Users - roles
Roles define which resources and commands a user may access. They are written in the JCC ACL format described below.
JCC ACL (JCC Access Control List)
Format of an ACL (empty template):
name: ROLE_NAME
data:
  acl:
    allow:
      cloud: []                  # List of regular expressions with clouds to allow access
      zone: []                   # List of regular expressions with zones to allow access
      node: []                   # List of regular expressions with nodes to allow access
      externalNode: []           # List of regular expressions with external nodes to allow access
      microservice: []           # List of regular expressions with microservices to allow access
      technicalMicroservice: []  # List of regular expressions with technical microservices to allow access
      application: []            # List of regular expressions with applications to allow access
      repository: []             # List of regular expressions with repositories to allow access
      user: []                   # List of regular expressions with users to allow access
      role: []                   # List of regular expressions with roles to allow access
    deny:
      cloud: []                  # List of regular expressions with clouds to deny access
      zone: []                   # List of regular expressions with zones to deny access
      node: []                   # List of regular expressions with nodes to deny access
      externalNode: []           # List of regular expressions with external nodes to deny access
      microservice: []           # List of regular expressions with microservices to deny access
      technicalMicroservice: []  # List of regular expressions with technical microservices to deny access
      application: []            # List of regular expressions with applications to deny access
      repository: []             # List of regular expressions with repositories to deny access
      user: []                   # List of regular expressions with users to deny access
      role: []                   # List of regular expressions with roles to deny access
commands:
  acl:
    allow:
      - commands: []             # List of commands with allow access
        objects: {
          cloud: .*,                 # Regular expression of clouds with allow access
          zone: .*,                  # Regular expression of zones with allow access
          node: .*,                  # Regular expression of nodes with allow access
          externalNode: .*,          # Regular expression of external nodes with allow access
          microservice: .*,          # Regular expression of microservices with allow access
          technicalMicroservice: .*, # Regular expression of technical microservices with allow access
          application: .*,           # Regular expression of applications with allow access
          repository: .*,            # Regular expression of repositories with allow access
          user: .*,                  # Regular expression of users with allow access
          role: .*                   # Regular expression of roles with allow access
        }
    deny:
      - commands: []             # List of commands with deny access
        objects: {
          cloud: .*,                 # Regular expression of clouds with deny access
          zone: .*,                  # Regular expression of zones with deny access
          node: .*,                  # Regular expression of nodes with deny access
          externalNode: .*,          # Regular expression of external nodes with deny access
          microservice: .*,          # Regular expression of microservices with deny access
          technicalMicroservice: .*, # Regular expression of technical microservices with deny access
          application: .*,           # Regular expression of applications with deny access
          repository: .*,            # Regular expression of repositories with deny access
          user: .*,                  # Regular expression of users with deny access
          role: .*                   # Regular expression of roles with deny access
        }
Access algorithm
Below is the algorithm that decides whether a user has access to execute a command. Both ACLs are allow-list first: a resource or command that is not explicitly allowed is denied, and a matching deny entry overrides a matching allow entry.
- Start processing the command.
- Check whether the requested resource name matches any regular expression in the list under data:acl:allow for its resource type. If not, deny access.
- Check whether the requested resource name matches any regular expression in the list under data:acl:deny for its resource type. If so, deny access.
- For each entry in commands:acl:allow, check whether the command is listed in its commands and whether the requested resource name matches the regular expression stored in objects under the resource's key. If no entry matches, deny access.
- For each entry in commands:acl:deny, check whether the command is listed in its commands and whether the requested resource name matches the regular expression stored in objects under the resource's key. If any entry matches, deny access.
- If this point is reached, allow access.
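The access algorithm above, as an added Python example that is not JCC's own code: the role dicts are constructed fragments (USER_ADMIN mirrors the default role on this page, RESTRICTED_OP is invented to exercise a commands:acl:deny entry), and anchored regular-expression matching is an assumption the page does not state.

```python
import re

# Constructed role fragments, not the project's own files. USER_ADMIN mirrors the
# page's default role; RESTRICTED_OP is invented to exercise a commands:acl:deny entry.
USER_ADMIN = {
    "data": {"acl": {"allow": {"user": [".*"], "role": [".*"]},
                     "deny": {"node": [".*"], "cloud": [".*"]}}},
    "commands": {"acl": {
        "allow": [{"commands": ["help", "user create", "user list"],
                   "objects": {"user": ".*", "role": ".*", "node": ".*"}}],
        "deny": []}},
}
RESTRICTED_OP = {
    "data": {"acl": {"allow": {"microservice": [".*"], "node": [".*"]},
                     "deny": {"node": ["mgmt-.*"]}}},
    "commands": {"acl": {
        "allow": [{"commands": ["microservice restart", "microservice terminate",
                                "node status"],
                   "objects": {"microservice": ".*", "node": ".*"}}],
        "deny": [{"commands": ["microservice terminate"],
                  "objects": {"microservice": "prod-.*"}}]}},
}

def _any_match(patterns, name):
    # Anchored matching is an assumption; the page does not state regex semantics.
    return any(re.fullmatch(p, name) for p in patterns)

def _entry_covers(entry, command, rtype, rname):
    """True when the entry lists the command and its objects regex matches rname."""
    pattern = entry.get("objects", {}).get(rtype)
    return (command in entry.get("commands", []) and pattern is not None
            and re.fullmatch(pattern, rname) is not None)

def has_access(role, command, rtype, rname):
    """Walk the steps of the page's algorithm; returns (allowed, reason)."""
    res, cmd = role["data"]["acl"], role["commands"]["acl"]
    if not _any_match(res.get("allow", {}).get(rtype, []), rname):
        return False, "resource not matched by data:acl:allow"      # step 2
    if _any_match(res.get("deny", {}).get(rtype, []), rname):
        return False, "resource matched by data:acl:deny"           # step 3
    if not any(_entry_covers(e, command, rtype, rname) for e in cmd.get("allow", [])):
        return False, "command/resource not matched by commands:acl:allow"  # step 4
    if any(_entry_covers(e, command, rtype, rname) for e in cmd.get("deny", [])):
        return False, "command/resource matched by commands:acl:deny"       # step 5
    return True, "allowed"

if __name__ == "__main__":
    print(has_access(USER_ADMIN, "user create", "user", "alice"))
    print(has_access(RESTRICTED_OP, "microservice terminate", "microservice", "prod-api"))
```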
Default roles
By default four roles are defined. Their definitions are shown below, each with a short description.
USER_ADMIN
This is the role of the default user_admin user, which is responsible for managing users: adding, deleting, resetting passwords, etc.
Role definition:
data:
  acl:
    allow:
      cloud: []
      technicalMicroservice: []
      node: []
      role: [.*]
      application: []
      zone: []
      microservice: []
      externalNode: []
      repository: []
      user: [.*]
    deny:
      cloud: [.*]
      technicalMicroservice: [.*]
      node: [.*]
      role: []
      application: [.*]
      zone: [.*]
      microservice: [.*]
      externalNode: [.*]
      repository: [.*]
      user: []
name: USER_ADMIN
commands:
  acl:
    allow:
      - commands: [
          display,
          echo,
          exit,
          grep,
          header,
          help,
          interactive,
          login,
          passwd,
          quit,
          sleep,
          verbose,
          version,
          env set,
          env show,
          script record show,
          script record start,
          script record stop,
          script run,
          user,
          user create,
          user delete,
          user list,
          user passwd,
          user role delete,
          user role details,
          user role dump,
          user role list,
          user role load]
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }
    deny:
      - commands: []
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }
MASTER_ADMIN
Master admin has full access to all commands (except the user management ones). It can create zones, connect nodes, destroy applications, etc.
Role definition:
data:
  acl:
    allow:
      cloud: [.*]
      technicalMicroservice: [.*]
      node: [.*]
      role: []
      application: [.*]
      zone: [.*]
      microservice: [.*]
      externalNode: [.*]
      repository: [.*]
      user: []
    deny:
      cloud: []
      technicalMicroservice: []
      node: []
      role: [.*]
      application: []
      zone: []
      microservice: []
      externalNode: []
      repository: []
      user: [.*]
name: MASTER_ADMIN
commands:
  acl:
    allow:
      - commands: [
          cd,
          display,
          echo,
          exit,
          goto,
          grep,
          header,
          help,
          interactive,
          list,
          login,
          ls,
          passwd,
          quit,
          set,
          show,
          sleep,
          verbose,
          version,
          application,
          application add,
          application create,
          application destroy,
          application details,
          application list,
          application remove,
          application restart,
          application set priority,
          application start,
          application status,
          application stop,
          application terminate,
          env set,
          env show,
          events details,
          events list,
          external node,
          external node add,
          external node destroy,
          external node list,
          external repo add,
          external repo auth,
          external repo default,
          external repo destroy,
          external repo list,
          external repo passwd,
          lock release,
          microservice,
          microservice activate,
          microservice deactivate,
          microservice deploy,
          microservice destroy,
          microservice details,
          microservice disable,
          microservice double restart,
          microservice enable,
          microservice list,
          microservice repo,
          microservice restart,
          microservice runtime,
          microservice start,
          microservice status,
          microservice stop,
          microservice tech,
          microservice terminate,
          microservice undeploy,
          microservice upload,
          node,
          node activate,
          node connect,
          node deactivate,
          node disconnect,
          node list,
          node peer add,
          node peer remove,
          node peers,
          node repo,
          node runtime,
          node servers list,
          node shutdown,
          node status,
          node terminate,
          node version,
          script record show,
          script record start,
          script record stop,
          script run,
          zone,
          zone connect,
          zone create,
          zone destroy,
          zone disconnect,
          zone list]
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }
    deny:
      - commands: []
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }
OPERATOR
Operator can restart microservices, check node status, etc. It is capable of executing standard operational tasks, but it cannot, for example, destroy a microservice.
Role definition:
data:
  acl:
    allow:
      cloud: [.*]
      technicalMicroservice: [.*]
      node: [.*]
      role: []
      application: [.*]
      zone: [.*]
      microservice: [.*]
      externalNode: [.*]
      repository: [.*]
      user: []
    deny:
      cloud: []
      technicalMicroservice: []
      node: []
      role: [.*]
      application: []
      zone: []
      microservice: []
      externalNode: []
      repository: []
      user: [.*]
name: OPERATOR
commands:
  acl:
    allow:
      - commands: [
          cd,
          display,
          echo,
          exit,
          goto,
          grep,
          header,
          help,
          interactive,
          list,
          login,
          ls,
          passwd,
          quit,
          show,
          sleep,
          verbose,
          version,
          application,
          application destroy,
          application details,
          application list,
          application restart,
          application start,
          application status,
          application stop,
          application terminate,
          env set,
          env show,
          events details,
          events list,
          external node,
          external node list,
          external repo default,
          external repo list,
          lock release,
          microservice,
          microservice details,
          microservice double restart,
          microservice list,
          microservice repo,
          microservice restart,
          microservice runtime,
          microservice start,
          microservice status,
          microservice stop,
          microservice tech,
          microservice terminate,
          node,
          node list,
          node peers,
          node repo,
          node runtime,
          node servers list,
          node shutdown,
          node status,
          node terminate,
          node version,
          script record show,
          script record start,
          script record stop,
          script run,
          zone,
          zone list]
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }
    deny:
      - commands: []
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }
VIEWER
Viewer can only watch the environment to learn which microservices are running and where. It is ideal for users who should not be able to change anything.
Role definition:
data:
  acl:
    allow:
      cloud: [.*]
      technicalMicroservice: [.*]
      node: [.*]
      role: []
      application: [.*]
      zone: [.*]
      microservice: [.*]
      externalNode: [.*]
      repository: [.*]
      user: []
    deny:
      cloud: []
      technicalMicroservice: []
      node: []
      role: [.*]
      application: []
      zone: []
      microservice: []
      externalNode: []
      repository: []
      user: [.*]
name: VIEWER
commands:
  acl:
    allow:
      - commands: [
          cd,
          display,
          echo,
          exit,
          goto,
          grep,
          header,
          help,
          interactive,
          list,
          login,
          ls,
          quit,
          show,
          sleep,
          verbose,
          version,
          application,
          application list,
          application status,
          env set,
          env show,
          events details,
          events list,
          external node,
          external node list,
          external repo default,
          external repo list,
          microservice,
          microservice details,
          microservice list,
          microservice repo,
          microservice runtime,
          microservice status,
          node,
          node list,
          node peers,
          node repo,
          node runtime,
          node servers list,
          node status,
          node version,
          script record show,
          script record start,
          script record stop,
          script run,
          zone,
          zone list]
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }
    deny:
      - commands: []
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }
JMX_EXTRACTOR
This is a special role defined with the commands required by the JMX Extractor microservice.
Role definition:
data:
  acl:
    allow:
      cloud: [.*]
      technicalMicroservice: [.*]
      node: [.*]
      role: []
      application: [.*]
      zone: [.*]
      microservice: [.*]
      externalNode: [.*]
      repository: [.*]
      user: []
    deny:
      cloud: []
      technicalMicroservice: []
      node: []
      role: [.*]
      application: []
      zone: []
      microservice: []
      externalNode: []
      repository: []
      user: [.*]
name: JMX_EXTRACTOR
commands:
  acl:
    allow:
      - commands: [
          display,
          exit,
          grep,
          quit,
          node list]
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }
    deny:
      - commands: []
        objects: {
          cloud: .*,
          technicalMicroservice: .*,
          node: .*,
          role: .*,
          application: .*,
          zone: .*,
          microservice: .*,
          externalNode: .*,
          repository: .*,
          user: .*
        }