Authorization

With Role-Based Access Control (RBAC) you can manage MKE 4k user permissions by assigning access rights based on predefined roles, rather than granting individual users specific permissions. Each role, whether one of the provided default roles or a custom role you create, is associated with certain privileges, and thus ensures that users can only access the information and perform actions that are necessary for their role. This structure makes administration significantly more efficient while also enhancing MKE 4k system security.

Role Structure

The role structure is built from organizations and teams. Permissions are assigned to organizations through grants, after which users or groups are placed within the various roles of the structure.

Accounts API

In MKE 4k, an accounts API is provided to interact with Kubernetes RBAC objects. This allows the API to manage organizations, teams, and permissions in a way that is consistent with Kubernetes best practices while simplifying the process for the user.

The diagram that follows illustrates the accounts API function using a simple role structure. Particular points that apply include:

  • The organization Mirantis has the Permission: view granted to it, meaning that teams, groups, and members therein all have the view permission.
  • The Dev team has the Permission: edit grant in addition to the Permission: view grant, meaning that everything within that team has the edit permission.
  • The QA and Prod teams both have individual users.

graph TD
    %% --- Define Subgraphs for layout ---
    subgraph "Grants"
        RoleView("Permission: view")
        RoleEdit("Permission: edit")
    end

    subgraph "Roles"
        Org("Org: Mirantis")
        TeamDev("Team: Dev")
        TeamQA("Team: QA")
        TeamProd("Team: Prod")
    end

    subgraph "Groups"
        G1("Group: engineers")
    end

    subgraph "Users/Members"
        U1("User: Alice")
        U2("User: Bob")
        U3("User: Charlie")
    end

    %% --- Relationships ---
    %% Org Structure
    Org --> TeamDev
    Org --> TeamQA
    Org --> TeamProd

    %% Grants
    RoleView --> Org
    RoleEdit --> TeamDev

    %% Memberships (Top-Down Flow)
    TeamDev --> G1
    TeamQA --> U1
    TeamQA --> U2
    TeamProd --> U3

    %% --- Styles ---
    %% Darker Style with professional borders
    style Org fill:#2E8B57,stroke:#0a2e4c,stroke-width:2px,color:#000
    style TeamDev fill:#3CB371,stroke:#0a2e4c,stroke-width:2px,color:#000
    style TeamQA fill:#3CB371,stroke:#0a2e4c,stroke-width:2px,color:#000
    style TeamProd fill:#3CB371,stroke:#0a2e4c,stroke-width:2px,color:#000
    style RoleView fill:#E9967A,stroke:#0a2e4c,stroke-width:2px,color:#000
    style RoleEdit fill:#E9967A,stroke:#0a2e4c,stroke-width:2px,color:#000
    style G1 fill:#9370DB,stroke:#0a2e4c,stroke-width:2px,color:#000
    style U1 fill:#66b5ff,stroke:#0a2e4c,stroke-width:2px,color:#000
    style U2 fill:#66b5ff,stroke:#0a2e4c,stroke-width:2px,color:#000
    style U3 fill:#66b5ff,stroke:#0a2e4c,stroke-width:2px,color:#000

    %% Style the grant links to be Mirantis blue
    linkStyle 3 stroke:#007bff,stroke-width:2px
    linkStyle 4 stroke:#007bff,stroke-width:2px
    %% Style the membership links to be red
    linkStyle 5 stroke:#dc3545,stroke-width:2px
    linkStyle 6 stroke:#dc3545,stroke-width:2px
    linkStyle 7 stroke:#dc3545,stroke-width:2px
    linkStyle 8 stroke:#dc3545,stroke-width:2px
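
The grant inheritance described in the points above can be checked with a small model. This Python sketch is an added example, not MKE 4k code and not the accounts API: the `org:`/`team:`/`group:`/`user:` node names, the dictionaries, and both functions are assumptions built from the diagram. It resolves the effective permissions of every node and answers the audit question of which subjects end up holding a given permission.

```python
# Constructed from the diagram: parent -> children (org -> teams -> groups/users).
CHILDREN = {
    "org:Mirantis": ["team:Dev", "team:QA", "team:Prod"],
    "team:Dev": ["group:engineers"],
    "team:QA": ["user:Alice", "user:Bob"],
    "team:Prod": ["user:Charlie"],
}

# Constructed from the diagram: grants attached directly to a node.
GRANTS = {
    "org:Mirantis": {"view"},
    "team:Dev": {"edit"},
}


def effective_permissions(children, grants, root):
    """Walk down from root; each node gets its own grants plus all inherited ones."""
    result = {}

    def walk(node, inherited, path):
        if node in path:
            raise ValueError(f"membership cycle at {node}")
        perms = inherited | grants.get(node, set())
        # A subject reachable through several parents accumulates the union.
        result.setdefault(node, set()).update(perms)
        for child in children.get(node, []):
            walk(child, perms, path | {node})

    walk(root, set(), frozenset())
    return result


def holders(effective, permission, kinds=("user", "group")):
    """Users and groups that end up with the permission, sorted for stable review."""
    return sorted(
        node for node, perms in effective.items()
        if permission in perms and node.split(":", 1)[0] in kinds
    )


if __name__ == "__main__":
    eff = effective_permissions(CHILDREN, GRANTS, "org:Mirantis")
    for node in sorted(eff):
        print(f"{node:18} {sorted(eff[node])}")
    print("edit holders:", holders(eff, "edit"))
```

Running the same resolution before and after a proposed grant change shows which subjects gain a permission, which is the review step that catches a grant placed too high in the structure.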