Role-Based Access Control (RBAC)

Unravel supports the following roles.

  • Admin – has complete access to the UI with read/write permissions.

  • Read-only admin – has complete access to the UI but cannot write.

  • Cluster – same as Read-only admin, but can access only those clusters to which the user is assigned.

  • User (Restricted) – can only access the Jobs > Application tabs.

  • User (extended) – can access Jobs > Application, Clusters > Resources, and Clusters > Chargeback.

RBAC lets admins restrict the pages a specific end-user can view and how those pages are populated. Application tagging is intertwined with RBAC. While it is possible to use RBAC without defining application tags, its usefulness is limited. See What is tagging? if you are not familiar with the concept of tagging and how to generate tags for Unravel to use.

The end-user's access is restricted based upon three factors:

  1. Tags for the end-user

    You can create tags for

    End-users are then associated with the RBAC user tags via LDAP or SAML groups. Refer to Configuring tags for RBAC.

    When RBAC is turned on, an end-user's view is filtered based upon their tags. For instance, if a user only has the defined tag dept:marketing they can only see applications tagged with dept:marketing.

  2. Unravel default tag

    The default tag is used to filter the end-user's view. It is set to Username by default.

  3. Mode

    The following options are available for mode:

What the end-user sees when RBAC is turned on

The pages available to the end-user are determined by the user restriction mode. The applications shown on those pages are determined by tags, which are filtered by user.

Note

If the default command is not set and an end-user has no tags, the viewable pages are displayed blank.
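
The filtering described above can be reasoned about with a small model. This is an added example, not Unravel code: the function names, the application record shape (id, owner, tags), and the rule that an application matches when it carries any one of the user's tags are assumptions made for illustration, and the sample data is constructed.

```python
# Simplified model of the RBAC view filtering described above.
# All names and sample data are constructed; this is not Unravel code.

# Pages per mode, taken from the role descriptions on this page.
PAGES = {
    "restricted": ["Jobs > Application"],
    "extended": ["Jobs > Application", "Clusters > Resources", "Clusters > Chargeback"],
}

def visible_pages(mode):
    """Pages an end-user can open when RBAC is enabled with the given mode."""
    if mode not in PAGES:
        raise ValueError(f"mode must be one of {sorted(PAGES)}")
    return PAGES[mode]

def visible_apps(username, user_tags, apps, default_by_username=True):
    """Applications used to populate those pages for one end-user.

    user_tags: set of "key:value" strings assigned through LDAP/SAML groups.
    apps: list of dicts with "id", "owner" and "tags" (assumed record shape).
    default_by_username: whether the default tag (Username) is set.
    """
    if user_tags:
        # Assumption: an application matches if it carries any of the user's tags.
        return [a["id"] for a in apps if user_tags & a["tags"]]
    if default_by_username:
        # No tags for this user: fall back to the default tag (Username).
        return [a["id"] for a in apps if a["owner"] == username]
    # Neither tags nor default: the pages are reachable but blank.
    return []

# Constructed sample applications.
APPS = [
    {"id": "app-1", "owner": "alice", "tags": {"dept:marketing"}},
    {"id": "app-2", "owner": "bob", "tags": {"dept:finance"}},
    {"id": "app-3", "owner": "carol", "tags": {"dept:marketing", "project:q3"}},
    {"id": "app-4", "owner": "bob", "tags": set()},
]

if __name__ == "__main__":
    print(visible_pages("restricted"))
    print(visible_apps("alice", {"dept:marketing"}, APPS))  # tagged view
    print(visible_apps("bob", set(), APPS))                 # default-tag view
    print(visible_apps("dave", set(), APPS, False))         # blank view
```

Running a model like this against a list of real tag assignments before enabling RBAC helps spot users who would end up with a blank view or with a broader view than intended.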

Configuring RBAC

Complete the following steps to configure RBAC:

  1. Stop Unravel.

    <Unravel installation directory>/unravel/manager stop
    
  2. From the installation directory, run the following commands to set the RBAC configurations.

    <Unravel installation directory>/unravel/manager config rbac enable
    <Unravel installation directory>/unravel/manager config rbac default <user|userName>
    <Unravel installation directory>/unravel/manager config rbac mode <extended|restricted>
    

    The following table describes each subcommand:

    Subcommand      Description

    rbac enable     Enable RBAC.

    rbac disable    Disable RBAC.

    rbac default    Determines how an end-user's views are filtered when no specific tags are set for them.
                    • userName: filters view by the user's name.
                    • user: filters view by the real user's name.

    rbac mode       Determines the UI pages the end-user can access when RBAC is enabled. Values are extended and restricted.
                    extended: a user can access the following:
                    restricted: a user can only access Jobs > All Applications.
                    The admins can access all the tabs.

    rbac add        Configures a user-defined tag key and regular expression to filter the end-user's view. You can configure multiple tags using this option.

    rbac remove     Removes a tag that was added using the rbac add option.

    rbac show       Shows the list of tags.

  3. Assign the admin, read-only, cluster, and user roles to users or groups as applicable. Refer to Adding admins to Unravel, Adding read-only admins to Unravel, Adding cluster admins to Unravel.

  4. Apply the changes.

    <Unravel installation directory>/unravel/manager config apply
    
  5. Start Unravel.

    <Unravel installation directory>/unravel/manager start