Manage ST4SD users
Manage the access rights of users in your ST4SD deployment on OpenShift.
- Give a group of users full access to the ST4SD namespace
- Give a group of users access to just the ST4SD microservices
- Role objects that ST4SD creates in its namespace
- Enable a namespace administrator to install ST4SD in a namespace
We recommend grouping your users by the access level they need in your ST4SD deployment and then granting each Group the appropriate Role with a RoleBinding. Note that Group objects (user.openshift.io/v1) are cluster-scoped, while the Role and RoleBinding objects below are scoped to the namespace that ST4SD is deployed in, so a binding grants nothing outside that namespace.
Give a group of users full access to the ST4SD namespace
For example, suppose you want to give the users A and B full access to the ST4SD microservices and to the objects in the same namespace. Put the following in a file called group-full-access.yaml:

```yaml
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  # modify this field if your namespace has a different name
  name: st4sd-full-access-my-namespace
users:
  - Account name of user A
  - Account name of user B
```
Then create the following file rolebinding-full-access.yaml:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: st4sd-full-access
  # modify this field if your namespace has a different name
  namespace: my-namespace
subjects:
```
Before you create these objects, make sure that you have:

- replaced my-namespace in both files with the namespace that you deployed ST4SD in;
- written down the exact account names of your users. The account name is the value in the Name column of the User object, not the display name or e-mail address: a name that matches no User object silently grants nothing, and a name that matches a different user grants that user access instead. To find it:
  - log in to your OpenShift Web Console as an administrator;
  - on the left pane expand the User Management menu and click the Users entry;
  - locate the users A and B in the list and copy the values shown for them under the Name column.

Then run oc create -f group-full-access.yaml && oc create -f rolebinding-full-access.yaml. The users A and B can now access your ST4SD instance. Because the RoleBinding is namespace-scoped, they gain no rights in any other namespace.
Give a group of users access to just the ST4SD microservices
You may want to let two users A and B use the ST4SD microservices in the namespace my-namespace without being able to interact with OpenShift in any other meaningful way. This is the least-privilege option, and the one to prefer for users who only need the microservices. In this case, put the following in a file called microservices-only.yaml:

```yaml
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  # modify this field if your namespace has a different name
  name: st4sd-microservices-only-my-namespace
users:
  - Account name of user A
  - Account name of user B
```
Then create the following file rolebinding-microservices-only.yaml:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: st4sd-microservices-only
  # modify this field if your namespace has a different name
  namespace: my-namespace
subjects:
```
As before, make sure that you have replaced my-namespace in both files with the namespace that you deployed ST4SD in, and that you have copied the exact account names of users A and B from the Name column under User Management > Users in the OpenShift Web Console (log in as an administrator to see it).

Then run oc create -f microservices-only.yaml && oc create -f rolebinding-microservices-only.yaml. The users A and B can now authenticate to your ST4SD instance, but they cannot create or modify other objects in the namespace.
Role objects that ST4SD creates in its namespace
Deployments of ST4SD on OpenShift contain:
- Several ST4SD Microservices (st4sd-runtime-service, st4sd-registry-ui, st4sd-datastore)
- The ST4SD Workflow Operator (st4sd-runtime-k8s)
- A Database backend (mongodb)
As a cluster administrator, you can install ST4SD multiple times on your cluster. Each ST4SD deployment is contained in a single namespace, and users of one ST4SD deployment do not automatically have access to other deployments. The cluster administrator configures the Role Based Access Control (RBAC) of users to control which users can access which ST4SD instance.
Installing ST4SD in a namespace creates the following 2 Role objects in the same namespace:

- st4sd-authenticate-microservices: assigning this Role to a user lets them get Service objects in the namespace that ST4SD is deployed in. This is the minimum RBAC a user needs to authenticate to the ST4SD microservices. It does not give them enough permissions to interact directly with the ST4SD Workflow Operator or with other namespaced objects in the same OpenShift project.
- workflow-user: assigning this Role to a user lets them authenticate against the ST4SD microservices and additionally gives them Create, Read, Update and Delete (CRUD) permissions on namespaced objects in the same namespace, including the objects that the ST4SD workflow operator interacts with. Treat this as administrator-level access to that namespace and grant it only to users you trust with everything stored there.
Enable a namespace administrator to install ST4SD in a namespace
We recommend that you appoint some of the users or administrators of the cluster as administrators of the namespaces that you deploy ST4SD in. You can then assign a Kubernetes Role that allows just the administrators of a namespace to create or modify an ST4SD deployment, without making them cluster administrators.

For example, if your namespace is called my-namespace, create the following file admin-role.yaml:

```yaml
apiVersion: authorization.openshift.io/v1
kind: Role
metadata:
  name: st4sd-olm-permissions
  # modify this field if your namespace has a different name
  namespace: my-namespace
  labels:
```
Then create the role:
oc create -f admin-role.yaml
Next, create a group for your administrators by placing the following in the file admin-group.yaml:

```yaml
kind: Group
apiVersion: user.openshift.io/v1
metadata:
  # modify this field if your namespace has a different name
  name: st4sd-administrators-my-namespace
users:
  - Account name of Administrator A
```
Then create the group:
oc create -f admin-group.yaml
Finally, assign the role to the group by creating the file admin-binding.yaml:

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: st4sd-administrators-my-namespace
  # modify this field if your namespace has a different name
  namespace: my-namespace
subjects:
```
Run:
oc create -f admin-binding.yaml
You can manage the ST4SD administrators for the my-namespace namespace by changing the users of the Group object st4sd-administrators-my-namespace; the Role and the RoleBinding do not need to change.
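Putting the three procedures on this page together (full access, microservices only, and the namespace administrators group), here is an added example script; it is not part of ST4SD or of the original page. It renders the Group and the RoleBinding for a given namespace and access level, applies them with oc apply, and checks the result by impersonating the user with oc auth can-i. It assumes that the full-access binding refers to the workflow-user Role and the microservices-only binding to the st4sd-authenticate-microservices Role (the two Roles described above), that the administrators binding refers to the st4sd-olm-permissions Role from admin-role.yaml, and that subjects and roleRef use the standard rbac.authorization.k8s.io apiGroup. The group and binding names follow the ones used on this page; user names such as alice and bob in the usage note are placeholders.

```shell
#!/bin/sh
# Added example for this page; not ST4SD project code. Renders the Group +
# RoleBinding pair that each procedure above creates by hand and can verify
# the result with `oc auth can-i`.
#
# Assumptions (not stated as code on the page):
#   - full access binds Role workflow-user, microservices-only binds Role
#     st4sd-authenticate-microservices, administrators bind Role
#     st4sd-olm-permissions (created from admin-role.yaml);
#   - subjects and roleRef use the rbac.authorization.k8s.io apiGroup.
# Nothing here talks to the cluster unless you call apply_* or check_* yourself.

# Print an OpenShift Group manifest.
# $1 = group name; remaining args = user account names exactly as shown in the
# Name column of User Management > Users.
group_manifest() {
    gname=$1; shift
    printf 'kind: Group\napiVersion: user.openshift.io/v1\nmetadata:\n  name: %s\nusers:\n' "$gname"
    for u in "$@"; do
        printf '  - %s\n' "$u"
    done
}

# Print a RoleBinding that binds a namespaced Role to a Group.
# $1 = binding name, $2 = namespace, $3 = group name, $4 = Role name
rolebinding_manifest() {
    cat <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $1
  namespace: $2
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: $3
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: $4
EOF
}

# Emit both manifests for one namespace and access level, separated by '---'.
# $1 = namespace, $2 = full | microservices-only | admin, remaining args = users.
# Names follow the page: st4sd-full-access-<ns>, st4sd-microservices-only-<ns>,
# st4sd-administrators-<ns>.
st4sd_access_manifests() {
    [ $# -ge 3 ] || { echo "usage: st4sd_access_manifests <namespace> <full|microservices-only|admin> <user>..." >&2; return 1; }
    ns=$1; level=$2; shift 2
    case $level in
        full)
            role=workflow-user
            grp="st4sd-full-access-$ns"; binding=st4sd-full-access ;;
        microservices-only)
            role=st4sd-authenticate-microservices
            grp="st4sd-microservices-only-$ns"; binding=st4sd-microservices-only ;;
        admin)
            role=st4sd-olm-permissions
            grp="st4sd-administrators-$ns"; binding=$grp ;;
        *)
            echo "st4sd_access_manifests: unknown level '$level' (full|microservices-only|admin)" >&2
            return 1 ;;
    esac
    group_manifest "$grp" "$@"
    echo '---'
    rolebinding_manifest "$binding" "$ns" "$grp" "$role"
}

# Create or update the pair. `oc apply` replaces the Group's user list with the
# one given, so re-running this with a new list adds or removes members.
apply_st4sd_access() {
    st4sd_access_manifests "$@" | oc apply -f -
}

# Ask the API server, as that user, whether the binding grants what you expect.
# Requires impersonation rights (cluster-admin has them). $1 = namespace, $2 = user
check_st4sd_access() {
    for verb_res in "get services" "create pods" "get secrets"; do
        # $verb_res is deliberately unquoted: verb and resource are two arguments
        printf '%-16s %s\n' "$verb_res:" "$(oc auth can-i $verb_res -n "$1" --as "$2")"
    done
}
```

Usage: source the script, then run apply_st4sd_access my-namespace microservices-only alice bob followed by check_st4sd_access my-namespace alice, which should report yes for get services and no for create pods; a yes for create pods means the user was bound to more than the authenticate Role. Re-running apply_st4sd_access with a different user list is also how you add or remove members of any of the three groups, since the Group's users list is replaced by the one you give.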