Configuring Role-Based Access Control (RBAC)
With Role-Based Access Control (RBAC), Unravel provides advanced access control for admins to restrict the views of Unravel UI and the access to app data based on the assigned roles. By default, this feature is not enabled. You must enable the RBAC feature.
Unravel supports the following roles for RBAC.
admin – has complete access to UI and data.
read-only admin – has complete access to the UI except for the Manage page and data.
user – has access to views and data that are assigned by an admin.
Custom roles – roles that you can configure in Unravel.
For each of the roles, you can configure the following settings. Refer to Configure RBAC role settings.
Username/Groups
Assign roles based on users or user groups.
Views
Control the views that a user who is assigned to a role can see.
Data filters
Control the app data that a user who is assigned to a role can access.
Enable RBAC
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
From the installation directory, run the following command to enable RBAC.
<Unravel installation directory>/unravel/manager properties set com.unraveldata.rbac.enabled true
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start
When you enable RBAC, all the roles (admin, read-only admin, user, and any custom roles that are configured) are available. You can configure custom roles in Unravel.
Note
user is the default role when the RBAC feature is enabled in Unravel.
readonlyAdmin is the default role when the RBAC feature is not enabled.
The admin and the readonlyAdmin roles are available even when the RBAC feature is not enabled in Unravel.
Add roles for RBAC
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
From the installation directory, run the following command to add roles:
<Unravel installation directory>/unravel/manager properties set com.unraveldata.rbac.roles <role1>,<role3>,<role2>
The order in which the roles are given in the property value becomes the role priority. Because admin, readonlyAdmin, and user are reserved roles, the priority order is usually: admin, readonlyAdmin, <custom roles>, user.
In the above example, the priority order is as follows:
1st – admin
2nd – readonlyAdmin
3rd – role1, role3, role2
4th – user
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start
Configure RBAC role settings
You can configure the following settings for the roles:
You can set Users and groups for a role. Do the following:
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
From the installation directory, run the following command to set users/groups for a role.
Users
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.<role>.users <user1>,<user2>
Groups
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.<role>.groups <group1>,<group2>
In <role>, you must specify the role for which you want to add the users/groups. In <user>/<group>, specify the usernames or group names you want to add to the role.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start
As an admin, you can set views for the users. The users can only see the views set for an assigned role. Each view has an ID which you must include in the configuration. Refer to the View ID list. If you do not configure the Views, then the following default Views are shown:
Clusters>Resources
Clusters>Chargeback
Compute
Jobs
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
From the installation directory, run the following command to set the views for the users in a role.
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.<role>.views <view ID1>,<view ID2>,<view ID3>
For example:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.role1.views cost.trends, clusters.overview
In <role>, you must specify the role for which you want to set the views. In <view ID>, specify the view ID that you want to set for the role. Refer to the View ID list.
Note
If you set a view ID of the main tab on Unravel UI, for example, the Clusters tab, then all the sub-tabs within the Clusters tab, such as Overview, Resources, Workload, are automatically included in the view that is set for the role.
If you provide the view ID of the main tab and the sub-tab, then the view of the main tab is included.
If you provide only the view ID of the sub-tab, then only those sub-tabs are included in the view that is set for the role.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start
Unravel UI tabs | View ID |
---|---|
App Store | appstore |
AutoActions | autoactions |
Cost | cost |
Clusters | clusters |
Clusters>Overview | clusters.overview |
Clusters>Resources | clusters.resources |
Clusters>Job Trends | clusters.jobstrends |
Clusters>Workload | clusters.workload |
Clusters>Chargeback | clusters.chargeback |
Clusters>ElasticSearch | clusters.elasticsearch |
Clusters>Logstash | clusters.logstash |
Clusters>Kibana | clusters.kibana |
Clusters>Kafka | clusters.kafka |
Clusters>HBase | clusters.hbase |
Clusters>Insights | clusters.clusterinsights |
Compute | compute |
Data | data |
Data>Overview | data.overview |
Data>Tables | data.tables |
Data>Forecasting | data.forecasting |
Data>Small Files | data.smallfiles |
Data>File Reports | data.filereports |
Jobs | jobs |
Jobs>Applications | jobs.applications |
Jobs>Pipelines | jobs.pipelines |
Jobs>Sessions | jobs.sessions |
Jobs>Schedule Jobs | jobs.schedulejobs |
Jobs>Jobs | jobs.jobs |
Jobs>Runs | jobs.runs |
Insights Overview | insightsoverview |
Manage | manage |
Manage>Daemons | manage.daemons |
Manage>Stats | manage.stats |
Manage>Run Diagnostics | manage.rundiagnostics |
Manage>Monitoring | manage.monitoring |
Manage>AWS Account Settings | manage.awsaccountsettings |
Manage>Audit | manage.audit |
Manage>Workspaces | manage.workspaces |
Manage>Unravel Billing | manage.unravelbilling |
Migration | migration |
Migration>Cluster Discovery | migration.clusterdiscovery |
Migration>Cloud Mapping Per Host | migration.cloudmappingperhost |
Migration>Workload Fit | migration.workloadfit |
Migration>Services And Versions Compatibility | migration.servicesandversionscompatibility |
Reports | reports |
Reports>Archived | reports.archived |
Reports>Scheduled | reports.scheduled |
Reports>TopX | reports.topx |
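The main-tab and sub-tab rules in the note above can be checked before a views value is applied to a role. The following is an added example, not Unravel code: a POSIX shell model of those rules, in which split_views, has_view, grants_view and effective_views are hypothetical helper names and the sample value is constructed.

```sh
#!/bin/sh
# Added example: models the documented view ID rules; it does not call Unravel.

# Split a comma-separated views value into one ID per line, trimming spaces.
split_views() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Succeeds if the view ID in $2 is listed in the views value in $1.
has_view() {
    split_views "$1" | grep -Fxq -- "$2"
}

# Succeeds if a role with views value $1 can see view $2:
# the ID itself is listed, or its main tab is listed (main tab covers sub-tabs).
grants_view() {
    has_view "$1" "$2" || has_view "$1" "${2%%.*}"
}

# Print the effective grant as a comma-separated list. A sub-tab ID is dropped
# when its main tab is also listed, because the main tab already includes it.
effective_views() {
    split_views "$1" | sort -u | while IFS= read -r id; do
        main=${id%%.*}
        if [ "$id" != "$main" ] && has_view "$1" "$main"; then
            continue
        fi
        printf '%s\n' "$id"
    done | paste -sd, -
}

# Constructed sample value for a custom role.
ROLE1_VIEWS='clusters, clusters.overview, jobs.runs'
printf 'effective views: %s\n' "$(effective_views "$ROLE1_VIEWS")"
if grants_view "$ROLE1_VIEWS" manage.audit; then
    echo 'role1 can see Manage>Audit'
else
    echo 'role1 cannot see Manage>Audit'
fi
```

Running grants_view against sensitive IDs such as manage.audit for every custom role gives a quick review of which roles reach the Manage tab.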
You can use Data filters to set the access to app data for users in an assigned role. The following data filters are used for this purpose:
If you enable the User data filter, then the data filtering by username is enabled. Do the following to enable the User data filter.
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
From the installation directory, run the following command:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.<role>.data.user.filter true
In <role>, you must specify the role for which you set the data filter.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start
If you enable the Tags data filter, then the data filtering by app tags is enabled. Do the following to enable the Tags data filter.
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
From the installation directory, run the following command:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.<role>.data.tags.filter true
In <role>, you must specify the role for which you set the data filter.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start
If you enable the Fields data filter, then the data filtering is enabled for the specified ElasticSearch fields and values. Currently, only the following ElasticSearch fields are supported:
Fields | Description |
---|---|
clusterId | Cluster name |
clusterUid | Cluster UID |
user | App user name |
userName | App real user name |
queue | App queue. In the case of Databricks, it is the workspace name. |
kind | App type |
Do the following to enable the Fields data filter.
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
From the installation directory, run the following command:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.<role>.data.field.<field> <field_value1>,<field_value2>
In <role>, you must specify the role for which you set the data filter. In <field>, specify any of the supported ElasticSearch fields. In <field_value1>,<field_value2>, etc., specify the ElasticSearch field values.
For example:
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.queue "queue1, queue2"
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.clusterUid "cluster1, cluster2"
You can also use substitute fields when you set the Fields data filter. For example:
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.queue "queue1, queue2, \$tags.rbac_queue"
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.userName \$user
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start
If you enable the Query data filter, then the data filtering is enabled for the specified ElasticSearch query. You can set this data filter using a property value that must be a valid Elasticsearch query. Do the following to enable the Query data filter.
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
From the installation directory, run the following command:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.<role>.data.es.query <STRING>
In <role>, you must specify the role for which you want to set the data filter. In <STRING>, specify a valid ElasticSearch query string.
For example:
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.es.query "{ terms: { kind: [\"spark\"] } }"
You can also use substitute fields when you set the Query data filters.
Note
Use \ to escape special characters ! $ " ' ` \ .
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start
Substitute fields, which are keywords, can be used in Fields and Query configurations. These get resolved to some user-related information. Thus, you can pass a specific field or a query string when you set the data filter for app data access. The following substitute fields can be used when you set the data filters.
$user: The field/query gets resolved to the user’s username. For example:
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.userName "\$user"
$groups: The field/query gets resolved to the user’s groups. For example:
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.queue "\$groups"
$tags.<tag_key>: The field/query gets resolved to the user’s <tag_key> tag value. For example:
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.userName "\$tags.rbac_queue"
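The escaping rule for substitute fields matters because the shell expands an unescaped $user, $groups or $tags before the manager command ever runs, so the property is set to a different value than the one typed. The following is an added example, not part of Unravel: received is a hypothetical stand-in for the manager command that returns the last argument it was given, and value_looks_intact is a hypothetical pre-check.

```sh
#!/bin/sh
# Added example: shows the exact string the shell passes as the property value.
# received() is a hypothetical stand-in for the manager command; it returns its
# last argument so the value can be inspected without touching Unravel.
received() {
    for last in "$@"; do :; done
    printf '%s' "$last"
}

# In a typical admin shell these lowercase variables are not set.
unset user groups tags

KEY=com.unraveldata.rbac.role.role1.data.field.userName

# Escaped inside double quotes, as on this page: the keyword stays literal.
escaped=$(received config properties set "$KEY" "\$user")
# Single quotes also keep the keyword literal.
single=$(received config properties set "$KEY" '$tags.rbac_queue')
# Unescaped: the shell expands $user (unset) before the command runs.
unescaped=$(received config properties set "$KEY" "$user")
# Unescaped tag keyword: $tags expands to nothing, leaving only the suffix.
unescaped_tag=$(received config properties set "$KEY" "$tags.rbac_queue")

# Pre-check to run before "properties set": reject a value that is empty or has
# a list element that is empty or starts with "." (signs of a swallowed keyword).
value_looks_intact() {
    case ",$(printf '%s' "$1" | tr -d ' ')," in
        *,,*|*,.*) return 1 ;;
        *) return 0 ;;
    esac
}

printf 'escaped=[%s] single=[%s] unescaped=[%s] unescaped_tag=[%s]\n' \
    "$escaped" "$single" "$unescaped" "$unescaped_tag"
```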
Configure RBAC roles
Before configuring each role, ensure that you add those roles to RBAC. Refer to Add roles for RBAC. You can configure admin, readonlyAdmin, user, and custom roles for RBAC in Unravel.