diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index 573e48d07a..70d970f799 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -36,17 +36,10 @@ include::assembly-managing-authorizations-by-using-the-rhdh-web-ui.adoc[leveloff include::assembly-managing-authorizations-by-using-the-rest-api.adoc[leveloffset=+1] -include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1] - - -include::modules/authorization/con-rbac-config-permission-policies.adoc[leveloffset=+2] - +include::assembly-managing-authorizations-by-using-external-files.adoc[leveloffset=+1] -include::modules/authorization/con-rbac-config-permission-policies-external-file.adoc[leveloffset=+3] -include::modules/authorization/proc-mounting-the-policy-csv-file-using-the-operator.adoc[leveloffset=+4] - -include::modules/authorization/proc-mounting-the-policy-csv-file-using-helm.adoc[leveloffset=+4] +include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1] include::modules/authorization/con-rbac-conditional-policies-rhdh.adoc[leveloffset=+1] @@ -55,9 +48,6 @@ include::modules/authorization/con-rbac-conditional-policies-rhdh.adoc[leveloffs include::modules/authorization/ref-rbac-conditional-policy-definition.adoc[leveloffset=+2] -include::modules/authorization/proc-rbac-config-conditional-policy-file.adoc[leveloffset=+2] - - include::modules/authorization/con-user-stats-rhdh.adoc[leveloffset=+1] diff --git a/assemblies/assembly-managing-authorizations-by-using-external-files.adoc b/assemblies/assembly-managing-authorizations-by-using-external-files.adoc new file mode 100644 index 0000000000..a6fbe8fe81 --- /dev/null +++ b/assemblies/assembly-managing-authorizations-by-using-external-files.adoc 
@@ -0,0 +1,10 @@ +[id='managing-authorizations-by-using-external-files'] += Managing authorizations by using external files + +To automate {product} maintenance, you can configure permissions and roles in external files, before starting {product-short}. + + +include::modules/authorization/proc-defining-authorizations-in-external-files-by-using-the-operator.adoc[leveloffset=+1] + +include::modules/authorization/proc-defining-authorizations-in-external-files-by-using-helm.adoc[leveloffset=+1] + diff --git a/assemblies/assembly-managing-authorizations-by-using-the-rhdh-web-ui.adoc b/assemblies/assembly-managing-authorizations-by-using-the-rhdh-web-ui.adoc index 88655ee776..8fab6a121b 100644 --- a/assemblies/assembly-managing-authorizations-by-using-the-rhdh-web-ui.adoc +++ b/assemblies/assembly-managing-authorizations-by-using-the-rhdh-web-ui.adoc @@ -1,4 +1,4 @@ -[id='proc-rbac-ui-manage-roles_{context}'] +[id='managing-authorizations-by-using-the-web-ui'] = Managing role-based access controls (RBAC) using the {product} Web UI Policy administrators can use the {product-short} web interface (Web UI) to allocate specific roles and permissions to individual users or groups. Allocating roles ensures that access to resources and functionalities is regulated across the {product-short}. diff --git a/modules/authorization/con-rbac-config-permission-policies-external-file.adoc b/modules/authorization/con-rbac-config-permission-policies-external-file.adoc deleted file mode 100644 index 6ef78a60c0..0000000000 --- a/modules/authorization/con-rbac-config-permission-policies-external-file.adoc +++ /dev/null 
@@ -1,66 +0,0 @@ -[id='con-rbac-config-permission-policies-external-file_{context}'] -= Configuration of permission policies defined in an external file - -You can configure the permission policies before starting the {product}. If permission policies are defined in an external file, then you can import the same file in the {product-short}. You must define the permission policies using the following Casbin rules format: - -[source,format] ---- -`p, , , , ` ---- - -You can define roles using the following Casbin rules format: - -[source,format] ---- -`g, , ` ---- - -[NOTE] -==== -For information about the Casbin rules format, see https://casbin.org/docs/category/the-basics[Basics of Casbin rules]. -==== - -The following is an example of permission policies configuration: - -[source,csv] ---- -`p, role:default/guests, catalog-entity, read, allow` - -`p, role:default/guests, catalog.entity.create, create, allow` - -`g, user:default/, role:default/guests` - -`g, group:default/, role:default/guests` ---- - -If a defined permission does not contain an action associated with it, then add `use` as a policy. See the following example: - -[source,csv] ---- -`p, role:default/guests, kubernetes.proxy, use, allow` ---- - -You can define the `policy.csv` file path in the `app-config.yaml` file: - -[source,yaml] ----- -permission: - enabled: true - rbac: - policies-csv-file: /some/path/rbac-policy.csv ----- - -You can use an optional configuration value that enables reloading the CSV file without restarting the {product-short} instance. - -Set the value of the `policyFileReload` option in the `app-config.yaml` file: - -[source,yaml] ----- -# ... -permission: - enabled: true - rbac: - policies-csv-file: /some/path/rbac-policy.csv - policyFileReload: true - # ... ----- diff --git a/modules/authorization/con-rbac-config-permission-policies.adoc b/modules/authorization/con-rbac-config-permission-policies.adoc deleted file mode 100644 index af03c52bba..0000000000 
--- a/modules/authorization/con-rbac-config-permission-policies.adoc +++ /dev/null @@ -1,7 +0,0 @@ -[id='con-rbac-config-permission-policies_{context}'] -= Permission policies configuration - -There are two approaches to configure the permission policies in {product}, including: - -* Configuration of permission policies administrators -* Configuration of permission policies defined in an external file diff --git a/modules/authorization/proc-defining-authorizations-in-external-files-by-using-helm.adoc b/modules/authorization/proc-defining-authorizations-in-external-files-by-using-helm.adoc new file mode 100644 index 0000000000..0f5f9e96f1 --- /dev/null +++ b/modules/authorization/proc-defining-authorizations-in-external-files-by-using-helm.adoc 
@@ -0,0 +1,105 @@ +[id='defining-authorizations-in-external-files-by-using-helm'] += Defining authorizations in external files by using Helm + +To automate {product} maintenance, you can define permissions and roles in external files, before starting {product-short}. +You need to prepare your files, upload them to your {ocp-short} project, +and configure {product-short} to use the external files. + +.Prerequisites +* xref:enabling-and-giving-access-to-rbac[You enabled the RBAC feature]. + +.Procedure +. Define your policies in a `rbac-policies.csv` CSV file by using the following format: + +.. Define role permissions: ++ +[source,csv,subs="+quotes"] +---- +p, __, __, __, __ +---- + +__:: +Role entity reference, such as: `role:default/guest`. + +__:: +Permission, such as: `bulk.import`, `catalog.entity.read`, or `catalog.entity.refresh`, or permission resource type, such as: `bulk-import` or `catalog-entity`. ++ +See: xref:ref-rbac-permission-policies_{context}[Permission policies reference]. +__:: +Action type, such as: `use`, `read`, `create`, `update`, `delete`. + +__:: +Access granted: `allow` or `deny`. + +.. Assign the role to a group or a user: ++ +[source,csv,subs="+quotes"] +---- +g, __, __ +---- + +__:: +Group, such as: `user:default/mygroup`, or user, such as: `user:default/myuser`. ++ +.Sample `rbac-policies.csv` +[source,csv,subs="+quotes"] +---- +p, role:default/guests, catalog-entity, read, allow +p, role:default/guests, catalog.entity.create, create, allow +g, user:default/my-user, role:default/guests +g, group:default/my-group, role:default/guests +---- + +. Define your conditional policies in a `rbac-conditional-policies.yaml` YAML file by using the following format: ++ +[source,yaml,subs="+quotes"] +---- +result: CONDITIONAL +roleEntityRef: __ +pluginId: __ +permissionMapping: + - read + - update + - delete +conditions: __ +---- ++ +See: xref:ref-rbac-conditional-policy-definition_{context}[Conditional policies reference]. + +. 
Upload your `rbac-policies.csv` and `rbac-conditional-policies.yaml` files to a `rbac-policies` config map in your {ocp-short} project containing {product-short}. ++ +[source,terminal] +---- +$ oc create configmap rbac-policies \ + --from-file=rbac-policies.csv \ + --from-file=rbac-conditional-policies.yaml +---- + +. Update your {product-short} `Backstage` Helm chart to mount in the {product-short} filesystem your files from the `rbac-policies` config map: + +.. In the {product-short} Helm Chart, go to *Root Schema -> Backstage chart schema -> Backstage parameters -> Backstage container additional volume mounts*. + +.. Select *Add Backstage container additional volume mounts* and add the following values: + +mountPath:: `/opt/app-root/src` +Name:: `rbac-policies` + +.. Add the RBAC policy to the *Backstage container additional volumes* in the {product-short} Helm Chart: + +name:: `rbac-policies` +configMap:: +defaultMode::: `420` +name::: `rbac-policies` + +. Update your {product-short} `app-config.yaml` configuration file to use the `rbac-policies.csv` and `rbac-conditional-policies.yaml` external files: ++ +.`app-config.yml` fragment +[source,yaml] +---- +permission: + enabled: true + rbac: + conditionalPoliciesFile: /opt/app-root/src/rbac-conditional-policies.yaml + policies-csv-file: /opt/app-root/src/rbac-policies.csv + policyFileReload: true +---- diff --git a/modules/authorization/proc-defining-authorizations-in-external-files-by-using-the-operator.adoc b/modules/authorization/proc-defining-authorizations-in-external-files-by-using-the-operator.adoc new file mode 100644 index 0000000000..d4ad3db5d5 --- /dev/null +++ b/modules/authorization/proc-defining-authorizations-in-external-files-by-using-the-operator.adoc 
@@ -0,0 +1,104 @@ +[id='defining-authorizations-in-external-files-by-using-the-operator'] += Defining authorizations in external files by using the operator + +To automate {product} maintenance, you can define permissions and roles in external files, before starting {product-short}. +You need to prepare your files, upload them to your {ocp-short} project, +and configure {product-short} to use the external files. + +.Prerequisites +* xref:enabling-and-giving-access-to-rbac[You enabled the RBAC feature]. + +.Procedure +. Define your policies in a `rbac-policies.csv` CSV file by using the following format: + +.. Define role permissions: ++ +[source,csv,subs="+quotes"] +---- +p, __, __, __, __ +---- + +__:: +Role entity reference, such as: `role:default/guest`. + +__:: +Permission, such as: `bulk.import`, `catalog.entity.read`, or `catalog.entity.refresh`, or permission resource type, such as: `bulk-import` or `catalog-entity`. ++ +See: xref:ref-rbac-permission-policies_{context}[Permission policies reference]. +__:: +Action type, such as: `use`, `read`, `create`, `update`, `delete`. + +__:: +Access granted: `allow` or `deny`. + +.. Assign the role to a group or a user: ++ +[source,csv,subs="+quotes"] +---- +g, __, __ +---- + +__:: +Group, such as: `user:default/mygroup`, or user, such as: `user:default/myuser`. ++ +.Sample `rbac-policies.csv` +[source,csv,subs="+quotes"] +---- +p, role:default/guests, catalog-entity, read, allow +p, role:default/guests, catalog.entity.create, create, allow +g, user:default/my-user, role:default/guests +g, group:default/my-group, role:default/guests +---- + +. Define your conditional policies in a `rbac-conditional-policies.yaml` YAML file by using the following format: ++ +[source,yaml,subs="+quotes"] +---- +result: CONDITIONAL +roleEntityRef: __ +pluginId: __ +permissionMapping: + - read + - update + - delete +conditions: __ +---- ++ +See: xref:ref-rbac-conditional-policy-definition_{context}[Conditional policies reference]. + +. 
Upload your `rbac-policies.csv` and `rbac-conditional-policies.yaml` files to a `rbac-policies` config map in your {ocp-short} project containing {product-short}. ++ +[source,terminal] +---- +$ oc create configmap rbac-policies \ + --from-file=rbac-policies.csv \ + --from-file=rbac-conditional-policies.yaml +---- + +. Update your {product-short} `Backstage` custom resource to mount in the {product-short} filesystem your files from the `rbac-policies` config map: ++ +.`Backstage` Custom resource fragment +[source,yaml] +---- +apiVersion: rhdh.redhat.com/v1alpha1 +kind: Backstage +spec: + application: + extraFiles: + mountPath: /opt/app-root/src + configMaps: + - name: rbac-policies +---- + +. Update your {product-short} `app-config.yaml` configuration file to use the `rbac-policies.csv` and `rbac-conditional-policies.yaml` external files: ++ +.`app-config.yml` fragment +[source,yaml] +---- +permission: + enabled: true + rbac: + conditionalPoliciesFile: /opt/app-root/src/rbac-conditional-policies.yaml + policies-csv-file: /opt/app-root/src/rbac-policies.csv + policyFileReload: true +---- diff --git a/modules/authorization/proc-mounting-the-policy-csv-file-using-helm.adoc b/modules/authorization/proc-mounting-the-policy-csv-file-using-helm.adoc deleted file mode 100644 index 1d75250ea7..0000000000 --- a/modules/authorization/proc-mounting-the-policy-csv-file-using-helm.adoc +++ /dev/null 
@@ -1,66 +0,0 @@ -[id='proc-mounting-the-policy-csv-file-using-helm_{context}'] -= Mounting `policy.csv` file to the {product-short} Helm chart - -When the {product} is deployed with the Helm chart, you must define the `policy.csv` file by mounting it to the {product-short} Helm chart. - -You can add your `policy.csv` file to the {product-short} Helm Chart by creating a `configMap` and mounting it. - -.Prerequisites - -* You are logged in to your {ocp-short} account using the {ocp-short} web console. -* {product} is installed and deployed using Helm Chart. -+ -//For more information about installing the {product} on {ocp-short} using Helm Chart, see xref:proc-install-rhdh-ocp-helm_{context}[]. -//replace with a link to the installation guide. - -.Procedure - -. In {ocp-short}, create a ConfigMap to hold the policies as shown in the following example: -+ --- -.Example `ConfigMap` -[source,yaml] ----- -kind: ConfigMap -apiVersion: v1 -metadata: - name: rbac-policy - namespace: rhdh -data: - rbac-policy.csv: | - p, role:default/guests, catalog-entity, read, allow - p, role:default/guests, catalog.entity.create, create, allow - - g, user:default/, role:default/guests ----- --- - -. In the {product-short} Helm Chart, go to *Root Schema -> Backstage chart schema -> Backstage parameters -> Backstage container additional volume mounts*. -. Select *Add Backstage container additional volume mounts* and add the following values: -+ --- -* *mountPath*: `opt/app-root/src/rbac` -* *Name*: `rbac-policy` --- - -. Add the RBAC policy to the *Backstage container additional volumes* in the {product-short} Helm Chart: -+ --- -* *name*: `rbac-policy` -* *configMap* -** *defaultMode*: `420` -** *name*: `rbac-policy` --- - -. Update the policy path in the `app-config.yaml` file as follows: -+ --- -.Example `app-config.yaml` file -[source,yaml] ----- -permission: - enabled: true - rbac: - policies-csv-file: ./rbac/rbac-policy.csv ----- --- 
diff --git a/modules/authorization/proc-mounting-the-policy-csv-file-using-the-operator.adoc b/modules/authorization/proc-mounting-the-policy-csv-file-using-the-operator.adoc deleted file mode 100644 index 617d41a187..0000000000 --- a/modules/authorization/proc-mounting-the-policy-csv-file-using-the-operator.adoc +++ /dev/null 
@@ -1,84 +0,0 @@ -[id='proc-mounting-the-policy-csv-file-using-the-operator_{context}'] -= Mounting `policy.csv` file using the {product-short} Operator - -When the {product} is deployed with the Operator, you can add your `policy.csv` file using the {product-short} Operator by creating a `ConfigMap` and mounting it through your Custom Resource (CR). - -.Prerequisites - -* You are logged in to your {ocp-short} account using the {ocp-short} web console. -* {product} is installed and deployed using the Operator. -* You have added a custom configuration file to {ocp-short}. For more information, see link:{LinkAdminGuide}[Adding a custom configuration file to {ocp-short}]. -+ -//For more information about installing the {product} on {ocp-short} using the Operator, see xref:proc-install-rhdh-ocp-operator_{context}[]. -//replace with a link to the installation guide. - -.Procedure - -. In {ocp-short}, create a ConfigMap to hold the policies as shown in the following example: -+ --- -.Example `ConfigMap` -[source,yaml] ----- -kind: ConfigMap -apiVersion: v1 -metadata: - name: rbac-policy -data: - rbac-policy.csv: | - p, role:default/guests, catalog-entity, read, allow - p, role:default/guests, catalog.entity.create, create, allow - - g, user:default/, role:default/guests ----- --- - -. Update the policy path in your custom `app-config.yaml` ConfigMap as follows: -+ --- -.Example `app-config.yaml` file -[source,yaml] ----- -permission: - enabled: true - rbac: - policies-csv-file: ./rbac-policy.csv ----- --- - -. From the *Developer* perspective in the {ocp-short} web console, select the *Topology* view. -. Click the overflow menu for the {product} instance that you want to use and select *Edit Backstage* to load the YAML view of the {product} instance. -. In the CR, enter the name of the custom `rbac-policy` ConfigMap as the value for the `spec.application.extraFiles.configMaps` field. 
For example: -+ -.Example custom resource -[source, yaml] ----- -apiVersion: rhdh.redhat.com/v1alpha1 -kind: Backstage -metadata: - name: example -spec: - application: - appConfig: - mountPath: /opt/app-root/src - configMaps: - - name: app-config-rhdh - extraEnvs: - secrets: - - name: secrets-rhdh - extraFiles: - mountPath: /opt/app-root/src - configMaps: - - name: rbac-policy - replicas: 1 - route: - enabled: true - database: - enableLocalDb: true ----- -. Click *Save*. - -.Verification - -. Navigate back to the *Topology* view and wait for the {product} pod to start. -. Click the *Open URL* icon to access the {product} platform with the updated configuration settings. diff --git a/modules/authorization/proc-rbac-config-conditional-policy-file.adoc b/modules/authorization/proc-rbac-config-conditional-policy-file.adoc deleted file mode 100644 index 07c611bb2d..0000000000 --- a/modules/authorization/proc-rbac-config-conditional-policy-file.adoc +++ /dev/null 
@@ -1,166 +0,0 @@ -[id='proc-rbac-config-conditional-policy-file_{context}'] -= Configuring conditional policies defined in an external file - -You can configure and manage conditional policies that are defined in an external file. To define conditional policies, you can directly edit the configuration files and pass them to {product-short}, instead of using the {product-short} web UI or API. You can configure {product-short} to use these files instead of the default files. - -.Prerequisites -* You are logged in to your {ocp-short} account using the {ocp-short} web console. -* You have defined roles and associated policies in a CSV file that serves as a basis for creating roles and permissions. Ensure that you mount the CSV file to {product-short}. -+ -For more information, see xref:ref-rbac-conditional-policy-definition_title-authorization[Conditional policies definition] and xref:con-rbac-config-permission-policies-external-file_title-authorization[Configuration of permission policies defined in an external file]. - -.Procedure - -. Define conditional policies in a YAML file, which includes role references, permission mappings, and conditions. -+ --- -The following is an example of a YAML file defining conditional policies: - -.Example YAML file defining conditional policies -[source,yaml] ----- ---- -result: CONDITIONAL -roleEntityRef: 'role:default/test' -pluginId: catalog -resourceType: catalog-entity -permissionMapping: - - read - - update -conditions: - rule: IS_ENTITY_OWNER - resourceType: catalog-entity - params: - claims: - - 'group:default/team-a' - - 'group:default/team-b' ---- -result: CONDITIONAL -roleEntityRef: 'role:default/test' -pluginId: catalog -resourceType: catalog-entity -permissionMapping: - - delete -conditions: - rule: IS_ENTITY_OWNER - resourceType: catalog-entity - params: - claims: - - 'group:default/team-a' ----- --- -. 
In {ocp-short}, create a ConfigMap to hold the policies as shown in the following example: -+ --- -.Example ConfigMap -[source, yaml] ----- -kind: ConfigMap -apiVersion: v1 -metadata: - name: rbac-conditional-policy - namespace: rhdh -data: - rbac-policy.yaml: | - p, role:default/guests, catalog-entity, read, allow - - result: CONDITIONAL - roleEntityRef: 'role:default/test' - pluginId: catalog - resourceType: catalog-entity - permissionMapping: - - read - - update - conditions: - rule: IS_ENTITY_OWNER - resourceType: catalog-entity - params: - claims: - - 'group:default/team-a' - - 'group:default/team-b' ----- --- - -. Open `app-config.yaml` file and specify the path to `conditionalPoliciesFile` as shown in the following example: -+ --- -.Example `app-config.yaml` file -[source,yaml] ----- -permission: - enabled: true - rbac: - conditionalPoliciesFile: /some/path/conditional-policies.yaml ----- --- - -. To enable automatic reloading of the policy file without restarting the application, add the `policyFileReload` option and set it to `true`: -+ --- -.Example `app-config.yaml` file -[source,yaml] ----- -permission: - enabled: true - rbac: - conditionalPoliciesFile: /some/path/conditional-policies.yaml - policies-csv-file: /some/path/rbac-policy.csv - policyFileReload: true ----- --- - -. Optional: Define nested conditional policies in the YAML file as needed. 
-+ --- -.Example for nested conditional policies -[source,yaml] ----- -{ - "result": "CONDITIONAL", - "roleEntityRef": "role:default/developer", - "pluginId": "catalog", - "resourceType": "catalog-entity", - "permissionMapping": ["delete"], - "conditions": { - "allOf": [ - { - "anyOf": [ - { - "rule": "IS_ENTITY_KIND", - "resourceType": "catalog-entity", - "params": { - "kinds": [ - "group" - ] - } - }, - { - "rule": "IS_ENTITY_OWNER", - "resourceType": "catalog-entity", - "params": { - "claims": [ - "$ownerRefs" - ] - } - } - ] - }, - { - "not": { - "rule": "IS_ENTITY_KIND", - "resourceType": "catalog-entity", - "params": { - "kinds": [ - "api" - ] - } - } - } - ] -} -} ----- - -In the previous example, the `role:default/developer` is granted the condition to delete catalog entities only if they are the entity owner or if the catalog entity belongs to a group. However, this condition does not apply if the catalog entity is an API. --- - diff --git a/modules/authorization/ref-rbac-conditional-policy-definition.adoc b/modules/authorization/ref-rbac-conditional-policy-definition.adoc index 464e6486f5..e684c01986 100644 --- a/modules/authorization/ref-rbac-conditional-policy-definition.adoc +++ b/modules/authorization/ref-rbac-conditional-policy-definition.adoc @@ -1,5 +1,5 @@ [id='ref-rbac-conditional-policy-definition_{context}'] -= Conditional policies definition += Conditional policies reference You can access API endpoints for conditional policies in {product}. For example, to retrieve the available conditional rules, which can help you define these policies, you can access the `GET [api/plugins/condition-rules]` endpoint. diff --git a/modules/authorization/ref-rbac-permission-policies.adoc b/modules/authorization/ref-rbac-permission-policies.adoc index 275b6e0f77..90f614157c 100644 --- a/modules/authorization/ref-rbac-permission-policies.adoc +++ b/modules/authorization/ref-rbac-permission-policies.adoc 
@@ -1,5 +1,5 @@ [id='ref-rbac-permission-policies_{context}'] -= Permission policies in {product} += Permission policies reference Permission policies in {product} are a set of rules to govern access to resources or functionalities. These policies state the authorization level that is granted to users based on their roles. The permission policies are implemented to maintain security and confidentiality within a given environment. @@ -31,10 +31,11 @@ p, role:default/myrole, catalog.entity.create, create, allow g, user:default/myuser, role:default/myrole ---- -The following permission policies are supported in the {product-short}: +{product-short} supports following permission policies: Catalog permissions:: +.Catalog permissions [cols="15%,25%,15%,45%", frame="all", options="header"] |=== |Name @@ -44,42 +45,43 @@ Catalog permissions:: |`catalog.entity.read` |`catalog-entity` -|read +|`read` |Allows user or role to read from the catalog |`catalog.entity.create` | -|create +|`create` |Allows user or role to create catalog entities, including registering an existing component in the catalog |`catalog.entity.refresh` |`catalog-entity` -|update +|`update` |Allows user or role to refresh a single or multiple entities from the catalog |`catalog.entity.delete` |`catalog-entity` -|delete +|`delete` |Allows user or role to delete a single or multiple entities from the catalog |`catalog.location.read` | -|read +|`read` |Allows user or role to read a single or multiple locations from the catalog |`catalog.location.create` | -|create +|`create` |Allows user or role to create locations within the catalog |`catalog.location.delete` | -|delete +|`delete` |Allows user or role to delete locations from the catalog |=== Bulk import permissions:: +.Bulk import permissions [cols="15%,25%,15%,45%", frame="all", options="header"] |=== |Name 
@@ -89,13 +91,14 @@ Bulk import permissions:: |`bulk.import` |`bulk-import` -| +|`use` |Allows the user to access the bulk import endpoints, such as listing all repositories and organizations accessible by all GitHub integrations and managing the import requests. |=== Scaffolder permissions:: +.Scaffolder permissions [cols="15%,25%,15%,45%", frame="all", options="header"] |=== |Name @@ -105,37 +108,38 @@ Scaffolder permissions:: |`scaffolder.action.execute` |`scaffolder-action` -| +|`use` |Allows the execution of an action from a template |`scaffolder.template.parameter.read` |`scaffolder-template` -|read +|`read` |Allows user or role to read a single or multiple one parameters from a template |`scaffolder.template.step.read` |`scaffolder-template` -|read +|`read` |Allows user or role to read a single or multiple steps from a template |`scaffolder.task.create` | -|create +|`create` |Allows the user or role to trigger software templates which create new scaffolder tasks |`scaffolder.task.cancel` | -| +|`use` |Allows the user or role to cancel currently running scaffolder tasks |`scaffolder.task.read` | -|read +|`read` |Allows user or role to read all scaffolder tasks and their associated events and logs |=== RBAC permissions:: +.RBAC permissions [cols="15%,25%,15%,45%", frame="all", options="header"] |=== |Name 
@@ -145,27 +149,28 @@ RBAC permissions:: |`policy.entity.read` |`policy-entity` -|read +|`read` |Allows user or role to read permission policies and roles |`policy.entity.create` |`policy-entity` -|create +|`create` |Allows user or role to create a single or multiple permission policies and roles |`policy.entity.update` |`policy-entity` -|update +|`update` |Allows user or role to update a single or multiple permission policies and roles |`policy.entity.delete` |`policy-entity` -|delete +|`delete` |Allows user or role to delete a single or multiple permission policies and roles |=== Kubernetes permissions:: +.Kubernetes permissions [cols="15%,25%,15%,45%", frame="all", options="header"] |=== |Name @@ -175,7 +180,7 @@ Kubernetes permissions:: |`kubernetes.proxy` | -| +|`use` |Allows user or role to access the proxy endpoint |=== @@ -212,17 +217,18 @@ conditions: |`ocm.entity.read` | -|read +|`read` |Allows user or role to read from the OCM plugin |`ocm.cluster.read` | -|read +|`read` |Allows user or role to read the cluster information in the OCM plugin |=== Topology permissions:: +.Topology permissions [cols="15%,25%,15%,45%", frame="all", options="header"] |=== |Name @@ -232,11 +238,11 @@ Topology permissions:: |`topology.view.read` | -|read +|`read` |Allows user or role to view the topology plugin |`kubernetes.proxy` | -| +|`use` |Allows user or role to access the proxy endpoint, allowing them to read pod logs and events within {product-very-short} |===
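Review bot: the new anchor `managing-authorizations-by-using-external-files` in assembly-managing-authorizations-by-using-external-files.adoc and the renamed `managing-authorizations-by-using-the-web-ui` in assembly-managing-authorizations-by-using-the-rhdh-web-ui.adoc drop the `_{context}` suffix that every sibling module keeps (`ref-rbac-permission-policies_{context}`, `ref-rbac-conditional-policy-definition_{context}`), and the new procedures then xref both styles (`xref:enabling-and-giving-access-to-rbac[...]` next to `xref:ref-rbac-permission-policies_{context}[...]`). Pick one convention for the guide, or confirm the context-less ids still resolve when the assembly is included under more than one context, and grep for any remaining `xref:proc-rbac-ui-manage-roles_{context}` since that anchor no longer exists.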
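Review bot: in proc-defining-authorizations-in-external-files-by-using-helm.adoc the additional volume mount is `mountPath:: /opt/app-root/src`, the application root, whereas the deleted Helm module mounted the same ConfigMap at `opt/app-root/src/rbac` and pointed `app-config.yaml` at `./rbac/rbac-policy.csv`. A ConfigMap volume mounted on a non-empty directory without a `subPath` replaces that directory's contents, so unless the chart mounts each key with `subPath` this hides the application files. Suggest mounting into a subdirectory such as `/opt/app-root/src/rbac` and updating `policies-csv-file` and `conditionalPoliciesFile` to match, or state why the root mount is safe. Minor: `Name::` is capitalised while the sibling `name::` entries are lowercase.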
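Review bot: steps 1 to 3 (the CSV and YAML format descriptions, the sample `rbac-policies.csv` and the `oc create configmap` command) are duplicated verbatim between proc-defining-authorizations-in-external-files-by-using-helm.adoc and the operator module; only the mount step differs. Moving the shared steps into one module, or into the parent assembly, keeps the two copies from drifting. Within those steps, the conditional-policy "format" block mixes placeholders with literal example values (`permissionMapping:` listing `read`, `update`, `delete`) and omits `resourceType`, which the deleted example and the conditional policy reference both use; either make every field a placeholder or title the block as a sample. The prose gives `role:default/guest` as the example role while the sample file uses `role:default/guests`.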
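Review bot: both new procedures title their final block `.`app-config.yml` fragment` while the step text and the rest of the guide call the file `app-config.yaml`; rename the title. The fragment also sets `policyFileReload: true` with no explanation of its effect; the deleted con-rbac-config-permission-policies-external-file.adoc stated that it reloads the policy file without restarting the instance, and that sentence, together with the Casbin rules link (https://casbin.org/docs/category/the-basics) and the note that a permission without an action takes `use`, should be carried over rather than dropped with the old module.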
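Review bot: the deleted proc-mounting-the-policy-csv-file-using-the-operator.adoc had a `.Verification` section (wait for the pod to start, open the route) that the replacement operator procedure does not carry over; add an equivalent check, ideally one that confirms the policies actually loaded, for example that a user assigned `role:default/guests` can read catalog entities and is denied what the CSV does not grant. The new `.Prerequisites` list only the RBAC feature even though the procedure runs `oc create configmap`, so a logged-in `oc` session with access to the project should be listed, as the deleted modules did for the web console.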
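Review bot: deleting proc-rbac-config-conditional-policy-file.adoc removes the nested conditional policy example (`allOf` / `anyOf` / `not` combining `IS_ENTITY_KIND` and `IS_ENTITY_OWNER`) and the sentence explaining it; the new procedures only xref `ref-rbac-conditional-policy-definition_{context}`, so confirm that reference already shows a nested example or move this one there before the content is lost. Dropping the deleted ConfigMap example, which placed a CSV `p, role:default/guests, ...` line inside `rbac-policy.yaml`, is correct.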
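Review bot: in ref-rbac-permission-policies.adoc, `+{product-short} supports following permission policies:` is missing the article ("supports the following permission policies"). The added block titles (`.Catalog permissions`, `.Bulk import permissions`, and so on) repeat the definition-list term on the line above each table (`Catalog permissions::`), so each heading now renders twice; keep one of the two. Filling the empty action cells with `use` for `bulk.import`, `scaffolder.action.execute`, `scaffolder.task.cancel` and `kubernetes.proxy` is the substantive part of this hunk and matches the `use` action listed in the new procedures; the unchanged context line "read a single or multiple one parameters from a template" could be fixed in passing.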