Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a security method that restricts resources access to authorized users based on their assigned roles. In Uyuni, RBAC ensures that users can only perform actions and access resources for which they have explicit authorization, enhancing security and simplifying administration.
The core principles of RBAC include:
-
Principle of Least Privilege: Granting only the necessary access rights for users to perform their tasks.
-
Granular Control: Providing fine-grained control over specific functionalities.
-
Separation of Duties: Preventing a single user from having too much control over critical processes.
-
Auditability: Allowing for clear tracking of user actions and permissions.
1. Key RBAC Concepts
Understanding the following core concepts is crucial for effective RBAC management:
-
Role: A collection of permissions defining a specific set of capabilities within Uyuni. Roles are assigned to users, granting the user aggregated permissions.
-
Permission: An atomic authorization to perform a specific action, access a specific web page or call a specific API endpoint within Uyuni. In Uyuni, permissions are represented by namespaces and their access modes.
-
User: An individual account that interacts with Uyuni. Users are assigned one or more roles.
-
Namespace: A granular unit of access control organized in a tree-like structure. Most namespaces have distinct "View" or "Modify" modes.
2. User Roles in Uyuni
Uyuni provides predefined roles and allows for the definition of additional custom roles, optionally inheriting from a combination of other roles.
2.1. Predefined Roles
Refer to administration:users.adoc#administrator-roles for a complete list of predefined roles and their descriptions.
2.2. Defining Additional Roles
To define additional roles, you can:
-
Select a number of existing roles to inherit permissions from.
-
Specify additional namespaces to grant access to.
3. Namespaces for Fine-Grained Access
Namespaces provide fine-grained access control, organized in a tree-like structure. For most namespaces, access within a namespace is further granularized by "View" and "Modify" modes.
Namespace | Access Mode | Description |
---|---|---|
|
Modify |
Build container or Kiwi images |
|
Modify |
Import container images from a registered image store |
|
View |
List all images |
|
Modify |
Delete images |
|
View |
View image details, patches, packages, build log and cluster information |
|
Modify |
Inspect, rebuild, delete images |
|
View |
View details of an image profile |
|
Modify |
Create image profiles, edit profile details |
|
View |
List all image profiles |
|
Modify |
Delete image profiles |
|
View |
View details of an image store |
|
Modify |
Create image stores, edit store details |
|
View |
List all image stores |
|
Modify |
Delete image stores |
A comprehensive list of namespaces and their descriptions can be retrieved by making a call to the access.listNamespaces
API method.
Refer to Uyuni API documentation for detailed information, including request and response formats.
4. Managing RBAC
Managing RBAC roles and permissions is currently only possible through the API. To assign roles to users via the web UI, refer to Users.
4.1. Managing RBAC via API
The Uyuni API provides methods for programmaticaly managing roles, permissions and user assignments.
4.1.1. The access
API
These API methods manage roles and their associated access:
-
listNamespaces
: Lists available namespaces, access modes and their descriptions in Uyuni. -
listPermissions
: Lists permitted namespaces of a role. -
listRoles
: Lists existing roles in Uyuni. -
createRole
: Creates a new role, optionally copying permissions from existing roles. -
deleteRole
: Deletes a role. -
grantAccess
: Grants access to namespaces. -
revokeAccess
: Revokes access to namespaces.
4.1.2. The user
API
These API methods manage user-role assignments:
-
listPermissions
: Lists effective permissions of a user. -
listRoles
: Lists a user’s assigned roles. -
addRole
: Assigns a role to a user. -
removeRole
: Removes a role from a user.
For detailed API documentation, including request and response formats, refer to Uyuni API reference.
5. RBAC Best Practices
Adhering to these best practices will help maintain a secure, efficient, and manageable RBAC environment:
-
Principle of least privilege: Always grant users the minimum permissions necessary to perform their duties. Avoid overly broad permissions.
-
Regular review: Periodically review assigned roles and permissions for users to ensure they are still appropriate and comply with current security policies.
-
Document roles: Clearly document the purpose and permissions of each custom role you create.
-
Separate duties: Implement roles that enforce separation of duties to prevent a single user from having too much control over critical processes.