Role Based Access Control
The Role Based Access Control (RBAC) feature lets you control which operations an administrator can perform. This is essential when multiple administrators manage the virtual infrastructure. The ConVirt RBAC mechanism is designed for flexibility as well as ease of use.
Out of the box, ConVirt RBAC has the following participants.
- Entity : A managed object, e.g. a Data Center, Server, Server Pool or Virtual Machine.
- Users/Administrators : Each administrator has their own login and password and can belong to one or more user groups.
- User Group : A group of users. Each group has one associated role.
- Role : A role is a collection of entities and the corresponding privilege on each of those entities.
- Privileges : A privilege is a convenient packaging of the individual operations that can be performed on an entity. ConVirt comes with the following pre-packaged privileges:
- None : No operations allowed on the entity.
- View : The entity can be viewed.
- Operator : All operations on the entity are allowed except creating new entities or deleting existing ones.
- Full : All operations including ability to create new entities and remove them.
Privilege propagation
ConVirt allows you to specify privileges on the following entity types:
- Data Center/Site
- Server Pool
- Template Store
- Template Group
Once privileges are assigned on these container entities, the contained and related entities receive the same privilege. For example, if you have Full privilege on a Server Pool, you also have Full privilege on the Servers within that pool and on the Virtual Machines running on those Servers.
When a new entity is added, all roles are updated to give it the same privilege they hold on its container.
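The following is an added illustration of the model described above, not ConVirt's own code: it builds the containment chain Data Center > Server Pool > Server > Virtual Machine, assigns roles to user groups, and resolves the effective privilege of a role on an entity by walking up to the nearest container that carries an explicit grant. The class and function names (Entity, Role, Group, effective_privilege, can) and the operation names placed inside each privilege are assumptions made for the example. The `granular` flag switches propagation off, which is the effect the GRANULAR_USER_MODEL option under Advanced Options describes; how ConVirt then grants privileges on newly created entities is not modelled here.

```python
"""Toy model of ConVirt-style RBAC with privilege propagation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# The four pre-packaged privileges, modelled as nested sets of operations.
# The concrete operation names are an assumption; only the nesting matters.
VIEW_OPS: Set[str] = {"view"}
OPERATOR_OPS: Set[str] = VIEW_OPS | {"start", "stop", "edit"}
FULL_OPS: Set[str] = OPERATOR_OPS | {"create", "delete"}
PRIVILEGES: Dict[str, Set[str]] = {
    "None": set(),
    "View": VIEW_OPS,
    "Operator": OPERATOR_OPS,
    "Full": FULL_OPS,
}


@dataclass
class Entity:
    """A managed object (Data Center, Server Pool, Server, VM, ...)."""
    name: str
    kind: str
    parent: Optional["Entity"] = None


@dataclass
class Role:
    """A role maps entity names to the privilege held on that entity."""
    name: str
    grants: Dict[str, str] = field(default_factory=dict)


@dataclass
class Group:
    """A user group carries exactly one role and any number of members."""
    name: str
    role: Role
    members: Set[str] = field(default_factory=set)


def effective_privilege(role: Role, entity: Entity, granular: bool = False) -> str:
    """Return the privilege `role` holds on `entity`.

    Default mode: walk up the containment chain and use the nearest explicit
    grant, which is how Full on a Server Pool reaches its Servers and VMs.
    Granular mode: only a grant on the entity itself counts, i.e. privileges
    do not propagate from a container to the entities it contains.
    """
    node: Optional[Entity] = entity
    while node is not None:
        if node.name in role.grants:
            return role.grants[node.name]
        if granular:
            break
        node = node.parent
    return "None"


def can(user: str, operation: str, entity: Entity,
        groups: Iterable[Group], granular: bool = False) -> bool:
    """A user may perform `operation` on `entity` if any group they belong to
    has a role whose effective privilege on that entity includes it."""
    return any(
        operation in PRIVILEGES[effective_privilege(g.role, entity, granular)]
        for g in groups
        if user in g.members
    )


def demo() -> Dict[str, object]:
    """Constructed sample infrastructure, roles and groups; returns the checks."""
    dc = Entity("DC1", "DataCenter")
    pool = Entity("Pool-A", "ServerPool", parent=dc)
    srv = Entity("srv01", "Server", parent=pool)
    vm = Entity("web01", "VM", parent=srv)

    pool_admin = Role("PoolAdmin", grants={"Pool-A": "Full"})
    auditor = Role("Auditor", grants={"DC1": "View"})
    groups = [
        Group("ops", pool_admin, members={"alice"}),
        Group("audit", auditor, members={"bob"}),
    ]

    # A VM created later under the same pool needs no explicit grant:
    # it resolves to the pool's privilege exactly like the existing VM.
    new_vm = Entity("web02", "VM", parent=srv)

    return {
        "pooladmin_on_vm": effective_privilege(pool_admin, vm),
        "alice_can_delete_vm": can("alice", "delete", vm, groups),
        "bob_can_view_vm": can("bob", "view", vm, groups),
        "bob_can_delete_vm": can("bob", "delete", vm, groups),
        "new_vm_inherits": effective_privilege(pool_admin, new_vm),
        "granular_no_propagation": effective_privilege(pool_admin, vm, granular=True),
        "granular_explicit_grant": effective_privilege(
            Role("VMOnly", grants={"web01": "Operator"}), vm, granular=True),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The example resolves privileges at lookup time; the page describes ConVirt instead updating every role when a new entity is created, which yields the same answer for the newly added Virtual Machine here. Note that an auditor with View on the Data Center can see every Virtual Machine beneath it but cannot delete any, and that in granular mode the same PoolAdmin role resolves to None on the Virtual Machine unless it is granted there explicitly.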
Role Example

Advanced Options
If you find the default behavior limiting, there are a few advanced options you can use. They are changed by editing src/convirt/web/convirt/development.ini
- GRANULAR_USER_MODEL : Allows permissions to be set on individual Servers and Virtual Machines. In this mode, privileges do NOT propagate automatically from a container to the entities it contains. When a new entity is added, all users holding the current role receive the appropriate privileges on the newly created entity.
- ADVANCED_PRIVILEGES : Allows you to create, edit and delete privileges and to define which operation groups and operations are part of each.
- Using CLI to do customization
The CLI has good support for this subsystem and is worth exploring. Setting up a custom RBAC scheme is easier via the CLI, since it offers "create like" commands for operation groups, roles and so on.
Users:
- list_users : List users
- user_info : Show information about a user
- add_user : Add a user
- delete_user : Delete a user
- change_password : Change a user's password
User Groups:
- list_groups : List groups
- group_info : Show information about a group
- add_group : Add a user group
- delete_group : Delete a group
- add_group_user : Add a user to a group
- remove_group_user : Remove a user from a group
- assign_role : Assign a role to a group
Roles:
- list_roles : List roles
- add_role : Add a role
- delete_role : Delete a role
- assign_entity_privilege : Assign a privilege to the role on an entity
- remove_entity_privilege : Remove the role's privilege on an entity
- create_like_role : Create a role similar to an existing one
Privileges:
- list_privileges : List privileges
- add_privilege : Add a privilege
- delete_privilege : Delete a privilege
Operation Groups:
- list_opgroups : List operation groups
- add_opgroup : Add an operation group
- delete_opgroup : Delete an operation group
- create_like_opgroup : Create an operation group similar to an existing one
- assign_opgroup_privilege : Assign a privilege to an operation group
- remove_opgroup_privilege : Remove a privilege from an operation group
Operations:
- list_operations : List operations
- add_operation : Add an operation to an operation group
- remove_operation : Remove an operation from an operation group