-
Notifications
You must be signed in to change notification settings - Fork 0
Working with Rapyuta.io RBAC
In version v4.2.1 of the CLI, we added the support for Rapyuta.io RBAC. This wiki elaborates on the usage of the feature.
Rapyuta.io supports two RBAC roles namely, admin and viewer. Before the feature was rolled out, all users were granted the admin role by default. Hence, if you view the roles of the existing users today, you may see that most of them are admins.
There are two ways a user can gain access to any project
- they are either directly added to the project
- they are part of a user group that has access to the project
With that, we can say that a user may be an admin or viewer in a project, or, a user group may be an admin or viewer in a project and by that relation, all members of that group either become admin or viewer in a project. Hence
- We can update the project resource to modify user or group roles associated with it
- We can update user group resources to update their role in a project
Both operations are supported via the rio apply command and are entirely declarative in nature.
Currently, we have a limitation that only the organization owner and the project owner have the right to update a project. This may change in the future where we improve the overall RBAC in the product.
At the user group level, we have a couple of more roles, i.e. group_admin and group_member. If you are in the admins list, then you can modify the user group via the rio apply command.
In order to use the rio apply command, you will require manifests for projects or user groups. The rio explain project or rio explain usergroup command will print examples for you to refer. Else, you can also refer existing projects and groups.
The following commands will print usable manifests that you can update and apply.
rio project inspect {PROJECT_NAME}
rio usergroup inspect {USERGROUP_NAME}