1.6. About Lightspeed and Role Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a system security approach to restricting system access to authorized users who have defined roles and permissions.
OpenShift Lightspeed RBAC is binary. By default, not all cluster users have access to the OpenShift Lightspeed interface. Access must be granted by a user who can grant permissions. All users of an OpenShift cluster with OpenShift Lightspeed installed can see the OpenShift Lightspeed button; however, only users with permissions can submit questions to OpenShift Lightspeed.
If you want to evaluate the RBAC features of OpenShift Lightspeed, your cluster will need users other than the kubeadmin account. The kubeadmin account always has access to OpenShift Lightspeed.
1.6.1. Granting access to an individual user
This procedure explains how to grant access to an individual user.
Prerequisites
- You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. Alternatively, you are logged in as a user with the ability to grant permissions.
- You have deployed the OpenShift Lightspeed service.
- You have access to the OpenShift CLI (oc).
Procedure
Run the following command at the command line:
$ oc adm policy add-cluster-role-to-user \
    lightspeed-operator-query-access <user_name>
Alternatively, you can use a YAML file when granting access to an individual user by using the following command:
$ oc adm policy add-cluster-role-to-user lightspeed-operator-query-access <user_name> -o yaml --dry-run
The terminal returns the following output:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: lightspeed-operator-query-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: lightspeed-operator-query-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user_name> 1
1 - Enter the actual user name in place of <user_name> before creating the object.
Save the output as a YAML file, and run the following command to grant user access:
$ oc create -f <filename>
1.6.2. Granting access to a user group
This procedure explains how to grant access to a user group. If your cluster has more advanced identity management configured, including user groups, you can grant all users of a specific group access to the OpenShift Lightspeed service.
Prerequisites
- You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. Alternatively, you are logged in as a user with the ability to grant permissions.
- You have deployed the OpenShift Lightspeed service.
- You have access to the OpenShift CLI (oc).
Procedure
Run the following command at the command line:
$ oc adm policy add-cluster-role-to-group \
    lightspeed-operator-query-access <group_name>
Alternatively, you can use a YAML file when granting access to a user group by using the following command:
$ oc adm policy add-cluster-role-to-group lightspeed-operator-query-access <group_name> -o yaml --dry-run
The terminal returns the following output:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: lightspeed-operator-query-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: lightspeed-operator-query-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: <user_group> 1
1 - Enter the actual user group in place of <user_group> before creating the object.
Save the output as a YAML file, and run the following command to grant access to the user group:
$ oc create -f <filename>
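The following is an added example, not part of the Red Hat documentation or the Lightspeed Operator, covering both the user and the group procedures above. It builds the same ClusterRoleBinding the --dry-run commands print and audits a constructed ClusterRoleBindingList (the shape `oc get clusterrolebinding -o json` returns) to answer the binary question the page raises: which subjects can submit questions. The role name comes from the page; subject names, the second binding name and the unrelated "view" binding are constructed.

```python
# ClusterRole the Lightspeed Operator creates; the page binds it to Users and Groups.
QUERY_ROLE = "lightspeed-operator-query-access"

def query_access_binding(subject_name, kind="User", binding_name=None):
    """Build the ClusterRoleBinding the page's --dry-run commands print.
    Binding names are unique cluster-wide, so a second grant under the default
    name must append to that binding's subjects or use another name (assumed)."""
    if kind not in ("User", "Group"):
        raise ValueError("subject kind must be User or Group")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": binding_name or QUERY_ROLE},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": QUERY_ROLE},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": kind, "name": subject_name}],
    }

def query_access_subjects(binding_list):
    """Audit a ClusterRoleBindingList and return the sorted (kind, name) pairs
    bound to QUERY_ROLE. Bindings to other roles are skipped and a binding
    with no subjects contributes nothing."""
    found = set()
    for crb in binding_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != QUERY_ROLE:
            continue
        for subj in crb.get("subjects") or []:
            found.add((subj.get("kind"), subj.get("name")))
    return sorted(found)

def can_query(binding_list, user, groups=()):
    """Access is binary: the user may submit questions if the user itself or one
    of its groups is bound to QUERY_ROLE. Only this binding is modelled; kubeadmin
    (always allowed, per the page) and cluster-admin grants are not."""
    granted = set(query_access_subjects(binding_list))
    return ("User", user) in granted or any(("Group", g) in granted for g in groups)

# Constructed sample listing: one user grant, one group grant, one unrelated binding.
SAMPLE_BINDINGS = {"kind": "ClusterRoleBindingList", "items": [
    query_access_binding("alice", "User"),
    query_access_binding("lightspeed-users", "Group", "lightspeed-group-query-access"),
    {"metadata": {"name": "developers-view"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]}
```

Pass the dict returned by query_access_binding through json.dumps() to get a manifest that `oc create -f` accepts, since oc reads JSON as well as YAML.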