feature: Describe use of XC-based RBAC #248
Merged
7 commits
7ffc5c0
feature: Describe use of roles in N1C
mjang 416a516
Add default roles page
mjang cf75f0d
More
mjang ab25551
Merge branch 'main' into feature-rbac-n1c
mjang dd2b96b
Update content/nginx-one/rbac/rbac-api.md
mjang 40ed264
Apply suggestions from code review
mjang 2c3f87a
Merge branch 'main' into feature-rbac-n1c
ADubhlaoich
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
| docs: | ||
| files: | ||
| - content/nginx-one/rbac/overview.md | ||
| - content/nim/admin-guide/rbac/overview-rbac.md | ||
| --- | ||
| Role-based access control (RBAC) is a security system that governs access to resources within a software application. By assigning specific roles to users or groups, RBAC ensures that only authorized individuals have the ability to perform certain actions or access particular areas. | ||
|
|
||
| The value of RBAC lies in its ability to provide clear and structured control over what users can see and do. This makes it easier to maintain security, streamline user management, and ensure compliance with internal policies or regulations. By giving users only the permissions they need to fulfill their roles, RBAC reduces the risk of unauthorized access and fosters a more efficient and secure operating environment. | ||
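Review bot: the `files:` list in the front matter names `content/nim/admin-guide/rbac/overview-rbac.md`, but this PR only adds pages under `content/nginx-one/rbac/`; confirm that the NIM page exists and actually includes this snippet, otherwise the entry is stale metadata. In the prose, "a security system" undersells the concept; "an access-control model" is more precise, and the second paragraph could name least privilege explicitly, since "giving users only the permissions they need to fulfill their roles" is exactly that principle.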
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
| title: Role-based access control | ||
| description: | ||
| weight: 300 | ||
| url: /nginx-one/rbac | ||
| --- |
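Review bot: `description:` is left empty in this section index front matter; either supply a one-line description (the site metadata will otherwise render an empty string) or drop the key so the front matter does not advertise a field that is never filled.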
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| --- | ||
| description: | ||
| docs: | ||
| doctypes: | ||
| - reference | ||
| tags: | ||
| - docs | ||
| title: "Overview: Role-based access control" | ||
| toc: true | ||
| weight: 400 | ||
|
||
| --- | ||
|
|
||
| {{< include "security/rbac-intro.md" >}} | ||
|
|
||
| The NGINX One Console uses the **[F5 Distributed Cloud User Management](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt)** system for access controls and user permissions. | ||
| General information can be found on the User Management documentation for **[F5 Distributed Cloud](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt)**. This document provides guidance and reference material for utilizing those features to grant and restrict access within the NGINX One Console. | ||
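Review bot: the last two sentences both link to the same URL (https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt) under different link text; link it once and make the second sentence plain prose, e.g. "General information is in the F5 Distributed Cloud User Management documentation. This page covers how to use those features to grant and restrict access in the NGINX One Console." `description:` is also empty here, and since this is the entry page for RBAC it is the natural place for a one-sentence statement that access to the console is governed entirely by F5 Distributed Cloud roles, which the first paragraph only implies.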
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| --- | ||
| description: | ||
| docs: | ||
| doctypes: | ||
| - reference | ||
| tags: | ||
| - docs | ||
| title: "Overview: set up custom roles" | ||
| toc: true | ||
| weight: 500 | ||
|
||
| --- | ||
|
|
||
| Beyond [Default roles]({{< relref "/nginx-one/rbac/roles.md" >}}), you may need to set up custom roles. For convenience, we include a list of API groups that you could use to specify permissions for custom roles. | ||
|
|
||
| These are not NGINX One APIs. | ||
|
|
||
| ## F5 API groups for NGINX One | ||
|
|
||
| The following table lists the **[F5 XC roles](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles)** that you can use. These are narrowly scoped API Groups that align with all the features and functionality within the NGINX One Console. These groups can help you create custom roles tailored to your specific needs. | ||
|
|
||
| {{< note >}}If you create custom roles using the more granular API Groups, users may not have access until you add the corresponding API Groups to their roles.{{< /note >}} | ||
|
|
||
| | API Group Name | Level of Access | Description | | ||
| |-----------------------------------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------| | ||
| | f5xc-nginx-one-application-monitor | Read | View all features and data. | | ||
| | f5xc-nginx-one-application-settings | Write | View and update settings. | | ||
| | f5xc-nginx-one-application-write | Write | View and edit all features except settings. | | ||
| | f5xc-nginx-one-custom-all-instances-metric-read | Read | View metrics for all Instances. Required to see the Overview dashboard. | | ||
| | f5xc-nginx-one-custom-instance-list | Read | View list of all Instances. Also view summarized information such as certificate status and CVEs. | | ||
| | f5xc-nginx-one-custom-all-instances-manage | Write | View and delete all Instances. | | ||
| | f5xc-nginx-one-custom-instance-manage | Write | View and edit Instance details. | | ||
| | f5xc-nginx-one-custom-instance-read | Read | View Instance and configuration details. | | ||
| | f5xc-nginx-one-custom-certificate-manage | Write | View TSL/SSL certificate details. Create, update, and delete any managed certificates. | | ||
| | f5xc-nginx-one-custom-certificate-read | Read | View TLS/SSL certificates. | | ||
| | f5xc-nginx-one-custom-all-certificates-manage | Write | View all TLS/SSL certificates. Delete managed certificates. | | ||
| | f5xc-nginx-one-custom-data-plane-key-manage | Write | View, create, update, and delete any Data Plane Keys. Note: The actual Data Plane Key is shown _only_ when created. | | ||
| | f5xc-nginx-one-custom-data-plane-key-read | Read | View Data Plane Key Details. Note: The actual Data Plane Key is shown _only_ when created. | | ||
| | f5xc-nginx-one-custom-all-data-plane-keys-manage | Write | View and delete Data Plane Keys. | | ||
| | f5xc-nginx-one-custom-cve-read | Read | View NGINX CVEs. | | ||
| | f5xc-nginx-one-custom-config-sync-group-manage | Write | View, create, update, and delete Config Sync Groups. | | ||
| | f5xc-nginx-one-custom-config-sync-group-read | Read | View Config Sync Groups with details. | | ||
| | f5xc-nginx-one-custom-all-config-sync-groups-manage | Write | View and delete Config Sync Groups. | | ||
| | f5xc-nginx-one-custom-settings-manage | Write | View and update NGINX One Console Settings. | | ||
| | f5xc-nginx-one-custom-settings-read | Read | View NGINX One Console Settings. | | ||
| | f5xc-nginx-one-custom-event-read | Read | View NGINX One Events. | | ||
| | f5xc-nginx-one-custom-ai-assistant | Write | Interact with the NGINX One AI Assistant. | | ||
| | f5xc-nginx-one-custom-staged-config-manage | Write | View, create, update, and delete Staged Configs. | | ||
| | f5xc-nginx-one-custom-staged-config-read | Read | View Staged Configs. | | ||
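Review bot: the paragraph under "F5 API groups for NGINX One" says the table lists "F5 XC roles", but every row is an API group and the link target is the roles page; say "API groups" and, if one exists, link the XC API-groups documentation instead so readers do not conflate roles with the groups they are built from. Also: `TSL/SSL` in the `f5xc-nginx-one-custom-certificate-manage` row should be `TLS/SSL`; "These are not NGINX One APIs." needs a clause saying what they are (F5 Distributed Cloud API groups that gate access to NGINX One Console features); and `weight: 500` collides with the default-roles page added in this PR, so the sidebar order between the two is undefined. The descriptions of paired groups differ in scope (`f5xc-nginx-one-custom-all-instances-manage` is "View and delete all Instances" while `f5xc-nginx-one-custom-instance-manage` is "View and edit Instance details"), so the note about users lacking access until the corresponding groups are added would be clearer with one concrete example of which groups to combine for a typical least-privilege custom role.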
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| --- | ||
| description: | ||
| docs: | ||
| doctypes: | ||
| - reference | ||
| tags: | ||
| - docs | ||
| title: "Reference: default roles" | ||
| toc: true | ||
| weight: 500 | ||
|
||
| --- | ||
|
|
||
| ## Default Roles | ||
|
||
|
|
||
| We provide three default **[roles](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles)** that can be used for providing various access levels to the NGINX One Console. These roles will be automatically updated as new features are added to the NGINX One Console. Default roles can be scoped to specific namespaces. | ||
|
|
||
| ### Admin | ||
|
|
||
| The Admin role, identified as <code>f5xc-nginx-one-admin</code>, provides full read and write access to all endpoints and features within the NGINX One Console. | ||
|
|
||
| ### User | ||
|
|
||
| Our standard User role, listed as <code>f5xc-nginx-one-user</code> in the role list, provides read and write access to all endpoints and features, save for those considered to be administrator level. An example of an administrator level feature would be **[Instance Settings](https://docs.nginx.com/nginx-one/how-to/nginx-configs/clean-up-unavailable-instances/)** where unavailable instance clean up logic is set. | ||
|
|
||
| ### Monitor | ||
|
|
||
| Our read only or Monitor role, <code>f5xc-nginx-one-monitor</code>, grants read only access to all non-administrator features and endpoints within the NGINX One Console. | ||
|
|
||
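Review bot: "These roles will be automatically updated as new features are added" has a security consequence worth stating: users holding a default role gain access to each new feature without any administrator action, which is the trade-off against custom roles built from API groups, so one sentence contrasting the two would help readers choose. Also: `## Default Roles` repeats the page title, `weight: 500` duplicates the custom-roles page in this PR, the `<code>` tags around the role names should be markdown backticks for consistency with the markdown links used elsewhere in these pages, and "read only" should be "read-only" when it modifies "role" or "access". The Instance Settings example for User is useful; consider stating explicitly that Monitor cannot view that page either, if that is the case, since "non-administrator features" leaves it implicit.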