diff --git a/assemblies/assembly-install-rhdh-orchestrator-operator.adoc b/assemblies/assembly-install-rhdh-orchestrator-operator.adoc index b2ec9997ef..cc0d4e00fd 100644 --- a/assemblies/assembly-install-rhdh-orchestrator-operator.adoc +++ b/assemblies/assembly-install-rhdh-orchestrator-operator.adoc @@ -15,4 +15,8 @@ include::modules/orchestrator/proc-enable-orchestrator-plugin.adoc[leveloffset=+ include::modules/orchestrator/proc-upgrading-the-orchestrator-plugin.adoc[leveloffset=+1] -include::modules/orchestrator/proc-upgrading-the-openshift-serverless-logic-operator.adoc[leveloffset=+1] \ No newline at end of file +include::modules/orchestrator/proc-upgrading-the-openshift-serverless-logic-operator.adoc[leveloffset=+1] + +include::modules/orchestrator/ref-orchestrator-plugin-permissions.adoc[leveloffset=+1] + +include::modules/orchestrator/proc-managing-orchestrator-plugin-permissions-using-rbac-policies.adoc[leveloffset=+1] \ No newline at end of file diff --git a/modules/orchestrator/proc-managing-orchestrator-plugin-permissions-using-rbac-policies.adoc b/modules/orchestrator/proc-managing-orchestrator-plugin-permissions-using-rbac-policies.adoc new file mode 100644 index 0000000000..758bccb55b --- /dev/null +++ b/modules/orchestrator/proc-managing-orchestrator-plugin-permissions-using-rbac-policies.adoc 
@@ -0,0 +1,77 @@ +:_mod-docs-content-type: PROCEDURE + +[id="proc-managing-orchestrator-plugin-permissions-using-rbac-policies_{context}"] += Managing Orchestrator plugin permissions using RBAC policies + +You can configure Role-Based Access Control (RBAC) policies so that users can view workflow details without the permission to run those workflows. This configuration restricts user interaction to authorized workflows. + +.Prerequisites +. You have identified the [`workflowId`] for each workflow you want to restrict. +. You have enabled the RBAC plugin. +. You have configured the `policies-csv-file` path in your `{my-app-config-file}`. + +.Procedure +. Identify the `workflowId` from your workflow definition file: ++ +[source,yaml] +---- +id: greeting +version: '1.0' +---- +. In your RBAC policy CSV file, define the permissions using the `p, role, permission, action, allow` format. ++ +[NOTE] +==== +Generic permissions (for example, `orchestrator.workflow`) take precedence over specific permissions targeting a `workflowId`, (for example, `orchestrator.workflow.greeting`). You cannot grant generic access and then selectively deny a specific ID. +==== + +. 
Add the following example policies to your CSV file to establish basic user and administrator roles: ++ +[source,csv] +---- +# Minimal user role - can only view and run specific workflows +p, role:default/workflowUser, orchestrator.workflow.greeting, read, allow +p, role:default/workflowUser, orchestrator.workflow.use.greeting, update, allow + +# Support role - can view all workflows and instances, but not execute +p, role:default/workflowSupport, orchestrator.workflow, read, allow +p, role:default/workflowSupport, orchestrator.instanceAdminView, read, allow + +# Full admin role - complete access to all Orchestrator functions +p, role:default/workflowAdmin, orchestrator.workflow, read, allow +p, role:default/workflowAdmin, orchestrator.workflow.use, update, allow +p, role:default/workflowAdmin, orchestrator.workflowAdminView, read, allow +p, role:default/workflowAdmin, orchestrator.instanceAdminView, read, allow + +# Assign users to the roles +g, user:default/example_user, role:default/workflowUser +---- +. In your {product-very-short} `{my-app-config-file}` file, enable permissions by adding the `orchestrator` plugin to the `rbac` section and setting `policyFileReload` to `true`. ++ +[source,yaml,subs="+attributes,+quotes"] +---- +permission: + enabled: true + rbac: + policies-csv-file: + pluginsWithPermission: + - orchestrator + policyFileReload: true + admin: + users: + - name: user:default/YOUR_USER +---- +. Restart the application to apply the changes. + +.Verification +. Log in as a user assigned to the `workflowUser` role. +. Navigate to the Orchestrator plugin and verify that the workflow appears in the list. + +[IMPORTANT] +==== +You can view dynamic permissions containing a `workflowId` in the RBAC UI, but you cannot modify them in the interface. You must use the policy CSV file or the RBAC API to manage these specific workflow permissions. 
+==== + +[role="_additional-resources"] +.Additional resources +* link:https://www.casbin.org/docs/rbac[RBAC documentation]. \ No newline at end of file diff --git a/modules/orchestrator/ref-orchestrator-plugin-permissions.adoc b/modules/orchestrator/ref-orchestrator-plugin-permissions.adoc new file mode 100644 index 0000000000..ca2d9bcb80 --- /dev/null +++ b/modules/orchestrator/ref-orchestrator-plugin-permissions.adoc 
@@ -0,0 +1,70 @@ +:_mod-docs-content-type: REFERENCE + +[id="ref-orchestrator-plugin-permissions_{context}"] += Orchestrator plugin permissions + +The Orchestrator plugin uses the {product} permission mechanism and the Role-Based Access Control (RBAC) plugin to restrict access to backend endpoints. Orchestrator supports decoupling visibility (read) from running (update) using specific workflow IDs instead of generic permissions. + +[cols="20%,15%,15,50%", frame="all", options="header"] +|=== +|Permission name|Resource Type|Policy|Description + +|`orchestrator.workflow` +|named resource +|read +|Lists and reads all workflow definitions. + +Lists and reads their instances + +|`orchestrator.workflow.[workflowId]` +|named resource +|read +|Lists and reads a specific workflow definition. + +Lists and reads instances created for this particular workflow. + +|`orchestrator.workflow.use` +|named resource +|update +|Runs or aborts any workflow. + +|`orchestrator.workflow.use.[workflowId]` +|named resource +|update +|Runs or aborts a specific workflow. + +|`orchestrator.workflowAdminView` +|named resource +|read +|Views instance variables and the workflow definition editor. + +|`orchestrator.instanceAdminView` +|named resource +|read +|Views all workflow instances, including those created by other users. +|=== + +[WARNING] +==== +Generic permissions override specific denial policies within the same action type. To maintain granular control, avoid granting generic permissions if you intend to restrict specific workflows. + +* Granting `orchestrator.workflow` (read) prevents you from denying access to `orchestrator.workflow.[workflowId]` (read). +* Granting `orchestrator.workflow.use` (update) prevents you from denying access to `orchestrator.workflow.use.[workflowId]` (update). +==== + +The [`workflowId`] must match the unique identifier in your workflow definition file. 
For example, in the workflow definition below, the identifier is `greeting`: + +[source,yaml,subs="+attributes,+quotes"] +---- +id: greeting +version: '1.0' +specVersion: '0.8' +name: Greeting workflow +description: YAML based greeting workflow +annotations: + - 'workflow-type/infrastructure' +dataInputSchema: 'schemas/greeting.sw.input-schema.json' +extensions: + - extensionid: workflow-output-schema + outputSchema: schemas/workflow-output-schema.json +---- \ No newline at end of file
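Review bot: (assembly-install-rhdh-orchestrator-operator.adoc hunk) the file still ends without a trailing newline after the change; the last added line `+include::modules/orchestrator/proc-managing-orchestrator-plugin-permissions-using-rbac-policies.adoc[leveloffset=+1]` is again marked `\ No newline at end of file`, so the next append to this assembly will produce the same noisy `-`/`+` pair for an otherwise unchanged include line. Add a final newline while touching the file. The ordering of the two new includes (reference before procedure) is fine.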
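Review bot: (proc-managing-orchestrator-plugin-permissions-using-rbac-policies.adoc hunk) the app-config example leaves `policies-csv-file:` with an empty value, even though the prerequisites say the path must already be configured; an empty key is not a valid illustration of the setting and a reader may copy it as-is. Use a labelled placeholder such as `policies-csv-file: /path/to/rbac-policy.csv` with the same `subs="+quotes"` convention as `YOUR_USER`. Two smaller points in the same hunk: the procedure both sets `policyFileReload: true` and ends with "Restart the application to apply the changes", so state that the restart is for the `{my-app-config-file}` change and that subsequent edits to the CSV file are picked up without a restart (this also makes write access to that file security-relevant and worth a sentence); and the Verification section only checks that the workflow appears for a `workflowUser`, so it never exercises the restriction the procedure is about; add a check that a workflow not listed in the policy is absent for that user. Nit: the prerequisite reads "the [`workflowId`]"; drop the stray square brackets around the code literal.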
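Review bot: (ref-orchestrator-plugin-permissions.adoc hunk) the description of `orchestrator.workflow` (read) says "Lists and reads their instances", while `orchestrator.instanceAdminView` (read) is described as "Views all workflow instances, including those created by other users"; as written it is unclear whether the generic read permission already exposes every instance or only the current user's, which is exactly the scoping a reader of a permissions reference needs to know. State explicitly whose instances `orchestrator.workflow` and `orchestrator.workflow.[workflowId]` cover, and add the missing period to "Lists and reads their instances". Formatting: the column spec `cols="20%,15%,15,50%"` mixes a unit-less `15` with percentages, so the third column is interpreted as a proportional weight rather than 15%; make it `15%`. Nit: "The [`workflowId`] must match" has the same stray square brackets as the procedure module, and the header "Resource Type" is capitalised differently from "Permission name".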