Okay, second question that came up was about granularity of RBAC controls.
I’m going to rephrase the question a bit, but the gist is:
can you set up RBAC to give access to edit specific checks, or just the check command across multiple checks?
The answer is a partial yes. Yes, you can give granular control to edit a single resource such as a check, but no, you can’t set up a role that grants editing of only specific attributes of a resource.
So to be clear:
YES: you can construct a role to limit editing to an existing check resource
NO: you cannot construct a role to limit editing to just the check command attribute inside check resources
And as Caleb mentioned in the webinar, there’s some thought being put into extending the RBAC rules to allow for label selection, so you can more easily group resources under a role and don’t have to explicitly list each resource. Stay tuned on that.
In the meantime I want to show everyone an example of an RBAC configuration that can be used to edit an existing check.
First I’m going to create a user named ‘limited-user’
sensuctl user create limited-user --interactive
Now I want to create a dedicated role and role-binding that will allow this user to only edit the check named
- name: limited-user
Now if you configure sensuctl for limited-user, the limited-user won’t be able to list the checks, but they will be able to see test-check and edit it:
sensuctl config view
=== Active Configuration
API URL: http://carbon:8080
JWT Expiration Timestamp: 1587075805
sensuctl check list
Error: unauthorized to perform action
sensuctl check info test-check
Command: echo "this is a limited test"
Proxy Entity Name:
I can also use sensuctl edit check test-check to interactively update the check, or use the API.
You can further expand on that role by adding rules to open up more of the API. Specifically, it’s a good idea to give users the ability to list all the checks, which will help with the web UI. But I wanted to give you an example of an extremely locked down RBAC rule that gives access to edit exactly a single check, as an example of using Sensu RBAC at the most granular level. Because a Sensu Role allows for multiple rules, it’s easy to start with a viewer role that has the necessary get and list verbs for all resources in place and then add additional rules to grant specific resource editing permissions like the one above.
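For reference, here is an added example (mine, not a configuration from the post above or shipped by Sensu) of what the role and role-binding for the locked-down demo look like, followed by the expanded variant suggested in the last paragraph. It assumes the check is named test-check, the user is limited-user, and everything lives in the default namespace; the role and binding names are my own choice.

```yaml
# Added example, not from the original post.
# Assumptions: "default" namespace; role/binding names are arbitrary.
#
# 1. Locked-down role: get and update on exactly one check.
---
type: Role
api_version: core/v2
metadata:
  name: edit-test-check-only
  namespace: default
spec:
  rules:
    # resource_names narrows get/update/delete to the listed checks.
    # It is not applied to the "list" verb, which is why this user gets
    # "unauthorized" from "sensuctl check list" but can still run
    # "sensuctl check info test-check" and "sensuctl edit check test-check".
    - verbs:
        - get
        - update
      resources:
        - checks
      resource_names:
        - test-check
# 2. Bind the role to the user created with "sensuctl user create limited-user".
---
type: RoleBinding
api_version: core/v2
metadata:
  name: limited-user-edit-test-check
  namespace: default
spec:
  role_ref:
    type: Role
    name: edit-test-check-only
  subjects:
    - type: User
      name: limited-user
# 3. Expanded variant: first rule lets the user see every check (enough for
#    the check list in the web UI), second rule still restricts update to
#    test-check. Bind it to the user the same way as above.
---
type: Role
api_version: core/v2
metadata:
  name: view-checks-edit-test-check
  namespace: default
spec:
  rules:
    - verbs:
        - get
        - list
      resources:
        - checks
    - verbs:
        - update
      resources:
        - checks
      resource_names:
        - test-check
```

Save it as a file and load it with `sensuctl create -f <file>` while configured as an admin, then switch sensuctl to limited-user and repeat the `sensuctl check list` / `sensuctl check info test-check` checks above to confirm the first role denies the list and permits the single check. Note that the expanded role only widens read access to checks; a real viewer role would list whichever other resource types (handlers, entities, and so on) the user needs to see.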