1 | | -.. _tcm_access_control: |
| 1 | +.. _tcm_access_control_rbac: |
2 | 2 |
|
3 | | -Access control |
4 | | -============== |
| 3 | +Role-based access control |
| 4 | +========================= |
5 | 5 |
|
6 | | -.. include:: index.rst |
| 6 | +.. include:: ../index.rst |
7 | 7 | :start-after: ee_note_tcm_start |
8 | 8 | :end-before: ee_note_tcm_end |
9 | 9 |
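Review bot: renaming the label `tcm_access_control` to `tcm_access_control_rbac` drops the old anchor, and nothing in this hunk shows existing `:ref:` targets being updated; grep the docs for `tcm_access_control>` (and the toctree entry for this page) before merging, otherwise Sphinx reports an undefined label for every cross-reference that still uses the old name. The include path change to `../index.rst` indicates the file moved one directory down; the `:start-after:`/`:end-before:` markers remain valid only if the parent-level `index.rst` still carries `ee_note_tcm_start`/`ee_note_tcm_end`.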
|
@@ -57,7 +57,7 @@ There are two types of permissions in |tcm|: *administrative* and *cluster* perm |
57 | 57 | Cluster permissions are assigned to users individually when creating or editing them. |
58 | 58 |
|
59 | 59 | For a fine-grained control over user access to particular spaces and functions stored |
60 | | - in clusters, there is the :ref:`access control list <tcm_access_control_acl>`. |
| 60 | + in clusters, there is the :ref:`access control list <tcm_access_control_list>`. |
61 | 61 |
|
62 | 62 | Permissions are predefined in |tcm|, there is no way to change, add, or delete them. |
63 | 63 | The complete lists of administrative and cluster permissions in |tcm| are provided |
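Review bot: the new target `tcm_access_control_list` is not defined anywhere in this diff (the only ACL label in this file, `tcm_access_control_acl`, is removed further down), so this cross-reference resolves only if the page the ACL section moves to declares `.. _tcm_access_control_list:`; please confirm that file is part of the same change, or keep `tcm_access_control_acl` as an additional label on the new section so older links keep working. The link text "access control list" still matches the destination, so no wording change is needed.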
@@ -259,145 +259,6 @@ There are the following password policy settings: |
259 | 259 | - **Digits (0-9)** |
260 | 260 | - **Symbols (such as !@#$%^&\*()_+№"':,.;=][{}`?>/.)** |
261 | 261 |
|
262 | | -.. _tcm_access_control_acl: |
263 | | - |
264 | | -Access control list |
265 | | -------------------- |
266 | | - |
267 | | -|tcm|'s *access control list* (*ACL*) determines user access to particular data |
268 | | -and functions stored in clusters. You can use it to allow or deny access to specific |
269 | | -stored objects one by one. |
270 | | - |
271 | | -Each ACL entry specifies privileges that a |tcm| user has on a particular |
272 | | -space or a function. There are three access privileges that can be granted in the ACL: |
273 | | -read, write, and execute (for stored functions only). The privileges work as follows: |
274 | | - |
275 | | -- Spaces: |
276 | | - |
277 | | - - ``Read``: the user sees the space and its tuples on the **Tuples** and **Explorer** pages |
278 | | - - ``Write``: the user can add new and edit existing tuples of the space |
279 | | - |
280 | | -- Functions: |
281 | | - |
282 | | - - ``Read``: the user sees the function on the **Functions** tab of the instance details page. |
283 | | - - ``Write``: the user can edit or delete the function |
284 | | - - ``Execute``: the user can call the function |
285 | | - |
286 | | -.. important:: |
287 | | - |
288 | | - User access to space data and stored functions is primarily defined by the |
289 | | - :ref:`cluster permissions <tcm_access_control_permissions_cluster>` ``cluster.space.data.*`` and ``cluster.func.*``. |
290 | | - ACL only increases the access control granularity to particular objects. |
291 | | - Make sure that users have these permissions before enabling ACL for them. |
292 | | - |
293 | | -.. _tcm_access_control_acl_enable: |
294 | | - |
295 | | -Enabling ACL for a user |
296 | | -~~~~~~~~~~~~~~~~~~~~~~~ |
297 | | - |
298 | | -To granularly manage a user's access to particular objects in a cluster, enable |
299 | | -the use of ACL in the user profile: |
300 | | - |
301 | | -#. Go to **Users** and click **Edit** in the **Actions** menu of the corresponding table row. |
302 | | - |
303 | | -#. In the user's **Clusters** list, add a cluster on which you want to use ACL |
304 | | - or click the pencil icon if the cluster is already on the list. |
305 | | - |
306 | | -#. Select the **Use Access Control List (ACL)** checkbox and save changes. |
307 | | - |
308 | | -#. Repeat two previous steps for each cluster on which you want to use ACL for this user. |
309 | | - |
310 | | -#. Click **Update** to save the user account. |
311 | | - |
312 | | -If the user doesn't exist yet, you can do the same when creating it. |
313 | | - |
314 | | -.. important:: |
315 | | - |
316 | | - When ACL use is enabled for a user, this user loses access to all spaces and |
317 | | - functions of the selected cluster except the ones explicitly specified in the ACL. |
318 | | - |
319 | | -.. _tcm_access_control_acl_manage: |
320 | | - |
321 | | -Managing ACL |
322 | | -~~~~~~~~~~~~ |
323 | | - |
324 | | -The tools for managing ACL are located on the **ACL** page. |
325 | | - |
326 | | -To add an ACL entry: |
327 | | - |
328 | | -#. Click **Add**. |
329 | | -#. Select a user to which you want to grant access. |
330 | | -#. Select a cluster that stores the target object: a space or a function. |
331 | | -#. Select the target object type and enter its name. |
332 | | -#. Select the privileges you want to grant. |
333 | | - |
334 | | -To delete an ACL entry, click **Delete** in the **Actions** menu of the corresponding table row. |
335 | | - |
336 | | -.. _tcm_access_control_sessions: |
337 | | - |
338 | | -Sessions |
339 | | --------- |
340 | | - |
341 | | -Administrators can view and revoke user sessions in |tcm|. All active sessions |
342 | | -are listed on the **Sessions** page. To revoke a session, click **Revoke** in the |
343 | | -**Actions** menu of the corresponding table row. |
344 | | - |
345 | | -To revoke all sessions of a user, go to **Users** and click **Revoke all sessions** |
346 | | -in the **Actions** menu of the corresponding table row. |
347 | | - |
348 | | -.. _tcm_access_control_api_tokens: |
349 | | - |
350 | | -API tokens |
351 | | ----------- |
352 | | - |
353 | | -|tcm| uses the Bearer HTTP authentication scheme with *API tokens* to authenticate |
354 | | -external applications' requests to |tcm|. For example, these can be Prometheus |
355 | | -jobs that retrieve metrics of connected Tarantool clusters. |
356 | | - |
357 | | -The API tokens functionality is disabled by default. To enable it, set the |
358 | | -:ref:`feature.api-token <tcm_configuration_reference_feature_api-token>` configuration option to ``true``. |
359 | | - |
360 | | -.. code-block:: yaml |
361 | | -
|
362 | | - feature: |
363 | | - api-token: true |
364 | | -
|
365 | | -Each |tcm| API token belongs to the user that created it and has the same :ref:`access permissions <tcm_access_control_permissions>`. |
366 | | -Thus, if a user has a permission to view a cluster's metrics in |tcm|, this user's |
367 | | -API tokens can be used to read this cluster's metrics with Prometheus. |
368 | | - |
369 | | -API tokens have expiration dates that are set during the token creation and cannot |
370 | | -be changed. |
371 | | - |
372 | | -.. _tcm_access_control_api_tokens_manage: |
373 | | - |
374 | | -Managing API tokens |
375 | | -~~~~~~~~~~~~~~~~~~~ |
376 | | - |
377 | | -.. note:: |
378 | | - |
379 | | - Each user, including **Default Admin** and other administrators, can create only |
380 | | - their own tokens. There is no way to create a token for another user. |
381 | | - |
382 | | -To create a |tcm| API token: |
383 | | - |
384 | | -#. Open the user settings by clicking the user's name in the top-right corner. |
385 | | -#. Go to the **API tokens** tab and click **Add**. |
386 | | -#. Specify the token expiration date and an optional description and click **Add**. |
387 | | - |
388 | | -The created token is shown in a dialog. |
389 | | - |
390 | | -.. important:: |
391 | | - |
392 | | - An API token is shown only once after its creation. There is no way to view |
393 | | - it again after you close the dialog. Make sure to copy the token in a safe place. |
394 | | - |
395 | | -To delete an API token, click **Delete** in the actions menu of the corresponding |
396 | | -**API tokens** table row. |
397 | | - |
398 | | -Administrators can also view information about users' API tokens and delete them |
399 | | -on the **Secrets** page. To open a user's secrets, click **Secrets** in the **Actions** |
400 | | -menu of the corresponding **Users** table row. |
401 | 262 |
|
402 | 263 | .. _tcm_access_control_permissions_ref: |
403 | 264 |
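Review bot: the labels defined in the removed block (`tcm_access_control_acl`, `tcm_access_control_acl_enable`, `tcm_access_control_acl_manage`, `tcm_access_control_sessions`, `tcm_access_control_api_tokens`, `tcm_access_control_api_tokens_manage`) disappear without a replacement visible in this diff, so any `:ref:` elsewhere in the docs pointing at them will fail the build. If the ACL, Sessions and API tokens sections are being moved to their own pages, make sure the new files define the same labels or that every cross-reference is updated in the same change; the moved ACL text also refers to `tcm_access_control_permissions_cluster`, which stays in this file, so that reference must still resolve from the new location. The security-relevant warnings in the removed text (enabling ACL removes the user's access to every space and function not explicitly listed; an API token is shown only once and inherits the creating user's permissions) should survive the move verbatim rather than be summarised.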
|
|