Managing cluster users and roles in TCM (#4423)

p7nov · andreyaksenov · web-flow · commit b2748f646d23 · 2024-08-13T11:22:09.000+07:00
Resolves #4317 Co-authored-by: Andrey Aksenov <38073144+andreyaksenov@users.noreply.github.com>
diff --git a/doc/tooling/tcm/index.rst b/doc/tooling/tcm/index.rst
@@ -38,9 +38,7 @@ to read data. LDAP authorization is supported as well.
 
     tcm_ui_overview
     tcm_connect_clusters
-    tcm_cluster_config
-    tcm_cluster_monitoring
-    tcm_cluster_metrics
+    tcm_cluster_management/index
     tcm_cluster_data_access
     tcm_access_control
     tcm_audit_log
diff --git a/doc/tooling/tcm/tcm_cluster_management/index.rst b/doc/tooling/tcm/tcm_cluster_management/index.rst
@@ -0,0 +1,20 @@
+.. _tcm_cluster_management:
+
+Cluster management
+==================
+
+..  include:: ../index.rst
+    :start-after: ee_note_tcm_start
+    :end-before: ee_note_tcm_end
+
+The main goal of |tcm_full_name| is to provide visual tools for managing
+various aspects of Tarantool clusters from the browser. See the pages of this section
+to learn how to perform various management operations on Tarantool clusters from |tcm|.
+
+..  toctree::
+    :maxdepth: 1
+
+    tcm_cluster_state
+    tcm_cluster_config
+    tcm_cluster_users
+    tcm_cluster_metrics
diff --git a/doc/tooling/tcm/tcm_cluster_management/tcm_cluster_config.rst b/doc/tooling/tcm/tcm_cluster_management/tcm_cluster_config.rst
@@ -3,7 +3,7 @@
 Configuring clusters
 ====================
 
-..  include:: index.rst
+..  include:: ../index.rst
     :start-after: ee_note_tcm_start
     :end-before: ee_note_tcm_end
 
diff --git a/doc/tooling/tcm/tcm_cluster_management/tcm_cluster_metrics.rst b/doc/tooling/tcm/tcm_cluster_management/tcm_cluster_metrics.rst
@@ -3,7 +3,7 @@
 Viewing cluster metrics
 =======================
 
-..  include:: index.rst
+..  include:: ../index.rst
     :start-after: ee_note_tcm_start
     :end-before: ee_note_tcm_end
 
diff --git a/doc/tooling/tcm/tcm_cluster_management/tcm_cluster_state.rst b/doc/tooling/tcm/tcm_cluster_management/tcm_cluster_state.rst
@@ -1,9 +1,13 @@
-..  _tcm_cluster_monitoring:
+..  _tcm_cluster_state:
 
-Cluster monitoring
-==================
+Viewing cluster state
+=====================
 
-|tcm_full_name| provides means for monitoring various aspects of connected clusters,
+..  include:: ../index.rst
+    :start-after: ee_note_tcm_start
+    :end-before: ee_note_tcm_end
+
+|tcm_full_name| provides a visual interface for checking various aspects of connected clusters,
 such as:
 
 *   topology
@@ -12,17 +16,17 @@ such as:
 *   data distribution
 *   Tarantool versions
 
-Cluster monitoring tools are available on the **Cluster** > **Stateboard** page.
+Cluster state information is available on the **Cluster** > **Stateboard** page.
 
-..  _tcm_cluster_monitoring_topology:
+..  _tcm_cluster_state_topology:
 
 Cluster topology
 ----------------
 
 The cluster topology is displayed on the **Stateboard** page in one of two forms:
 a list or a graph.
 
-..  _tcm_cluster_monitoring_topology_list:
+..  _tcm_cluster_state_topology_list:
 
 List view
 ~~~~~~~~~
@@ -37,7 +41,7 @@ to filter the instances with the selected versions and states.
 
 To switch to the list view, click the list button on the right of the search bar on the **Stateboard** page.
 
-..  _tcm_cluster_monitoring_topology_graph:
+..  _tcm_cluster_state_topology_graph:
 
 Graph view
 ~~~~~~~~~~
@@ -49,7 +53,7 @@ which is helpful for larger clusters.
 
 To switch to the graph view, click the graph button on the right of the search bar on the **Stateboard** page.
 
-..  _tcm_cluster_monitoring_topology_group:
+..  _tcm_cluster_state_topology_group:
 
 Instance grouping
 ~~~~~~~~~~~~~~~~~
@@ -66,7 +70,7 @@ you see if issues happen in a specific data center or server.
 To change the instance grouping, click **Group by** in the **Actions** menu on the **Stateboard** page.
 Then add or remove grouping criteria.
 
-..  _tcm_cluster_monitoring_topology_filters:
+..  _tcm_cluster_state_topology_filters:
 
 Filtering
 ~~~~~~~~~
@@ -81,7 +85,7 @@ at the top. It has predefined filters that select:
 
 To display all instances, delete the filter applied in the search bar.
 
-..  _tcm_cluster_monitoring_instance_details:
+..  _tcm_cluster_state_instance_details:
 
 Instance details
 ----------------
@@ -104,10 +108,10 @@ find:
 Additionally, on the instance details page there is a terminal in which you can execute
 arbitrary Lua code on the instance.
 
-..  _tcm_cluster_monitoring_urls:
+..  _tcm_cluster_state_urls:
 
-Additional monitoring services
-------------------------------
+Linked external services
+------------------------
 
 When you :ref:`connect a cluster <tcm_connect_clusters>` to |tcm|, you can specify
 URLs of external services linked to this cluster. For example, this can be a Grafana
diff --git a/doc/tooling/tcm/tcm_cluster_management/tcm_cluster_users.rst b/doc/tooling/tcm/tcm_cluster_management/tcm_cluster_users.rst
@@ -0,0 +1,88 @@
+..  _tcm_cluster_users:
+
+Managing cluster users and roles
+================================
+
+..  include:: ../index.rst
+    :start-after: ee_note_tcm_start
+    :end-before: ee_note_tcm_end
+
+|tcm_full_name| provides a visual interface for managing Tarantool users and roles
+on connected clusters.
+
+.. note::
+
+    This page describes management of :ref:`Tarantool users and roles <access_control>`
+    on instances of connected clusters. To learn to manage |tcm| users, see :ref:`tcm_access_control`.
+
+The :ref:`Tarantool access model <access_control>` defines user access to entities
+inside a single instance. Thus, to create or alter a cluster-wide user or role, you need to
+do this on all cluster instances. In replication clusters, changes in access model
+are possible only on read-write instances (replica set leaders). Changes made on
+a leader instance are propagated to all instances of its replica set automatically.
+
+Operations on the cluster access model are possible only if the :ref:`user <tcm_connect_clusters_parameters_tarantool>`
+that |tcm| uses to connect to the cluster has the privileges to manage users and roles.
+
+You can also manage Tarantool users and roles from |tcm| using the Lua API
+as described in :ref:`access_control`. To do this, connect to instance consoles
+from the **Terminal** tab of the instance page.
+
+..  _tcm_cluster_users_users:
+
+Managing cluster users
+----------------------
+
+The tools for managing cluster users are located on the **Users** tab
+of the :ref:`instance page <tcm_ui_instance>`.
+
+.. important::
+
+    To ensure the access model consistency across the cluster, repeat all user
+    management operations on all read-write instances of the cluster.
+
+To create a user on a cluster:
+
+#.  Go to **Stateboard**.
+#.  Find a replica set leader in the instances list and click it to open the instance page.
+#.  Go to the **Users** tab and click **Add user**.
+
+To edit or delete a user, click the **Edit** or **Delete** button against the username
+in the **Users** table.
+
+To edit a user's privileges:
+
+#.  Click the lock icon against the username in the **Users** table.
+#.  In the privileges dialog:
+
+    -   Click **Add** to grant privileges
+    -   Click **Revoke** (the trash bin icon) to revoke a privilege
+
+..  _tcm_cluster_users_roles:
+
+Managing cluster roles
+----------------------
+
+The tools for managing cluster roles are located on the **Users** tab
+of the :ref:`instance page <tcm_ui_instance>`.
+
+.. important::
+
+    To ensure the access model consistency across the cluster, repeat all role
+    management operations on all read-write instances of the cluster.
+
+To create a role on a cluster:
+
+#.  Go to **Stateboard**.
+#.  Find a replica set leader in the instances list and click it to open the instance page.
+#.  Go to the **Users** tab and click **Add role**.
+
+To delete a role, click the **Delete** button against the role name in the **Roles** table.
+
+To edit a role's privileges:
+
+#.  Click the lock icon against the role name in the **Roles** table.
+#.  In the privileges dialog:
+
+    -   Click **Add** to grant privileges
+    -   Click **Revoke** (the trash bin icon) to revoke a privilege
diff --git a/doc/tooling/tcm/tcm_connect_clusters.rst b/doc/tooling/tcm/tcm_connect_clusters.rst
@@ -32,6 +32,8 @@ Connection parameters
 When connecting a cluster to |tcm|, you need to provide two sets of connection parameters:
 for the cluster instances and for the centralized configuration storage.
 
+..  _tcm_connect_clusters_parameters_storage:
+
 Configuration storage connection
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -50,6 +52,8 @@ provide the corresponding encryption configuration: keys, certificates, and othe
 parameters. For the complete list of parameters, consult the `etcd documentation <https://etcd.io/docs/v3.5/op-guide/configuration/#security>`__
 or Tarantool :ref:`enterprise-iproto-encryption`.
 
+..  _tcm_connect_clusters_parameters_tarantool:
+
 Cluster connection
 ~~~~~~~~~~~~~~~~~~
 
diff --git a/doc/tooling/tcm/tcm_releases/tcm_1.0.rst b/doc/tooling/tcm/tcm_releases/tcm_1.0.rst
@@ -39,7 +39,7 @@ the selected cluster:
 From the stateboard, you can navigate to specific instances to view their details
 or connect to their interactive consoles.
 
-To learn more, see :ref:`tcm_cluster_monitoring`.
+To learn more, see :ref:`tcm_cluster_state`.
 
 .. _tcm_releases_1_0_config:
 
diff --git a/doc/tooling/tcm/tcm_releases/tcm_1.2.rst b/doc/tooling/tcm/tcm_releases/tcm_1.2.rst
@@ -24,7 +24,7 @@ cluster through the |tcm| web interface.
 The tools for managing Tarantool users on a cluster instance are located on the
 **Users** tab of the instance page.
 
-Learn more about Tarantool access model in :ref:`access_control`.
+Learn more about managing Tarantool users from |tcm| in :ref:`tcm_cluster_users`.
 
 .. _tcm_releases_1_2_migrations:
 
diff --git a/doc/tooling/tcm/tcm_ui_overview.rst b/doc/tooling/tcm/tcm_ui_overview.rst
@@ -124,7 +124,7 @@ On this page, you can:
     by clicking instance names in the cluster topology list
 -   start and stop instances (in the development mode).
 
-Learn more about using the cluster stateboard in :ref:`tcm_cluster_monitoring`.
+Learn more about using the cluster stateboard in :ref:`tcm_cluster_state`.
 
 ..  _tcm_ui_instance:
 
@@ -144,7 +144,8 @@ It provides a set of tabs for performing actions on the selected Tarantool insta
     or as a console output of ``box.cfg``, ``box.info``, and other built-in functions
 -   **SQL** and **Terminal** tabs: run SQL and Lua commands on the instance
 -   **Logs** tab: view instance logs
--   **Slab stats** tab: view :ref:`slab allocator <memtx-memory>` statistics
+-   **Slabs** tab: view :ref:`slab allocator <memtx-memory>` statistics
+-   **Users** tab: manage Tarantool :ref:`users and roles <tcm_cluster_users>` on the instance
 -   **Funcs**: manage and call stored functions
 -   **Metrics**: view instance metrics
 
