one. You can type and enter multiple resources.
  8. As an alternative, you can specify resources using a condition. Click Add conditions (optional). New condition fields appear.
  9. To add a condition:
    • Click Conditions and select a match condition.
    • In the Key field, type the identifier for the object that you want to use in the condition. For example, some common types of identifier keys include:

      Bucket: "s3:bucket/attributes.name"
      Object group: "chaos:object_group/attributes.name"
      View: "chaos:view/attributes.name"

    • In the Value field, type a value for the resource key that you specified. For example, you could specify the name of a bucket, object group, view, and so on. You could also specify a prefix string value.

    You can add more conditions by clicking Add condition.

  10. When you finish the block for the permission, click Add Block. The block is added to the right pane. From the Blocks list, you can view, edit, and delete blocks.
  11. When you finish adding conditions, click Finish. The Add Group window appears.
  12. Click Save to add the group. The group is added to the Groups page.
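The permission blocks described in the Overview and assembled in the wizard steps above, as an added example that is not ChaosSearch code: a small Python evaluator over a constructed group. The dictionary field names, the "equals" and "prefix" condition operators, trailing-wildcard matching, and deny-overrides-allow are assumptions made for the example, not documented ChaosSearch behaviour.

```python
# Added example (not ChaosSearch code): evaluate the Version / Effect / Action /
# Resource / Condition blocks of a group the way the wizard assembles them.
# Assumed, not stated on the page: a trailing "*" matches any suffix of an action or
# resource name, an explicit Deny overrides any Allow, and conditions are "equals"/"prefix".
from fnmatch import fnmatchcase

def _matches(patterns, name):
    """True if any pattern ('*', 'chaos:replica:*' or an exact name) matches name."""
    return any(fnmatchcase(name, p) for p in patterns)

def _conditions_hold(block, attrs):
    """Every (operator, key, value) condition in the block must hold against attrs."""
    for op, key, value in block.get("Conditions", []):
        actual = attrs.get(key)
        if actual is None:
            return False            # a missing attribute never satisfies a condition
        if op == "equals" and actual != value:
            return False
        if op == "prefix" and not actual.startswith(value):
            return False
    return True

def is_allowed(groups, action, resource, attrs=None):
    """Check one action on one resource against every block of the user's groups.
    attrs maps condition keys such as 'chaos:view/attributes.name' to values."""
    attrs = attrs or {}
    allowed = False
    for group in groups:
        for block in group["Blocks"]:
            if not (_matches(block["Actions"], action)
                    and _matches(block["Resources"], resource)
                    and _conditions_hold(block, attrs)):
                continue
            if block["Effect"] == "Deny":
                return False        # deny wins over any Allow (assumption)
            allowed = True
    return allowed

# Constructed sample group: all chaos:* settings except burst, read-only Kibana
# objects, the Analytics page, and the Views page only for views named prod-*.
ANALYSTS = {"Name": "analysts", "Blocks": [
    {"Version": "1.0", "Effect": "Allow", "Resources": ["*"], "Conditions": [],
     "Actions": ["chaos:*", "kibana-settings:read", "ui:analytics"]},
    {"Version": "1.0", "Effect": "Allow", "Resources": ["*"], "Actions": ["ui:refinery"],
     "Conditions": [("prefix", "chaos:view/attributes.name", "prod-")]},
    {"Version": "1.0", "Effect": "Deny", "Resources": ["*"], "Conditions": [],
     "Actions": ["chaos:replica:burst"]},
]}
```

The Deny block shows why a group's blocks have to be read together: the broad `chaos:*` Allow still grants `chaos:replica:status`, but the narrower Deny removes `chaos:replica:burst` from the same users.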

Assigning Users to Groups

After groups have been defined for your users, you can assign users to them.

  • When creating a user, the groups for your site are listed in the Add User > Groups list, and you can select one or more groups for the new user.

  • For users that already exist, you can edit the user to assign one or more groups.