我的书签
添加书签
移除书签Managing users and permissions
Starting with tsuru 0.13.0 a new mechanism for managing users and permissionswas introduced. This new mechanism allows for fine-grained control on whichactions are available for each user. While at the same time trying to allowbroad permissions avoiding the need for interaction every time a new permissionis available.
To achieve this goal some concepts will be explained below.
Concepts
Permissions
tsuru includes a fixed number of permissions that may change on each release.To list all available permissions the command tsuru permission-list shouldbe used.
Permissions in tsuru work in a hierarchical fashion and are typicallyrepresented using a dot notation. Granting access to a top-level permissionimply access to all permissions below it.
As an example, consider the following permissions:
app.update.env.setapp.update.env.unsetapp.deploy
If a user have access only toapp.update.env.setonly this specific actionis available to them. However, it’s also possible to grant access to the broaderapp.updatepermission which will allow users to both set and unsetenvironment variables, but not deploy the applications. If we want to allow auser to execute all actions related to an application, the even broaderpermissionappcan be used.
Contexts
When applying permissions to a user one do so in regard to a context. Eachpermission declares which contexts can be used and it’s possible see theavailable contexts using the command tsuru permission-list. When apermission is assigned to a user it needs a context and a value for the chosencontext. Examples of available contexts are:
teamappglobal
If a user have theapp.deploypermission for theteamnamedmyteamit means that they can only deploy applications whichmyteamhas access. Thesame way, it’s possible to assign the sameapp.deploypermission to a userwith the contextappfor one application namedmyappname. This means theuser can now deploy this specific application calledmyappname.
The global context is a special case. It’s available to all permissions andmeans that the permission always applies. In the previous scenario, if a userhave the app.deploy permission with a global context it means that theycan deploy any application.
Roles
To better manage permissions it’s not possible to directly assign permissions tousers. First you have to create a role including wanted permissions and thenapply this role in regard to a context value to one or more users.
The following commands are available to manage roles and permissions and assignthem to users:
tsuru permission-listtsuru role-addtsuru role-removetsuru role-listtsuru role-permission-addtsuru role-permission-removetsuru role-assigntsuru role-dissociatetsuru role-info
More details about each command can be found in the client documentation.
An example of the typical scenario for adding a new role and assigning it to auser is the following:
- $ tsuru role-add app_reader_restarter team
- Role successfully created!
- $ tsuru role-list
- +----------------------+---------+-------------+
- | Role | Context | Permissions |
- +----------------------+---------+-------------+
- | AllowAll | global | * |
- +----------------------+---------+-------------+
- | app_reader_restarter | team | |
- +----------------------+---------+-------------+
- $ tsuru role-permission-add app_reader_restarter app.read app.update.restart
- Permission successfully added!
- $ tsuru role-list
- +----------------------+---------+--------------------+
- | Role | Context | Permissions |
- +----------------------+---------+--------------------+
- | AllowAll | global | * |
- +----------------------+---------+--------------------+
- | app_reader_restarter | team | app.read |
- | | | app.update.restart |
- +----------------------+---------+--------------------+
- $ tsuru user-list
- +-------------------+------------------+-------------+
- | User | Roles | Permissions |
- +-------------------+------------------+-------------+
- | admin@example.com | AllowAll(global) | *(global) |
- +-------------------+------------------+-------------+
- | myuser@corp.com | | |
- +-------------------+------------------+-------------+
- $ tsuru role-assign app_reader_restarter myuser@corp.com myteamname
- Role successfully assigned!
- $ tsuru user-list
- +-------------------+---------------------------------------+-------------------------------------+
- | User | Roles | Permissions |
- +-------------------+---------------------------------------+-------------------------------------+
- | admin@example.com | AllowAll(global) | *(global) |
- +-------------------+---------------------------------------+-------------------------------------+
- | myuser@corp.com | app_reader_restarter(team myteamname) | app.read(team myteamname) |
- | | | app.update.restart(team myteamname) |
- +-------------------+---------------------------------------+-------------------------------------+
From this moment the user named myuser@corp.com can read and restart allapplications belonging to the team named myteamname.
Default roles
It’s possible to have default roles that are applied to a user when some eventhappens on tsuru. Example of such events are user-create andteam-create. A list of all possible events can be found running the commandtsuru role-default-list. Commands tsuru role-default-add and tsuru should be used to include or remove new roles in an event.
role-default-remove
A common use for default roles would be replicating the behavior of tsuru onversions prior to 0.13.0. A new user would always be allowed to create a newteam and would also be allowed to create new applications on the newly createdteam.
To achieve this with default roles first two roles need to be created, let’scall them team-creator and team-member. team-creator would use theglobal context and include the team.create permission. team-memberwould use the team context and include the app permission.
With these roles created we only need to add them as default on the appropriateevent:
- $ tsuru role-default-add --user-create team-creator --team-create team-member
Adding members to a team
When managing teams, It’s very common to add new members to a team or add membersto a new team. To do this on Tsuru you’ll need to use role-assign command, asfollows:
- $ tsuru role-assign <role> <user@email.com> <team>
Migrating
When you already have an existing tsuru installation it will be necessary tocreate roles and assign them to all existing users, otherwise they will nolonger be able to execute any action in tsuru.
To make this process easier we created a migration to help with the transition.The goal of this migration is to roughly give all existing users the same set ofpermissions they already had on tsuru. To accomplish this it’ll create 3different roles: admin, team-member and team-creator.
The admin role will have a global context for the root permission and willbe assigned to all users that are members to the admin-team described intsuru.conf file. This users will be able to do anything, anywhere.
The team-member role will have a team context and the followingpermissions:
appteamservice-instance
And will be assigned to all users for each team name the user is a member of.
The team-creator role will only include the team.create permission witha global context and will also be assigned to all users.
Also the role team-creator will be assigned as a default role when a newuser is created. And the team-member role will be the default role assignedto a user when they create a new team.
Running this migration is optional. If you choose execute it simply run:
- $ tsurud [--config <path to tsuru.conf>] migrate --name migrate-roles
Bootstrapping
For a new tsuru installation the first user created should have a role with aroot permission. To create this user a new command was created in the tsurudaemon application (tsurud) and should be executed right after itsinstallation:
- $ tsurud [--config <path to tsuru.conf>] root-user-create myemail@somewhere.com
- # type a password and confirmation (only if using native auth scheme)
原文: https://docs.tsuru.io/1.6/managing/users-and-permissions.html
