Configuring Permissions
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB demo environment
✓ Deploy the Istio Bookinfo sample app
✓ Create a Tenant
✓ Create a Workspace
✓ Create Config Groups
In this scenario, you will use the different AccessBindings to configure two access policies:
- A policy that grants a team full access to a Workspace. The members of the team will be able to create and fully manage the resources in that Workspace, but won't be able to modify the Workspace object itself. This is achieved by using the Creator role.
- A policy that grants a specific user write permissions to a Group. The user will be able to modify the settings for that group and its contained configuration objects but won't be able to create new resources or delete the existing ones. This is achieved by using the Writer role.
Using the UI
- Under Tenant on the left panel, select Workspaces.
- Click the desired Workspace to access its details page.
- Click the Policy tab.
- To see the list of teams, select the By Teams option.
- The list of existing teams will appear.
- Scroll to the desired one and click the Edit icon on the right.
- Select the Creator role.
- Click the Save Changes button at the bottom right.
To grant write permissions to a user to a specific config group, repeat the same process for the Group:
- Navigate to the Group’s Policy tab.
- Use the By Users view to find the desired User.
- Click the Edit icon and select the Writer role.
- Click the Save Changes button at the bottom right.
Using tctl
Create the following access-policy.yaml file with the WorkspaceAccessBinding and the TrafficAccessBinding objects:
apiVersion: rbac.tsb.tetrate.io/v2
kind: WorkspaceAccessBindings
metadata:
  organization: tetrate
  tenant: tetrate
  workspace: bookinfo-ws
spec:
  allow:
  - role: rbac/creator
    subjects:
    # Change the name of the team to the desired one
    - team: organizations/tetrate/teams/application-team
---
apiVersion: rbac.tsb.tetrate.io/v2
kind: TrafficAccessBindings
metadata:
  organization: tetrate
  tenant: tetrate
  workspace: bookinfo-ws
  group: bookinfo-traffic
spec:
  allow:
  - role: rbac/writer
    subjects:
    # Change the name of the user to the desired one
    - user: organizations/tetrate/users/group-user
Apply with tctl:
tctl apply -f access-policy.yaml
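As an added example that is not part of the TSB documentation or product, the following Python models the two policies described above and the bindings in access-policy.yaml, so the resulting permissions can be reviewed before the file is applied. The verbs attributed to each role, the scope-path representation and the "some-setting" object are assumptions made for this example.

```python
# Added example (not from the TSB docs): a small model of the two bindings in
# access-policy.yaml, to review what each subject may do at each scope. The verbs
# each role grants are an ASSUMPTION taken from this page's description of the
# Creator and Writer roles, not TSB's own RBAC definitions.

# Verbs on objects contained in the binding's scope vs. on the scope object
# itself (the Workspace or Group the binding is attached to).
ROLE_VERBS = {
    "rbac/creator": {"contained": {"create", "read", "update", "delete"},
                     "self": {"read"}},           # cannot modify the Workspace
    "rbac/writer":  {"contained": {"read", "update"},
                     "self": {"read", "update"}},  # cannot create or delete
}

# Constructed from the page's YAML. A scope is a path from the Workspace down:
# ("bookinfo-ws",) is the Workspace, ("bookinfo-ws", "bookinfo-traffic") the Group.
BINDINGS = [
    {"scope": ("bookinfo-ws",), "allow": [{"role": "rbac/creator",
        "subjects": {"organizations/tetrate/teams/application-team"}}]},
    {"scope": ("bookinfo-ws", "bookinfo-traffic"), "allow": [{"role": "rbac/writer",
        "subjects": {"organizations/tetrate/users/group-user"}}]},
]

def effective_verbs(subject, target, bindings=BINDINGS):
    """Union of verbs that matching bindings grant `subject` on `target` (a scope
    path). A binding applies when its scope is a prefix of the target: equal paths
    mean the scope object itself, longer paths mean something contained in it."""
    verbs = set()
    for binding in bindings:
        scope = binding["scope"]
        if target[:len(scope)] != scope:
            continue
        kind = "self" if len(target) == len(scope) else "contained"
        for rule in binding["allow"]:
            if subject in rule["subjects"]:
                verbs |= ROLE_VERBS[rule["role"]][kind]
    return verbs

def can(subject, verb, target, bindings=BINDINGS):
    return verb in effective_verbs(subject, target, bindings)

if __name__ == "__main__":
    team = "organizations/tetrate/teams/application-team"
    user = "organizations/tetrate/users/group-user"
    setting = ("bookinfo-ws", "bookinfo-traffic", "some-setting")  # constructed
    print("team creates in group:", can(team, "create", setting))          # True
    print("team updates workspace:", can(team, "update", ("bookinfo-ws",)))  # False
    print("user updates setting:", can(user, "update", setting))           # True
    print("user deletes setting:", can(user, "delete", setting))           # False
```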