Skip to content

Working with Rapyuta.io RBAC

Pallab Pain edited this page Oct 19, 2023 · 18 revisions

📃 Overview

In version v4.2.1 of the CLI, we added the support for Rapyuta.io RBAC. This wiki elaborates on the usage of the feature.

Rapyuta.io supports two RBAC roles namely, admin and viewer. Before the feature was rolled out, all users were granted the admin role by default. Hence, if you view the roles of the existing users today, you may see that most of them are admins.

There are two ways a user can gain access to any project

  • they are either directly added to the project
  • they are part of a user group that has access to the project

With that, we can say that a user may be an admin or viewer in a project, or, a user group may be an admin or viewer in a project and by that relation, all members of that group either become admin or viewer in a project. Hence

  • We can update the project resource to modify user or group roles associated with it
  • We can update user group resources to update their role in a project

Both operations are supported via the rio apply command and are entirely declarative in nature.

Who can update the projects?

Currently, we have a limitation that only the organization owner and the project owner have the right to update a project. This may change in the future where we improve the overall RBAC in the product.

Who can update the user group?

At the user group level, we have a couple of more roles, i.e. group_admin and group_member. If you are in the admins list, then you can modify the user group via the rio apply command.

👨‍💻 Working with the apply command

In order to use the rio apply command, you will require manifests for projects or user groups. The rio explain project or rio explain usergroup command will print examples for you to refer. Else, you can also refer existing projects and groups.

The following commands will print usable manifests that you can update and apply.

rio project inspect {PROJECT_NAME}

rio usergroup inspect {USERGROUP_NAME}

Creating and updating project with roles

rio_apply_project.mp4

The project owner and the organization owner will be added to any project implicitly and their roles cannot be modified.

Creating and updating usergroup with roles

rio_apply_usergroup.mp4

The group owner and the organization owner will be added to the group implicitly. Hence, despite not adding any admins in the manifest, we see that two users are listed under the admins section in the inspect command output.


⚠️ Please Note

  • Users added to a project via the UI will get viewer role by default.
  • Projects added to user groups via the UI will be added with viewer role by default.