| 1 | +# System Roles |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +The Connectors Operator implements a plugin-based RBAC system that provides granular permission control for connector resources. System roles are distributed as ClusterRoles that automatically aggregate into the platform's default roles, enabling seamless integration with the existing permission model. |
| 6 | + |
| 7 | +## Architecture |
| 8 | + |
| 9 | +### Role Distribution |
| 10 | + |
| 11 | +All role permissions are defined as `ClusterRoles` within the operator and are: |
| 12 | +- Located in the `/config/roles` folder |
| 13 | +- Automatically included in the operator bundle via kustomization |
| 14 | +- Aggregated into system-wide roles using label-based selectors |
| 15 | + |
| 16 | +### Bundle Generation |
| 17 | + |
| 18 | +The roles are integrated into the final deployment manifests through: |
| 19 | +1. Kustomization configuration in `/config/manifests/kustomization.yaml` |
| 20 | +2. Reference to `../roles` resources |
| 21 | +3. Automatic generation in the final `bundle.yaml` during build |
| 22 | + |
| 23 | +## Available Roles |
| 24 | + |
| 25 | +The operator provides role definitions for the following resources across different scopes: |
| 26 | + |
| 27 | +### ConnectorClasses |
| 28 | +- **Scope**: Business Namespace |
| 29 | +- **Admin Role**: `cpaas:connectors-connectorclasses:business-ns:admin` |
| 30 | + - Full permissions on `connectorclasses` resources |
| 31 | + - Aggregates to: cluster-admin, platform-admin, business-ns scope |
| 32 | +- **View Role**: `cpaas:connectors-connectorclasses:business-ns:view` |
| 33 | + - Read-only permissions (get, list, watch) |
| 34 | + - Aggregates to: namespace-admin, namespace-developer, platform-auditor, project-admin, business-ns scope |
| 35 | + |
| 36 | +### Connectors (Cluster Scope) |
| 37 | +- **Scope**: Cluster-wide |
| 38 | +- **Admin Role**: `cpaas:connectors-cluster:cluster:admin` |
| 39 | + - Full permissions on cluster-scoped `connectors` resources |
| 40 | + - Aggregates to: cluster-admin, platform-admin |
| 41 | +- **View Role**: `cpaas:connectors-cluster:cluster:view` |
| 42 | + - Read-only permissions |
| 43 | + - Aggregates to: namespace-admin, namespace-developer, platform-auditor, project-admin |
| 44 | + |
| 45 | +### Connectors (Namespace Scope) |
| 46 | +- **Scope**: Business Namespace |
| 47 | +- **Admin Role**: `cpaas:connectors-namespaced:business-ns:admin` |
| 48 | + - Full permissions on namespaced `connectors` resources |
| 49 | + - Aggregates to: cluster-admin, namespace-admin, platform-admin, project-admin, business-ns scope |
| 50 | +- **View Role**: `cpaas:connectors-namespaced:business-ns:view` |
| 51 | + - Read-only permissions |
| 52 | + - Aggregates to: namespace-developer, platform-auditor, business-ns scope |
| 53 | + |
| 54 | +### Connectors (Project Scope) |
| 55 | +- **Scope**: Project Namespace |
| 56 | +- **Admin Role**: `cpaas:connectors-project:project-ns:admin` |
| 57 | + - Full permissions on project-scoped `connectors` resources |
| 58 | + - Aggregates to: cluster-admin, platform-admin, project-admin, project-ns scope |
| 59 | +- **View Role**: `cpaas:connectors-project:project-ns:view` |
| 60 | + - Read-only permissions |
| 61 | + - Aggregates to: namespace-admin, namespace-developer, platform-auditor, project-ns scope |
| 62 | + |
| 63 | +### ResourceInterfaces |
| 64 | +- **Scope**: Business Namespace |
| 65 | +- **Admin Role**: `cpaas:connectors-resourceinterfaces:business-ns:admin` |
| 66 | + - Full permissions on `resourceinterfaces` resources |
| 67 | + - Aggregates to: cluster-admin, platform-admin, business-ns scope |
| 68 | +- **View Role**: `cpaas:connectors-resourceinterfaces:business-ns:view` |
| 69 | + - Read-only permissions |
| 70 | + - Aggregates to: namespace-admin, namespace-developer, platform-auditor, project-admin, business-ns scope |
| 71 | + |
| 72 | +## Role Aggregation |
| 73 | + |
| 74 | +Roles use Kubernetes RBAC aggregation through labels: |
| 75 | +- `rbac.cpaas.io/aggregate-to-*`: Controls which platform roles inherit these permissions |
| 76 | +- `rbac.cpaas.io/aggregate-to-scope-*`: Defines the resource scope (cluster, business-ns, project-ns) |
| 77 | + |
| 78 | +This allows automatic permission inheritance without manual role binding updates. |
| 79 | + |
| 80 | +## Migration |
| 81 | + |
| 82 | +The roles in the `/config/roles` folder were migrated from the legacy permission system using: |
| 83 | + |
| 84 | +### Tools |
| 85 | +1. **permission-migrator**: [GitLab Repository](https://gitlab-ce.alauda.cn/devops/tech-research/permission-migrator) |
| 86 | +2. **Migration Guide**: [Documentation](https://gitlab-ce.alauda.cn/devops/tech-research/permission-migrator/-/blob/main/docs/MIGRATE.md#%E6%96%B0%E6%97%A7%E8%BD%AC%E6%8D%A2%E8%A7%84%E5%88%99) |
| 87 | + |
| 88 | +### Migration Process |
| 89 | +The migration ensured: |
| 90 | +- Backward compatibility with existing role assignments |
| 91 | +- Proper scope separation (cluster, namespace, project) |
| 92 | +- Correct aggregation labels for platform integration |
| 93 | +- Standardized naming conventions following the pattern: `cpaas:<resource>:<scope>:<permission-level>` |
| 94 | + |
| 95 | +## Usage |
| 96 | + |
| 97 | +When the operator is installed, these ClusterRoles are automatically created and begin aggregating into the appropriate system roles. Users assigned to platform roles (e.g., `platform-admin`, `namespace-developer`) will automatically receive the corresponding connector permissions. |
| 98 | + |
| 99 | +### Example |
| 100 | +A user with the `namespace-developer` role will automatically gain view permissions for: |
| 101 | +- ConnectorClasses |
| 102 | +- Connectors (in their namespace) |
| 103 | +- ResourceInterfaces |
| 104 | + |
| 105 | +No additional role bindings are required. |
| 106 | + |
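Review bot: the Usage example understates what `namespace-developer` receives and contradicts the role tables above it: "Connectors (in their namespace)" omits the cluster-scoped view role (`cpaas:connectors-cluster:cluster:view` aggregates to namespace-admin, namespace-developer, platform-auditor, project-admin) and the project-scoped view role (`cpaas:connectors-project:project-ns:view` aggregates to namespace-admin, namespace-developer, platform-auditor), so a namespace-developer can read every cluster-scoped `connectors` object and every project-scoped one, not only those in their own namespace. Please correct the example to list all three connector scopes and, since read access to cluster-scoped connectors is handed to every namespace-level role, state in the doc whether the cluster-scoped `connectors` spec or status carries anything that should be restricted (credential references, endpoint details), so the width of that grant can be reviewed deliberately rather than inherited by default. Two related documentation points: "Full permissions" is used for every admin role without saying which verbs the ClusterRoles in `/config/roles` actually grant (a `*` verb list includes `deletecollection`, which is rarely wanted), and only the ConnectorClasses view role spells out `get, list, watch`; list the verbs for each role so least-privilege can be checked against the manifests. Minor: the stated naming convention `cpaas:<resource>:<scope>:<permission-level>` does not match the names, which use `connectors-<resource>` as the second segment (e.g. `cpaas:connectors-connectorclasses:business-ns:admin`); the "Aggregates to" lists mix target platform roles with scope labels ("business-ns scope"), which the Role Aggregation section describes as two separate label families (`rbac.cpaas.io/aggregate-to-*` vs `rbac.cpaas.io/aggregate-to-scope-*`), so splitting them into two lines per role would read more accurately; and the Migration links point at an internal GitLab host, which will be dead links for anyone reading this doc outside that network.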