Sample Roles and Permissions

Shipa offers a comprehensive role-based access control (RBAC) system designed to give users fine-grained access to the resources in your Shipa installation.

Admin users have the ability to list all available permissions using the command below:

shipa permission list

Administrators use permissions from the list to define roles and assign users to those roles to create an RBAC system satisfying their internal requirements.

As a quick start, we have created sample roles with a base set of permissions to allow Developers and Operators to use Shipa.


Role Names

The roles listed below are intended to be used as a base. These role names and their permissions can be changed at any time to better address your requirements.

These roles are created in addition to the ones that are automatically created when Shipa is installed.


Team and Users

Create a dev team and two users, [email protected] and [email protected], to follow the examples below.

Create the dev team:

shipa team create dev

Create the [email protected] and [email protected] users:

shipa user create [email protected]
shipa user create [email protected]

The goal of this example is to build a structure similar to the one below.

Ops Roles and Permissions


User and Team Setup

The section below assumes that you:

  • Logged in as the Shipa instance admin user and created an Ops user
  • Logged in as the Shipa instance admin user and created a team named dev

Create the roles with permissions listed in the following table so that Ops users can:

  • Control and have administrator-level visibility of the teams they are assigned to
  • Create and manage frameworks for the team
  • Create and manage clusters for the team

shipa role list
+----------------------+------------------+----------------------+
| Role                 | Context          | Permissions          |
+----------------------+------------------+----------------------+
| OpsFWResources       | framework        | cluster              |
|                      |                  | node                 |
|                      |                  | framework            |
|                      |                  | volume               |
+----------------------+------------------+----------------------+
| OpsClusterResources  | cluster          | cluster              |
+----------------------+------------------+----------------------+
| OpsTeamResources     | team             | app                  |
|                      |                  | cluster              |
|                      |                  | plan                 |
|                      |                  | framework            |
|                      |                  | team                 |
|                      |                  | volume               |
|                      |                  | volume-plan          |
+----------------------+------------------+----------------------+

Create the roles listed above using the following commands:

shipa role add OpsFWResources framework
shipa role add OpsClusterResources cluster
shipa role add OpsTeamResources team

Assign permissions to the roles with the following commands:

OpsFWResources role

shipa role permission add OpsFWResources cluster node framework volume

OpsClusterResources role

shipa role permission add OpsClusterResources cluster

OpsTeamResources role

shipa role permission add OpsTeamResources app cluster plan framework team volume volume-plan

Assign the newly created roles to the ops user [email protected]:

shipa role assign OpsFWResources [email protected]
shipa role assign OpsClusterResources [email protected]
shipa role assign OpsTeamResources [email protected] dev

Devs Roles and Permissions


Ops and Framework Setup

The section below assumes that you:

  • Already created an Ops user with the roles and permissions from the previous section
  • Logged in as the Shipa instance admin user and created a team named dev
  • Logged in as the Ops user and created a framework named framework1

Create the roles and permissions in the table below so that development users can:

  • View the frameworks they can deploy their apps to
  • Create and manage applications

shipa role list
+----------------------+------------------+----------------------+
| Role                 | Context          | Permissions          |
+----------------------+------------------+----------------------+
| DevTeamResources     | team             | app                  |
|                      |                  | cluster.read         |
|                      |                  | framework.read       |
|                      |                  | framework.update     |
|                      |                  | plan.read            |
|                      |                  | volume.read          |
|                      |                  | volume-plan.read     |
|                      |                  | volume.update.bind   |
|                      |                  | volume.update.unbind |
+----------------------+------------------+----------------------+
| DevFWResources       | framework        | app                  |
|                      |                  | node.read            |
|                      |                  | cluster.read         |
+----------------------+------------------+----------------------+

Create the roles above using the following commands:

shipa role add DevTeamResources team
shipa role add DevFWResources framework

Assign permissions to the roles listed above using the following commands:

DevTeamResources role

shipa role permission add DevTeamResources app cluster.read framework.read framework.update volume.read volume-plan.read volume.update.bind volume.update.unbind plan.read

DevFWResources role

shipa role permission add DevFWResources app node.read cluster.read

Assign the newly added roles and permissions to the dev user:

shipa role assign DevTeamResources [email protected] dev
shipa role assign DevFWResources [email protected] framework1

Common Shared Roles and Permissions

Both Ops and Devs use shared permissions from Shipa's RBAC to perform common tasks such as:

  • See available platforms for deploying apps
  • See roles assigned to their users

Create the following role with dev and ops as members:

shipa role list
+----------------------+------------------+----------------------+
| Role                 | Context          | Permissions          |
+----------------------+------------------+----------------------+
| GlobalResources      | global           | platform.image       |
|                      |                  | platform.read        |
|                      |                  | role.read            |
+----------------------+------------------+----------------------+

Create the role above with the following command:


Context Level

Run the command below that matches your Shipa instance type (Cloud or Self-Hosted).

The global context level is not available on Shipa Cloud; use the organization context level instead.

Self-Hosted

shipa role add GlobalResources global

Cloud

shipa role add GlobalResources organization

Assign permissions to the role using the following command:

shipa role permission add GlobalResources platform.read platform.image role.read

Once the role is created and permissions are added, assign the roles to both Dev and Ops users:

shipa role assign GlobalResources [email protected]
shipa role assign GlobalResources [email protected]
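As an added example (not Shipa's own code), the following Python parses `shipa role list` output in the table format shown on this page and flags any Dev* role that holds an unscoped infrastructure permission (a bare cluster, node or framework entry) instead of the read-scoped entries the Dev tables above intend. The sample table, the Dev name prefix and the reading of a bare resource name as covering every action on it are assumptions.

```python
# Constructed sample in the `shipa role list` table format used on this page;
# DevTeamResources has been given a bare "cluster" permission to show drift.
SAMPLE_ROLE_LIST = """\
+----------------------+------------------+----------------------+
| Role                 | Context          | Permissions          |
+----------------------+------------------+----------------------+
| OpsClusterResources  | cluster          | cluster              |
+----------------------+------------------+----------------------+
| DevTeamResources     | team             | app                  |
|                      |                  | cluster              |
|                      |                  | framework.update     |
+----------------------+------------------+----------------------+
| DevFWResources       | framework        | app                  |
|                      |                  | node.read            |
|                      |                  | cluster.read         |
+----------------------+------------------+----------------------+
"""

# Assumption (consistent with the tables above): a bare resource name such as
# "cluster" covers every action on it; "cluster.read" is the read-only subset.
INFRA_RESOURCES = ("cluster", "node", "framework")


def parse_role_list(text):
    """Turn `shipa role list` output into {role: (context, [permission, ...])}."""
    roles, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # "+----+" border rows carry no data
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0] == "Role":
            continue  # header row
        role, context, perm = cells
        if role:  # first row of a role; continuation rows leave it blank
            current = role
            roles[current] = (context, [])
        if perm and current:
            roles[current][1].append(perm)
    return roles


def audit_dev_roles(roles, prefix="Dev"):
    """Return {role: [unscoped infrastructure permission]} for Dev* roles."""
    findings = {}
    for role, (_context, perms) in roles.items():
        if role.startswith(prefix):
            broad = [p for p in perms if p in INFRA_RESOURCES]
            if broad:
                findings[role] = broad
    return findings
```

Pipe the real `shipa role list` output into `parse_role_list` and run `audit_dev_roles` on it after each role change to catch a developer role that has quietly gained cluster-wide or framework-wide control.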
