- Home
- Unravel 4.7.3.x Documentation
- Configurations
- Roles and Role-based Access Control (RBAC)
- Assign role permissions
Assign role permissions
The following permissions are used in RBAC: - View Filters (restricting UI) and Data Filters (restricting Data).
Views are Unravel UI pages. You can enable or disable the views based on your role as an admin. The users can only see the views enabled for their assigned roles. Each view has an ID which you must include in the configuration. Refer to the View ID list. If you do not configure the Views, then the following default Views are shown:
Clusters>Resources
Clusters>Chargeback
Compute
Jobs
From the installation directory, run the following command to set the views for the users in a role.
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.
<role>
.views<view ID1>
,<view ID2>
,<view ID3>
For example:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.role1.views cost.trends,clusters.overview
In
<role>
, you must specify the role for which you want to set the views.In
<view ID>
, specify the view ID you want to set the role. Refer to the View ID list.Note
If you set a view ID of the main tab on Unravel UI, for example, the Clusters tab, then all the sub-tabs within the Cluster tab, such as Overview, Resources, Workload, are automatically included in the view that is set for the role.
If you provide the view ID of the main tab and the sub-tab, the view of the main tab is included.
If you provide only the view ID of the sub-tab, then only those sub-tabs are included in the view settings for the role.
Stop Unravel, apply the changes, and start Unravel.
<Unravel installation directory>/unravel/manager stop then config apply then start
Unravel UI tabs | View ID |
---|---|
App Store | appstore |
AutoActions | autoactions |
Cost | cost |
Clusters | clusters |
Clusters>Overview | clusters.overview |
Clusters>Resources | clusters.resources |
Clusters>Job Trends | clusters.jobstrends |
Clusters>Workload | clusters.workload |
Clusters>Chargeback | clusters.chargeback |
Clusters>ElasticSearch | clusters.elasticsearch |
Clusters>Logstash | clusters.logstash |
Clusters>Kibana | clusters.kibana |
Clusters>Kafka | clusters.kafka |
Clusters>HBase | clusters.hbase |
Clusters>Insights | clusters.clusterinsights |
Compute | compute |
Data | data |
Data>Overview | data.overview |
Data>Tables | data.tables |
Data>Forecasting | data.forecasting |
Data>Small Files | data.smallfiles |
Data>File Reports | data.filereports |
Jobs | jobs |
Jobs>Applications | jobs.applications |
Jobs>Pipelines | jobs.pipelines |
Jobs>Sessions | jobs.sessions |
Jobs>Schedule Jobs | jobs.schedulejobs |
Jobs>Jobs | jobs.jobs |
Jobs>Runs | jobs.runs |
Insights Overview | insightsoverview |
Manage | manage |
Manage>Daemons | manage.daemons |
Manage>Stats | manage.stats |
Manage>Run Diagnostics | manage.rundiagnostics |
Manage>Monitoring | manage.monitoring |
Manage>AWS Account Settings | manage.awsaccountsettings |
Manage>Audit | manage.audit |
Manage>Workspaces | manage.workspaces |
Manage>Unravel Billing | manage.unravelbilling |
Migration | migration |
Migration>Cluster Discovery | migration.clusterdiscovery |
Migration>Cloud Mapping Per Host | migration.cloudmappingperhost |
Migration>Workload Fit | migration.workloadfit |
Migration>Services And Versions Compatibility | migration.servicesandversionscompatibility |
Reports | reports |
Reports>Archived | reports.archived |
Reports>Scheduled | reports.scheduled |
Reports>TopX | reports.topx |
Data is the app content displayed on the Unravel UI pages. You can use data filters to configure permissions for a role to restrict access to data.
If you enable the App Data Fields data filter, then the data filtering is enabled for the specified ElasticSearch fields and values. Currently, only the following ElasticSearch fields are supported:
From the installation directory, run the following command:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.<
role>
.data.field.<field>
<field_value1>
,<field_value2>
In
<role>
, you must specify the role for which set the data filterIn
<field>
specify any of the supported ElasticSearch fields.In
<field_value1>
,<field_value2
>, etc., specify the ElasticSearch field values.For example:
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.queue "queue1, queue2" /opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.clusterUid "cluster1, cluster2"
You can also use substitute tokens when you set the App Data Fields data filter. For example:
opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.queue "queue1, queue2, \$tags.rbac_queue" /opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.field.userName \$user
Stop Unravel, apply the changes, and start Unravel.
<Unravel installation directory>/unravel/manager stop then config apply then start
Fields | Description |
---|---|
clusterId | Cluster name |
clusterUid | Cluster UID |
user | App user name |
userName | App real user name |
queue | App queue. In the case of Databricks, it is the workspace name. |
kind | App type |
If you enable the Username data filter, then the data filtering by username is enabled.
From the installation directory, run the following command:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.
<role>
.data.user.filter trueIn
<role>
, you must specify the role for which you set the data filter.Stop Unravel, apply the changes, and start Unravel.
<Unravel installation directory>/unravel/manager stop then config apply then start
If you enable the App Tags data filter, then the data filtering by app tags is enabled.
From the installation directory, run the following command:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.
<role>
.data.tags.filter trueIn
<role>
, you must specify the role for which set the data filterStop Unravel, apply the changes, and start Unravel.
<Unravel installation directory>/unravel/manager stop then config apply then start
If you enable the Elasticsearch Query data filter, then the data filtering is enabled for the specified ElasticSearch query. You can set this data filter using a property value that must be a valid Elasticsearch query.
From the installation directory, run the following command:
<Unravel installation directory>/unravel/manager config properties set com.unraveldata.rbac.role.<
role>
.data.es.query<STRING>
In
<role>
, you must specify the role for which you want to set the data filterIn
<STRING>
specify a valid ElasticSearch query.For example:
/opt/unravel/manager config properties set com.unraveldata.rbac.role.role1.data.es.query "{ terms: { kind: [\"spark\"] } }"
You can also use substitute tokens when you set the Query data filters.
Note
Use \ to escape special characters ! $ " ' ` \ .
Stop Unravel, apply the changes, and start Unravel.
<Unravel installation directory>/unravel/manager stop then config apply then start
Substitute tokens
Substitute tokens are unique keywords that can be used as a part of property values in App Data Fields and Elasticsearch Query data filters. These tokens get resolved to the username, groups, and tags of a logged-in user.
You can pass a specific field or a query string when you set the data filter for app data access. The following substitute tokens can be used when you set the data filters.
$user: The field/query gets resolved to the logged-in user’s username.
Example:
./manager config properties set com.unraveldata.rbac.role.dev.data.field.userName '$user'
$groups: The field/query gets resolved to the logged-in user’s groups.
Example:
./manager config properties set com.unraveldata.rbac.role.dev.data.field.queue '$groups'
$tags.<tag_key>: The field/query gets resolved to the logged-in user’s
<tag_key>
tag value. For information about tags, see User Tags.Example:
./manager config properties set com.unraveldata.rbac.role.dev.data.es.query '{ terms: { kind: “$tags.kind_tag” } }'