Sample Roles and Permissions
Shipa offers a comprehensive Role-based access control system (RBAC) designed to provide users fine-grained access to resources in your Shipa installation.
Admin users have the ability to list all available permissions using the command below:
shipa permission list
Administrators use permissions from the list to define roles and assign users to those roles to create an RBAC system satisfying their internal requirements.
As a quick start, we have created sample roles with a base set of permissions to allow Developers and Operators to use Shipa.
Role Names
The roles listed below are intended to be used as a base. These role names and their permissions can be changed at any time to better address your requirements.
These roles are created in addition to the ones that are automatically created when Shipa is installed.
Team and Users
Create a dev team and two users, [email protected] and [email protected] to follow the examples below.
Create the dev team:
$ shipa team create devCreate the [email protected] and [email protected] users:
$ shipa user create [email protected]
$ shipa user create [email protected]
The goal of this example is to build a structure similar to the one below.
Ops Roles and Permissions
User and Team Setup
The section below assumes that you:
- Logged in as the Shipa instance admin user and created an Ops user
- Logged in as the Shipa instance admin user and created a team named dev
Create the roles with permissions listed in the following table so that Ops users can:
- Control and have administrator-level visibility of the teams they are assigned to
- Create and manage frameworks for the team
- Create and manage clusters for the team
shipa role list
+----------------------+------------------+----------------------+
| Role | Context | Permissions |
+----------------------+------------------+----------------------+
| OpsFWResources | framework | cluster |
| | | node |
| | | framework |
| | | volume |
+----------------------+------------------+----------------------+
| OpsClusterResources | cluster | cluster |
+----------------------+------------------+----------------------+
| OpsTeamResources | team | app |
| | | cluster |
| | | plan |
| | | framework |
| | | team |
| | | volume |
| | | volume-plan |
+----------------------+------------------+----------------------+
Create the roles listed above using the following commands:
shipa role add OpsFWResources framework
shipa role add OpsClusterResources cluster
shipa role add OpsTeamResources team
Assign permissions to the roles with the following commands:
OpsFWResources role
shipa role permission add OpsFWResources cluster node framework volume
OpsClusterResources role
shipa role permission add OpsClusterResources cluster
OpsTeamResources role
shipa role permission add OpsTeamResources app cluster plan framework team volume volume-plan
Assign the newly created roles to the ops user [email protected]:
shipa role assign OpsFWResources [email protected]
shipa role assign OpsClusterResources o[email protected]
shipa role assign OpsTeamResources [email protected] dev
Devs Roles and Permissions
Ops and Framework Setup
The section below assumes that you:
- Already created an Ops user with the roles and permissions from the previous section
- Logged in as the Shipa instance admin user and created a team named dev
- Logged in as the Ops user and created a framework named framework1
Create the roles and permissions in the table below so that development users can:
- View the frameworks they can deploy their apps to
- Create and manage applications
shipa role list
+----------------------+------------------+----------------------+
| Role | Context | Permissions |
+----------------------+------------------+----------------------+
| DevTeamResources | team | app |
| | | cluster.read |
| | | framework.read |
| | | framework.update |
| | | plan.read |
| | | volume.read |
| | | volume-plan.read |
| | | volume.update.bind |
| | | volume.update.unbind |
+----------------------+------------------+----------------------+
| DevFWResources | framework | app |
| | | node.read |
| | | cluster.read |
+----------------------+------------------+----------------------+
Create the roles above using the following commands:
shipa role add DevTeamResources team
shipa role add DevFWResources framework
Assign permissions to roles listed above using the following commands:
DevTeamResources role
shipa role permission add DevTeamResources app cluster.read framework.read framework.update volume.read volume-plan.read volume.update.bind volume.update.unbind plan.read
DevFWResources role
shipa role permission add DevFWResources app node.read cluster.read
Assign the newly added roles and permissions to the dev user:
shipa role assign DevTeamResources [email protected] dev
shipa role assign DevFWResources [email protected] framework1
Common Shared Roles and Permissions
Both Ops and Devs use shared permissions from Shipa's RBAC to perform common tasks such as:
- See available platforms for deploying apps
- See roles assigned to their users
Create the following role with dev and ops as members:
shipa role list
+----------------------+------------------+----------------------+
| Role | Context | Permissions |
+----------------------+------------------+----------------------+
| GlobalResources | global | platform.image |
| | | platform.read |
| | | role.read |
+----------------------+------------------+----------------------+
Create the role above with the following command:
Context Level
Run the command below based on your Shipa instance type: Cloud or Self-Hosted
Global context-level is not available on Shipa Cloud and should be replaced by organization level.
shipa role add GlobalResources global
shipa role add GlobalResources organization
Assign permissions to the role using the following command:
shipa role permission add GlobalResources platform.read platform.image role.read
Once the role is created and permissions are added, assign the roles to both Dev and Ops users:
shipa role assign GlobalResources [email protected]
shipa role assign GlobalResources [email protected]
Updated 6 months ago