configure role permissions

kaitlynmichael · kaitlynmichael · commit 0770b4d56cf8 · 2025-07-07T11:48:15.000-05:00
diff --git a/content/operate/kubernetes/active-active/global-config.md b/content/operate/kubernetes/active-active/global-config.md
@@ -48,7 +48,6 @@ The [REAADB API reference]({{<relref "/operate/kubernetes/reference/redis_enterp
 
 This section edits the secrets under the REAADB `.spec.globalConfigurations` section. For more information and all available fields, see the [REAADB API reference]({{<relref "/operate/kubernetes/reference/redis_enterprise_active_active_database_api">}}).
 
-
 1. On an existing participating cluster, generate a YAML file containing the database secret with the relevant data.
 
     This example shoes a secret named `my-db-secret` with the password `my-password` encoded in base 64.
@@ -87,7 +86,7 @@ This section edits the secrets under the REAADB `.spec.globalConfigurations` sec
 
 1. On each other participating cluster, check the secret status.
 
-    ``sh
+    ```sh
     kubectl get reaadb <reaadb-name> -o=jsonpath='{.status.secretsStatus}'
     ```
 
@@ -103,4 +102,87 @@ This section edits the secrets under the REAADB `.spec.globalConfigurations` sec
     kubectl apply -f <db-secret-file>
     ```
 
-1. Repeat the previous two steps on every participating cluster.
+1. Repeat the previous two steps on every participating cluster.
+
+## Configure role permissions
+
+You can configure role-based access control (RBAC) permissions for Active-Active databases using the `rolesPermissions` field in the REAADB `.spec.globalConfigurations` section. The role permissions configuration is propagated across all participating clusters, but the underlying roles and Redis ACLs must be manually created on each cluster.
+
+{{<note>}}You must manually create the specified roles and Redis ACLs on all participating clusters before configuring role permissions. The operator only propagates the role permissions configuration—it does not create the underlying roles and ACLs. If roles or ACLs are missing on any cluster, the operator will log errors until they are manually created.{{</note>}}
+
+### Prerequisites
+
+Before configuring role permissions:
+
+1. Manually create the required roles and Redis ACLs on all participating clusters using the Redis Enterprise admin console or REST API.
+2. Ensure role and ACL names match exactly across all clusters (names are case-sensitive).
+3. Verify that roles and ACLs are properly configured on each cluster.
+
+{{<warning>}}The operator does not automatically create or synchronize roles and ACLs across clusters. You are responsible for manually creating identical roles and ACLs on each participating cluster.{{</warning>}}
+
+### Add role permissions to REAADB
+
+1. Create or update your REAADB custom resource to include `rolesPermissions` in the global configurations.
+
+    Example REAADB with role permissions:
+
+    ```yaml
+    apiVersion: app.redislabs.com/v1alpha1
+    kind: RedisEnterpriseActiveActiveDatabase
+    metadata:
+      name: reaadb-boeing
+    spec:
+      globalConfigurations:
+        databaseSecretName: <my-secret>
+        memorySize: 200MB
+        shardCount: 3
+        rolesPermissions:
+          - role: <role-name>
+            acl: <acl-name>
+            type: redis-acl
+      participatingClusters:
+        - name: rerc-ohare
+        - name: rerc-reagan
+    ```
+
+    Replace `<role-name>` and `<acl-name>` with the exact names of your Redis Enterprise role and ACL.
+
+2. Apply the REAADB custom resource:
+
+    ```sh
+    kubectl apply -f <reaadb-file>
+    ```
+
+    Alternatively, patch an existing REAADB to add role permissions:
+
+    ```sh
+    kubectl patch reaadb <reaadb-name> --type merge --patch \
+    '{"spec": {"globalConfigurations": {"rolesPermissions": [{"role": "<role-name>", "acl": "<acl-name>", "type": "redis-acl"}]}}}'
+    ```
+
+3. Verify the REAADB status shows `active` and `Valid`:
+
+    ```sh
+    kubectl get reaadb <reaadb-name>
+
+    NAME             STATUS   SPEC STATUS   GLOBAL CONFIGURATIONS REDB   LINKED REDBS
+    reaadb-boeing   active   Valid
+    ```
+
+4. Check the operator logs to confirm role permissions are applied:
+
+    ```sh
+    kubectl logs -l name=redis-enterprise-operator
+    ```
+
+    Look for log messages indicating "patching local BDB roles permissions" on each participating cluster.
+
+### Troubleshooting role permissions
+
+If you encounter issues with role permissions:
+
+- **Missing role or ACL errors**: Manually create the specified roles and ACLs on all participating clusters with exact name matches. The operator cannot create these automatically.
+- **Permission propagation failures**: Verify that the roles and ACLs are properly configured and accessible on each cluster. Remember that you must manually create identical roles and ACLs on every participating cluster.
+- **Case sensitivity issues**: Verify that role and ACL names match exactly, including capitalization, across all clusters.
+
+For more details on the `rolesPermissions` field structure, see the [REAADB API reference]({{<relref "/operate/kubernetes/reference/redis_enterprise_active_active_database_api#specglobalconfigurationsrolespermissions">}}).
