Working with Rapyuta.io RBAC
In version v4.2.1 of the CLI, we added support for Rapyuta.io RBAC. This wiki explains how to use the feature.
Rapyuta.io supports two RBAC roles, namely `admin` and `viewer`. Before the feature was rolled out, all users were granted the `admin` role by default. Hence, if you view the roles of the existing users today, you may see that most of them are admins.
There are two ways a user can gain access to any project:
- they are either directly added to the project
- they are part of a user group that has access to the project
With that, we can say that a user may be an `admin` or `viewer` in a project, or a user group may be an `admin` or `viewer` in a project and, by that relation, all members of that group become either `admin` or `viewer` in that project. Hence:
- We can update the project resource to modify user or group roles associated with it
- We can update user group resources to update their role in a project
Both operations are supported via the `rio apply` command and are entirely declarative in nature.
Currently, we have a limitation that only the organization owner and the project owner have the right to update a project. This may change in the future as we improve the overall RBAC in the product.
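The two access paths described above (direct membership and membership through a user group) can be enumerated for an access review. This is an added example, not code from the rio CLI or this wiki; the data layout, names and e-mail addresses are constructed assumptions, not the rio manifest schema. It reports users with differing roles on different paths instead of resolving them, because this page does not state which role takes precedence.

```python
from collections import defaultdict

# Constructed sample data; this layout is a simplification for the example,
# not the rio manifest schema.
ORG_OWNER = "root@example.com"
PROJECTS = {
    "warehouse": {
        "owner": "pat@example.com",
        "users": {"alice@example.com": "admin", "bob@example.com": "viewer"},
        "groups": {"ops": "admin", "interns": "viewer"},
    }
}
GROUP_MEMBERS = {
    "ops": ["bob@example.com", "carol@example.com"],
    "interns": ["dave@example.com"],
}


def access_paths(project_name):
    """Map each user to every (role, source) path that reaches the project."""
    project = PROJECTS[project_name]
    paths = defaultdict(list)
    # Owners are added implicitly and their roles cannot be modified.
    paths[ORG_OWNER].append(("implicit", "organization owner"))
    paths[project["owner"]].append(("implicit", "project owner"))
    for user, role in project["users"].items():
        paths[user].append((role, "direct"))
    for group, role in project["groups"].items():
        for user in GROUP_MEMBERS.get(group, []):
            paths[user].append((role, f"group:{group}"))
    return dict(paths)


def review(project_name):
    """Flag users that a review of the project's direct user list would misjudge."""
    findings = {"admin_only_via_group": [], "mixed_roles": []}
    for user, paths in sorted(access_paths(project_name).items()):
        roles = {role for role, _ in paths if role != "implicit"}
        direct = [role for role, source in paths if source == "direct"]
        if "admin" in roles and "admin" not in direct:
            findings["admin_only_via_group"].append(user)
        if len(roles) > 1:
            # Precedence is not stated on this page, so report, do not resolve.
            findings["mixed_roles"].append(user)
    return findings


if __name__ == "__main__":
    print(review("warehouse"))
```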
At the user group level, we have a couple more roles, i.e. `group_admin` and `group_member`. If you are in the admins list, then you can modify the user group via the `rio apply` command.
In order to use the `rio apply` command, you will need manifests for projects or user groups. The `rio explain project` or `rio explain usergroup` command will print examples for you to refer to. Alternatively, you can refer to existing projects and groups.
The following commands will print usable manifests that you can update and apply.
```
rio project inspect {PROJECT_NAME}
rio usergroup inspect {USERGROUP_NAME}
```
[Video: rio_apply_project.mp4]
The project owner and the organization owner will be added to any project implicitly and their roles cannot be modified.
[Video: rio_apply_usergroup.mp4]
The group owner and the organization owner will be added to the group implicitly. Hence, despite not adding any admins in the manifest, we see that two users are listed under the admins section in the inspect command output.
- Users added to a project via the UI will get the `viewer` role by default.
- Projects added to user groups via the UI will be added with the `viewer` role by default.