Manage user roles through the Container Cloud web UI¶
If you are assigned the global-admin
role, you can manage the
IAM*RoleBinding
objects through the Container Cloud web UI. The possibility
to manage project role bindings using the operator
role will become
available in one of the following Container Cloud releases.
To add or remove a role binding using the Container Cloud web UI:
Log in to the Container Cloud web UI as
global-admin
.In the left-side navigation panel, click Users to open the active users list and view the number and types of bindings for each user. Click on a user name to open the details page with the user Role Bindings.
Select from the following options:
To add a new binding:
Click Create Role Binding.
In the window that opens, configure the following fields:
Parameter
Description
Role
global-admin
Manage all types of role bindings for all users
management-admin
Since MCC 2.25.0 (17.0.0 and 16.0.0)Have full access to the management cluster
bm-pool-operator
Manage bare metal hosts of a particular namespace
operator
Manage Container Cloud API and Ceph-related objects in a particular project, create clusters and machines, have full access to Kubernetes clusters and StackLight APIs deployed by anyone in this project
Manage role bindings in the current namespace for users who require the
bm-pool-operator
,operator
, oruser
role
user
Manage infrastructure of a particular project with access to live statuses of the project cluster machines to monitor cluster health
cluster-admin
Have admin access to Kubernetes clusters and StackLight components of a particular cluster and project
stacklight-admin
Have admin access to the StackLight components of a particular Kubernetes cluster deployed in a particular project to monitor the cluster health.
Binding type
- Global
Bind a role globally, not limited to a specific project or cluster. By default,
global-admin
has the global binding type.You can bind any role globally. For example, you can change the default project binding of the
operator
role to apply this role globally, to all existing and new projects.
- Project
Bind a role to a specific project. If selected, also define the Project name that the binding is assigned to.
By default, the following IAM roles have the project binding type:
bm-pool-operator
,operator
, anduser
. You can bind any role to a project except theglobal-admin
one.
- Cluster
Bind a role to a specific cluster. If selected, also define the Project and Cluster name that the binding is assigned to. You can bind only the
cluster-admin
andstacklight-admin
roles to a cluster.
To remove a binding, click the Delete action icon located in the last column of the required role binding.
Bindings that have the
external
flag set totrue
will be synced back from Keycloak during the nextuser-controller
reconciliation. Therefore, manage such bindings through Keycloak.