Role Based Access Control
The Role Based Access Control (RBAC) feature allows you to control various operations that can be performed by an administrator. This is essential when multiple administrators are managing the virtual infrastructure. ConVirt RBAC mechanism is designed with having flexibility as well as ease of use.
Out of the box, ConVirt RBAC has the following participants.
- Entity : An entity. For e.g. Data Center, Server, Server Pool and Virtual Machine etc.
- Users/Administrators : Each administrator has its own login and password and can belong to one or more user group.
- User Group : A group of users. Each group has an associated role.
- Role : A role is a collection of entities and corresponding privileges on that entity.
- Privileges : Privileges are convenient packaging of individual operations that can be performed on an entity. ConVirt comes with the following pre-packaged privileges.
- None : No operations allowed on the entity.
- View : The entity can be viewed.
- Operator : All operations on an entity are allowed except for being able to create new ones or delete existing ones.
- Full : All operations including ability to create new entities and remove them.
Privilege propagation
ConVirt allows you to specify privileges for the following entity types
- Data Center/Site
- Server Pool level
- Template Store
- Template Group
Once the privileges are assigned at these container entities, the contained and the related entities get the same privilege. For example if you have FULL privilege on the Server Pool, you would have FULL privilege on the Servers within that server pool as well as Virtual Machines within those Servers.
When a new entity gets added, all roles get updated to give it the same privilege as it has on the container.
Role Example
Advanced Options
If you find the default behavior limiting for some reason, there are few advanced options that you can use. These can be changed by changing the src/convirt/web/convirt/development.ini
- GRANULAR_USER_MODEL : This option allows setting permissions at individual Servers and Virtual Machine level. When in this mode, the privileges from container to the contained entities will NOT propagate automatically. When a new entity is added, all users having current role would have appropriate privileges on the newly created entity.
- ADVANCED_PRIVILEGES : This option allows you to create/edit/delete new privileges, define which operation groups and operations are part of it.
- Using CLI to do customization
There is a good CLI support for this subsystem, you may want to explore it. It is easier to setup custom RBAC scheme, via CLI as it as facilities to perform "create like" on operations groups, privilege etc.
Users : list_users Listing Users user_info User Information add_user Adds a User delete_user - Deletes a Usergroup change_password Change Password
User Groups : list_groups List of Groups group_info Group Information add_group Adds a Usergroup delete_group Deletes a Group add_group_user Adds a User to Group remove_group_user Delete a User from Group assign_role Assign a Role to Group
Roles: list_roles The list of Roles add_role Adds a Role delete_role Deletes a Role assign_entity_privilege Assign a Privilege for the Role on the Entity remove_entity_privilege Remove a Privilege for the Role on the Entity create_like_role Creates a Similar Role
Privileges : list_privileges List of Privileges add_privilege Add Privilege delete_privilege Deleting a Privilege
Operation Groups: list_opgroups List of Operations Groups add_opgroup Add an Operations Group delete_opgroup Deletes an Operation Group create_like_opgroup Creates a similar Operations_Group assign_opgroup_privilege Assign a Privilege to the Operations Group remove_opgroup_privilege Removes the privilege of Operations Group Operations: list_operations List of Operations add_operation - Add an Operation to Operations Group remove_operation Delete an Operation from Operations Group
Comments