Role-Based Access Control (RBAC)
Unravel supports the following roles.
Admin – has complete access to UI with read/write permissions.
Read-only admin – has complete access to the UI but cannot write.
Cluster - Same as Read-only admin, but can access only those clusters to which the user is assigned.
User (Restricted) - Can only access the Jobs > Application tabs.
User (extended) - Can access Jobs > Application, Clusters > Resources, and Clusters > Chargeback.
RBAC lets admins restrict the pages a specific end-user can view and how those pages are populated. Application tagging is intertwined with RBAC. While it is possible to use RBAC without defining application tags, its usefulness is limited. See What is tagging? if you are not familiar with the concept of tagging and how to generate tags for Unravel to use.
The end-user's access is restricted based upon three factors:
Tags for the end-user
You can create tags for
Applications - See Tagging applications.
Workflows - See Tagging workflows.
End-users are then associated with the RBAC user tags via LDAP or SAML groups. Refer to Configuring tags for RBAC.
When RBAC is turned on, an end-user's view is filtered based upon their tags. For instance, if a user only has the defined tag dept:marketing they can only see applications tagged with dept:marketing.
Unravel default tag
The default tag is used to filter the end-user's view. It is set to Username by default.
Mode
The following options are available for mode:
extended - a user can access the following:
restricted - a user can only access Jobs > All Applications
What the end-user sees when RBAC is turned on
The end-user sees the pages available under their restriction mode, populated with the applications selected by their tags, which are filtered by user.
Note
If the default command is not set and an end-user has no tags, the viewable pages are populated (blank).
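A small model of the filtering described above, added here as an illustration; it is not Unravel's code. The rule patterns, group names and applications are constructed, and two behaviours are assumptions: a rule's regex must match the whole group name with its first capture group becoming the tag value, and an application is visible when any one of the user's tags matches.

```python
import re

# Constructed rules, in the shape of `rbac add <rbac_key> <rbac_regex>`.
RULES = {"dept": r"dept-(\w+)", "project": r"proj-(\w+)"}

# Constructed applications: "user" is the submitting user, "tags" the application tags.
APPS = [
    {"id": "app-1", "user": "alice", "tags": {"dept": "marketing"}},
    {"id": "app-2", "user": "bob", "tags": {"dept": "finance"}},
    {"id": "app-3", "user": "carol", "tags": {"dept": "marketing", "project": "churn"}},
    {"id": "app-4", "user": "dave", "tags": {}},
]


def user_tags(groups, rules=RULES):
    """Derive (key, value) RBAC tags from a user's LDAP/SAML group names."""
    tags = set()
    for key, pattern in rules.items():
        rx = re.compile(pattern)
        for group in groups:
            # Assumption: the whole group name must match, so a group such as
            # "xdept-marketing-old" does not silently yield dept:marketing.
            match = rx.fullmatch(group)
            if match:
                tags.add((key, match.group(1)))
    return tags


def visible_apps(username, groups, apps=APPS, rules=RULES):
    """Return the application ids an end-user would see with RBAC turned on."""
    tags = user_tags(groups, rules)
    if tags:
        # Assumption: one matching tag is enough to make an application visible.
        return [a["id"] for a in apps if tags & set(a["tags"].items())]
    # No tags for this user: fall back to the default tag (the user's name).
    return [a["id"] for a in apps if a["user"] == username]


if __name__ == "__main__":
    for name, groups in [("alice", ["dept-marketing"]), ("dave", ["staff"])]:
        print(name, sorted(user_tags(groups)), visible_apps(name, groups))
```

Running candidate rules against an export of real group names in this way, before enabling RBAC, shows which users would end up with no tags and fall back to the default tag.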
Configuring RBAC
Run the following steps to configure RBAC:
Stop Unravel.
<Unravel installation directory>/unravel/manager stop
From the installation directory, run the following commands to set the RBAC configurations.
<Unravel installation directory>/unravel/manager config rbac enable
<Unravel installation directory>/unravel/manager config rbac default <user|userName>
<Unravel installation directory>/unravel/manager config rbac mode <extended|restricted>
<Unravel installation directory>/unravel/manager config rbac add <rbac_key> <rbac_regex>
The following table provides the description for each command:
Subcommand - Description
rbac enable - Enable RBAC.
rbac disable - Disable RBAC.
rbac default - Determines how an end-user's views are filtered when no specific tags are set for them.
    userName: filters view by the user's name.
    user: filters view by the real user's name.
rbac mode - Determines the UI pages the end-user can access when RBAC is enabled. Values are extended and restricted.
    extended: a user can access the following:
    restricted: a user can only access Jobs > All Applications
    The admins can access all the tabs.
rbac add - Configures a user-defined tag key and regular expression to filter the end-user's view. You can configure multiple tags using this option.
rbac remove - Removes a tag that was added using the rbac add option.
rbac show - Shows the list of tags.
Assign the admin, read-only, cluster, and user roles to users or groups as applicable. Refer to Adding admins to Unravel, Adding read-only admins to Unravel, Adding cluster admins to Unravel.
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel.
<Unravel installation directory>/unravel/manager start