Role

Role is a named collection of permissions that can be assigned to any user or team in the system. The set of actions a user can perform, such as creating, deleting, or updating configuration, depends on the permissions associated with the user's role. Roles are global resources that are defined once. AccessBindings in each configuration group bind a user to a specific role defined a priori.
TSB comes with the following predefined roles:
Role | Permissions | Description |
---|---|---|
rbac/admin | * | Grants full access to the target resource and its child objects |
rbac/editor | Read, Write, Create | Grants read/write access to a resource and allows creating child resources |
rbac/creator | Read, Create | Useful to delegate access to a resource without giving write access to the object itself. Users with this role will be able to manage sub-resources but not the resource itself |
rbac/writer | Read, Write | Grants read and write access permissions |
rbac/reader | Read | Grants read-only permissions to a resource |
The following example declares a custom workspace-admin role with the ability to create and delete configurations and to set RBAC policies on the groups within the workspace.
```yaml
apiVersion: rbac.tsb.tetrate.io/v2
kind: Role
metadata:
  name: role1
spec:
  rules:
    - types:
        - apiGroup: api.tsb.tetrate.io/v2
          kinds:
            - WorkspaceSetting
      permissions:
        - CREATE
        - READ
        - DELETE
        - WRITE
        - SET_POLICY
```
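To make the model above concrete, here is an added example (written for this page, not TSB's own code) that evaluates a Role the way the text describes: each Rule pairs ResourceTypes (apiGroup and kinds) with permissions, the predefined rbac/* roles are modelled as a wildcard ResourceType (an assumption; the page lists only their permissions), and a constructed binding map of the form group -> role -> subjects stands in for AccessBindings, whose real schema is not on this page. It also flags permission names that are not among the five used in the YAML example, which is the check a reviewer of a custom role usually wants.

```python
"""Evaluate TSB-style Role definitions against a request.

Added example for this page, not TSB's own code. Role, Rule and ResourceType
follow the reference tables on this page; the AccessBinding shape
(group -> role name -> subjects) is an assumption used only to show how a
binding resolves to a role.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# Permission names used by the Role example on this page.
KNOWN_PERMISSIONS = {"CREATE", "READ", "DELETE", "WRITE", "SET_POLICY"}
WILDCARD = "*"


@dataclass
class ResourceType:
    api_group: str            # ResourceType.apiGroup
    kinds: FrozenSet[str]     # ResourceType.kinds

    def matches(self, api_group: str, kind: str) -> bool:
        group_ok = self.api_group in (WILDCARD, api_group)
        kind_ok = WILDCARD in self.kinds or kind in self.kinds
        return group_ok and kind_ok


@dataclass
class Rule:
    types: List[ResourceType]     # Rule.types
    permissions: FrozenSet[str]   # Rule.permissions; "*" grants everything


@dataclass
class Role:
    name: str
    rules: List[Rule]

    def allows(self, api_group: str, kind: str, permission: str) -> bool:
        """True if any rule grants `permission` on (api_group, kind)."""
        for rule in self.rules:
            if not any(t.matches(api_group, kind) for t in rule.types):
                continue
            if WILDCARD in rule.permissions or permission in rule.permissions:
                return True
        return False


def unknown_permissions(role: Role) -> Set[str]:
    """Permission names that are neither known nor the wildcard.

    A misspelled permission never grants what the author intended, so a role
    review should surface these before the Role is applied."""
    found: Set[str] = set()
    for rule in role.rules:
        found |= set(rule.permissions) - KNOWN_PERMISSIONS - {WILDCARD}
    return found


def predefined(name: str, perms: Iterable[str]) -> Role:
    # Assumption: the predefined rbac/* roles apply to whatever resource the
    # binding targets, modelled here as a wildcard ResourceType.
    any_type = ResourceType(WILDCARD, frozenset({WILDCARD}))
    return Role(name, [Rule([any_type], frozenset(perms))])


PREDEFINED: Dict[str, Role] = {
    "rbac/admin": predefined("rbac/admin", {WILDCARD}),
    "rbac/editor": predefined("rbac/editor", {"READ", "WRITE", "CREATE"}),
    "rbac/creator": predefined("rbac/creator", {"READ", "CREATE"}),
    "rbac/writer": predefined("rbac/writer", {"READ", "WRITE"}),
    "rbac/reader": predefined("rbac/reader", {"READ"}),
}

# The custom role from the YAML example on this page.
ROLE1 = Role("role1", [
    Rule(
        types=[ResourceType("api.tsb.tetrate.io/v2", frozenset({"WorkspaceSetting"}))],
        permissions=frozenset({"CREATE", "READ", "DELETE", "WRITE", "SET_POLICY"}),
    )
])

# Constructed bindings: group -> role name -> subjects (shape is an assumption).
BINDINGS: Dict[str, Dict[str, Set[str]]] = {
    "group-a": {"role1": {"alice"}, "rbac/reader": {"bob"}},
}


def is_allowed(user: str, group: str, api_group: str, kind: str, permission: str) -> bool:
    """Union of every role bound to `user` in `group`; no binding means deny."""
    roles = {**PREDEFINED, "role1": ROLE1}
    for role_name, subjects in BINDINGS.get(group, {}).items():
        if user in subjects and roles[role_name].allows(api_group, kind, permission):
            return True
    return False


if __name__ == "__main__":
    print(is_allowed("alice", "group-a", "api.tsb.tetrate.io/v2", "WorkspaceSetting", "SET_POLICY"))
    print(is_allowed("bob", "group-a", "api.tsb.tetrate.io/v2", "WorkspaceSetting", "WRITE"))
```

Evaluation is deny-by-default: a subject with no binding in the group, or a bound role whose ResourceType does not match the request, gets no access, and granting is the union of all matching bindings rather than the first one found.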
Role

Role is a named collection of permissions that can be assigned to any user or team in the system.

Field | Description | Validation Rule |
---|---|---|
rules | List of tetrateio.api.tsb.rbac.v2.Role.Rule | repeated = { |
ResourceType
The type of API resource for which the role is being created.
Field | Description | Validation Rule |
---|---|---|
apiGroup | string | string = { |
kinds | List of string | – |
Rule
A rule defines the set of api groups
Field | Description | Validation Rule |
---|---|---|
types | List of tetrateio.api.tsb.rbac.v2.Role.ResourceType | repeated = { |
permissions | List of tetrateio.api.tsb.rbac.v2.Permission | repeated = { |