From 34d0377aa3f4b5e98c3780b71a34e160d21b922a Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 1 Dec 2023 14:17:57 +0100 Subject: [PATCH 1/8] feat: Advanced authorization Signed-off-by: Anatolii Bazko --- modules/administration-guide/nav.adoc | 1 + .../configuring-advanced-authorization.adoc | 49 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 modules/administration-guide/pages/configuring-advanced-authorization.adoc diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc index b1312d9fae..c2f27baae0 100644 --- a/modules/administration-guide/nav.adoc +++ b/modules/administration-guide/nav.adoc @@ -73,6 +73,7 @@ **** xref:configuring-oauth-1-for-a-bitbucket-server.adoc[] **** xref:configuring-oauth-2-for-microsoft-azure-devops-services.adoc[] *** xref:configuring-cluster-roles-for-users.adoc[] +*** xref:configuring-advanced-authorization.adoc[] *** xref:removing-user-data-in-compliance-with-the-gdpr.adoc[] * xref:managing-ide-extensions.adoc[] ** xref:extensions-for-microsoft-visual-studio-code-open-source.adoc[] diff --git a/modules/administration-guide/pages/configuring-advanced-authorization.adoc b/modules/administration-guide/pages/configuring-advanced-authorization.adoc new file mode 100644 index 0000000000..b24eedfb32 --- /dev/null +++ b/modules/administration-guide/pages/configuring-advanced-authorization.adoc 
@@ -0,0 +1,49 @@ +:_content-type: PROCEDURE +:description: Configuring advanced authorization +:keywords: authorization, user, group +:navtitle: Configuring advanced authorization +// :page-aliases: + +[id="configuring-advanced-authorization"] += Configuring advanced authorization + +You can determine which users and groups are allowed to access {prod-short}. + +.Prerequisites + +* An active `{orch-cli}` session with administrative permissions to the destination {orch-name} cluster. See {orch-cli-link}. + +.Procedure + +. Configure the `CheCluster` Custom Resource. See xref:using-the-cli-to-configure-the-checluster-custom-resource.adoc[]. ++ +[source,yaml,subs="+quotes,+attributes"] +---- +spec: + networking: + auth: + advancedAuthorization: + allowUsers: + - ____ <1> + allowGroups: + - ____ <2> + denyUsers: + - ____ <3> + denyGroups: + - ____ <4> +---- +<1> List of users allowed to access {prod}. +<2> List of groups of users allowed to access {prod} (for {ocp} only). +<3> List of users denied access to {prod}. +<4> List of groups of users denied to access {prod} (for {ocp} only). ++ +To allow a user to access {prod-short}, add him to the `allowUsers` list or a group where he is member of to `allowGroups` list. +To deny a user to access {prod-short}, add him to the `denyUsers` list or a group where he is member of to `denyGroups` list. +If user is in both `allow` and `deny` lists, then he is denied access to {prod-short}. ++ +If `allowUsers` and `allowGroups` are empty, then all users are allowed to access {prod-short} except ones from `deny` lists. +if `denyUsers` and `denyGroups` are empty, then only users from `allow` lists are allowed to access {prod-short}. ++ +If `allow` and `deny` lists are empty, then all users are allowed to access {prod-short}. + +. Wait for the rollout of the {prod-short} server components to be completed. From f2968ad132171c8b2fd2c2d8c7ae67bca9104a80 Mon Sep 17 00:00:00 2001 
From: Anatolii Bazko Date: Fri, 1 Dec 2023 15:35:28 +0100 Subject: [PATCH 2/8] Update modules/administration-guide/pages/configuring-advanced-authorization.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-advanced-authorization.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-advanced-authorization.adoc b/modules/administration-guide/pages/configuring-advanced-authorization.adoc index b24eedfb32..19090e1511 100644 --- a/modules/administration-guide/pages/configuring-advanced-authorization.adoc +++ b/modules/administration-guide/pages/configuring-advanced-authorization.adoc @@ -37,7 +37,7 @@ spec: <3> List of users denied access to {prod}. <4> List of groups of users denied to access {prod} (for {ocp} only). + -To allow a user to access {prod-short}, add him to the `allowUsers` list or a group where he is member of to `allowGroups` list. +To allow a user to access {prod-short}, add them to the `allowUsers` list. Alternatively, choose a group the user is a member of and add the group to the `allowGroups` list. To deny a user to access {prod-short}, add him to the `denyUsers` list or a group where he is member of to `denyGroups` list. If user is in both `allow` and `deny` lists, then he is denied access to {prod-short}. + From a265611f8db145494cc1539a394366c983a6dff4 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 1 Dec 2023 15:35:33 +0100 Subject: [PATCH 3/8] Update modules/administration-guide/pages/configuring-advanced-authorization.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-advanced-authorization.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-advanced-authorization.adoc b/modules/administration-guide/pages/configuring-advanced-authorization.adoc index 19090e1511..39638476bf 100644 --- a/modules/administration-guide/pages/configuring-advanced-authorization.adoc 
+++ b/modules/administration-guide/pages/configuring-advanced-authorization.adoc @@ -39,7 +39,7 @@ spec: + To allow a user to access {prod-short}, add them to the `allowUsers` list. Alternatively, choose a group the user is a member of and add the group to the `allowGroups` list. To deny a user to access {prod-short}, add him to the `denyUsers` list or a group where he is member of to `denyGroups` list. -If user is in both `allow` and `deny` lists, then he is denied access to {prod-short}. +If the user is on both `allow` and `deny` lists, they are denied access to {prod-short}. + If `allowUsers` and `allowGroups` are empty, then all users are allowed to access {prod-short} except ones from `deny` lists. if `denyUsers` and `denyGroups` are empty, then only users from `allow` lists are allowed to access {prod-short}. From 86353f81573eb98bd2a7aed23b3657b8b0a11e26 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 1 Dec 2023 15:35:38 +0100 Subject: [PATCH 4/8] Update modules/administration-guide/pages/configuring-advanced-authorization.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-advanced-authorization.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-advanced-authorization.adoc b/modules/administration-guide/pages/configuring-advanced-authorization.adoc index 39638476bf..462e21c948 100644 --- a/modules/administration-guide/pages/configuring-advanced-authorization.adoc +++ b/modules/administration-guide/pages/configuring-advanced-authorization.adoc 
@@ -38,7 +38,7 @@ spec: <4> List of groups of users denied to access {prod} (for {ocp} only). + To allow a user to access {prod-short}, add them to the `allowUsers` list. Alternatively, choose a group the user is a member of and add the group to the `allowGroups` list. -To deny a user to access {prod-short}, add him to the `denyUsers` list or a group where he is member of to `denyGroups` list. +To deny a user access to {prod-short}, add them to the `denyUsers` list. Alternatively, choose a group the user is a member of and add the group to the `denyGroups` list. If the user is on both `allow` and `deny` lists, they are denied access to {prod-short}. + If `allowUsers` and `allowGroups` are empty, then all users are allowed to access {prod-short} except ones from `deny` lists. From 4c036b6ff0fea7f697672e632b407648ae03192b Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 1 Dec 2023 15:35:44 +0100 Subject: [PATCH 5/8] Update modules/administration-guide/pages/configuring-advanced-authorization.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-advanced-authorization.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-advanced-authorization.adoc b/modules/administration-guide/pages/configuring-advanced-authorization.adoc index 462e21c948..0aad2240b8 100644 --- a/modules/administration-guide/pages/configuring-advanced-authorization.adoc +++ b/modules/administration-guide/pages/configuring-advanced-authorization.adoc 
@@ -41,7 +41,7 @@ To allow a user to access {prod-short}, add them to the `allowUsers` list. Alter To deny a user access to {prod-short}, add them to the `denyUsers` list. Alternatively, choose a group the user is a member of and add the group to the `denyGroups` list. If the user is on both `allow` and `deny` lists, they are denied access to {prod-short}. + -If `allowUsers` and `allowGroups` are empty, then all users are allowed to access {prod-short} except ones from `deny` lists. +If `allowUsers` and `allowGroups` are empty, all users are allowed to access {prod-short} except the ones on the `deny` lists. if `denyUsers` and `denyGroups` are empty, then only users from `allow` lists are allowed to access {prod-short}. + If `allow` and `deny` lists are empty, then all users are allowed to access {prod-short}. From 9eba57a9c6a52e57456ca9768b3948c6e8a0b9ef Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 1 Dec 2023 15:35:48 +0100 Subject: [PATCH 6/8] Update modules/administration-guide/pages/configuring-advanced-authorization.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-advanced-authorization.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-advanced-authorization.adoc b/modules/administration-guide/pages/configuring-advanced-authorization.adoc index 0aad2240b8..52d8991fc6 100644 --- a/modules/administration-guide/pages/configuring-advanced-authorization.adoc +++ b/modules/administration-guide/pages/configuring-advanced-authorization.adoc 
@@ -42,7 +42,7 @@ To deny a user access to {prod-short}, add them to the `denyUsers` list. Alterna If the user is on both `allow` and `deny` lists, they are denied access to {prod-short}. + If `allowUsers` and `allowGroups` are empty, all users are allowed to access {prod-short} except the ones on the `deny` lists. -if `denyUsers` and `denyGroups` are empty, then only users from `allow` lists are allowed to access {prod-short}. +If `denyUsers` and `denyGroups` are empty, only the users from `allow` lists are allowed to access {prod-short}. + If `allow` and `deny` lists are empty, then all users are allowed to access {prod-short}. From 223c1b24409dcfea8d4ee2300f111745d096eee1 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Fri, 1 Dec 2023 15:35:53 +0100 Subject: [PATCH 7/8] Update modules/administration-guide/pages/configuring-advanced-authorization.adoc Co-authored-by: Jana Vrbkova --- .../pages/configuring-advanced-authorization.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-advanced-authorization.adoc b/modules/administration-guide/pages/configuring-advanced-authorization.adoc index 52d8991fc6..58a544dfd5 100644 --- a/modules/administration-guide/pages/configuring-advanced-authorization.adoc +++ b/modules/administration-guide/pages/configuring-advanced-authorization.adoc @@ -44,6 +44,6 @@ If the user is on both `allow` and `deny` lists, they are denied access to {prod If `allowUsers` and `allowGroups` are empty, all users are allowed to access {prod-short} except the ones on the `deny` lists. If `denyUsers` and `denyGroups` are empty, only the users from `allow` lists are allowed to access {prod-short}. + -If `allow` and `deny` lists are empty, then all users are allowed to access {prod-short}. +If both `allow` and `deny` lists are empty, all users are allowed to access {prod-short}. . Wait for the rollout of the {prod-short} server components to be completed. 
From 33bb9c3746e96f4ca5dd439e4d7abb2b2c9c14e6 Mon Sep 17 00:00:00 2001 From: Jana Vrbkova Date: Mon, 4 Dec 2023 13:22:56 +0100 Subject: [PATCH 8/8] file edited --- .../pages/configuring-advanced-authorization.adoc | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/administration-guide/pages/configuring-advanced-authorization.adoc b/modules/administration-guide/pages/configuring-advanced-authorization.adoc index 58a544dfd5..410e37d516 100644 --- a/modules/administration-guide/pages/configuring-advanced-authorization.adoc +++ b/modules/administration-guide/pages/configuring-advanced-authorization.adoc @@ -37,13 +37,18 @@ spec: <3> List of users denied access to {prod}. <4> List of groups of users denied to access {prod} (for {ocp} only). + +. Wait for the rollout of the {prod-short} server components to be completed. + +[NOTE] +==== + To allow a user to access {prod-short}, add them to the `allowUsers` list. Alternatively, choose a group the user is a member of and add the group to the `allowGroups` list. To deny a user access to {prod-short}, add them to the `denyUsers` list. Alternatively, choose a group the user is a member of and add the group to the `denyGroups` list. If the user is on both `allow` and `deny` lists, they are denied access to {prod-short}. -+ + If `allowUsers` and `allowGroups` are empty, all users are allowed to access {prod-short} except the ones on the `deny` lists. If `denyUsers` and `denyGroups` are empty, only the users from `allow` lists are allowed to access {prod-short}. -+ + If both `allow` and `deny` lists are empty, all users are allowed to access {prod-short}. -. Wait for the rollout of the {prod-short} server components to be completed. +====
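Review bot: In PATCH 1/8, the rules under the YAML block in the new configuring-advanced-authorization.adoc leave one access-control case undefined. Callouts <2> and <4> mark `allowGroups` and `denyGroups` as "for {ocp} only", but the text never says how those fields are treated on other clusters. That matters because of the rule "If `allowUsers` and `allowGroups` are empty, then all users are allowed": an administrator who sets only `allowGroups` on a non-{ocp} cluster cannot tell from this page whether access is still restricted. Please state the behaviour explicitly. Please also say what form a user or group entry takes, since the placeholders appear here only as `____`. Separately, "denied to access" in callout <4> should read "denied access to", matching callout <3>.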
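Review bot: In PATCH 6/8, the reworded line "If `denyUsers` and `denyGroups` are empty, only the users from `allow` lists are allowed" holds only when at least one `allow` list is non-empty. Read on its own it contradicts the context line two below it, "If `allow` and `deny` lists are empty, then all users are allowed". Suggest stating the condition in the sentence itself, for example by starting it with "If only the `allow` lists are set". Also suggest "on the `allow` lists" to match "the ones on the `deny` lists" in the line above.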
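Review bot: In PATCH 8/8, the list continuation `+` kept as context after callout <4> now sits directly above the added `. Wait for the rollout` step rather than above a paragraph, so it no longer attaches anything to step 1. Remove it so the numbered list renders as intended. The `[NOTE]` block also now follows the last step, although it holds the precedence rules (a user on both lists is denied, empty lists allow everyone) that an administrator needs while filling in the lists in step 1. Consider placing it before `.Procedure` or keeping it attached to step 1. Callout <4> in the context lines still reads "denied to access".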