Updated on 2022-10-14 GMT+08:00

Permissions Templates

A permission template is a named collection of predefined permissions that supports fine-grained authorization at the resource level. Attaching a template to a permission policy grants the template's operations in one step instead of selecting them one by one. Currently, UCS provides three default permission templates:

  • Admin Permission Template: has operation permissions on all cluster resources, including cluster permission management.
  • Developer Permission Template: has read and write permissions on most namespaced resources (such as Deployments, Pods, Secrets, Ingresses, and ConfigMaps) in all namespaces, and read-only permission on nodes, storage volumes, namespaces, and quota management. Cluster permission management is not included.
  • ReadOnly Permission Template: has read-only permission on all resources. Read-only access still includes querying Secrets, which returns their contents, so this template is not harmless for sensitive namespaces.

Default Permission Templates

Table 1 lists the common operations that each default permission template permits.

Table 1 Operations permitted by the default permission templates (√ = permitted, × = not permitted)

Operation                                                               | Admin | Developer | ReadOnly
Querying Peer Information                                               |   √   |     √     |    √
Managing Cluster Nodes                                                  |   √   |     ×     |    ×
Managing Namespaces (Creating, Deleting, and Managing Quotas)           |   √   |     ×     |    ×
Querying a Namespace                                                    |   √   |     √     |    √
Managing workload lifecycles (creation, upgrade, scaling, and deletion) |   √   |     √     |    ×
Viewing workload details                                                |   √   |     √     |    √
Creating and deleting storage volumes                                   |   √   |     ×     |    ×
Querying Storage Volumes                                                |   √   |     √     |    √
Creating, updating, and deleting Services                               |   √   |     √     |    ×
Reading a Service                                                       |   √   |     √     |    √
Creating, Updating, and Deleting Ingresses                              |   √   |     √     |    ×
Reading an Ingress                                                      |   √   |     √     |    √
Creating, Updating, and Deleting ConfigMaps                             |   √   |     √     |    ×
Querying ConfigMaps                                                     |   √   |     √     |    √
Creating or deleting a Secret                                           |   √   |     √     |    ×
Querying a Secret                                                       |   √   |     √     |    √

Two rows deserve attention when choosing a template: only the Admin template can change nodes, namespaces, quotas, and storage volumes, while all three templates, including ReadOnly, can query Secrets, and querying a Secret returns its contents. If a user only needs to watch deployments, a custom template (see below) scoped to the relevant namespaces and resource types is a tighter fit than the ReadOnly template.

Adding a Template

UCS also lets you define custom permission templates so that a permission policy can be built from a reusable, narrowly scoped set of rules rather than from one of the broad defaults.

  1. Log in to the UCS console. In the navigation pane, choose Permission Policies.
  2. Click Add Template, as shown in Figure 1.

    Figure 1 Adding a template

  3. Enter the template information, as shown in Figure 2.

    Figure 2 Entering information in the template
    • Mode: Custom or Use existing. With Use existing, you select an existing template as the starting point and then modify its permission rules, which is the quickest way to derive a narrower template from one of the defaults.
    • Template Name: the name of the user-defined template. It must start with a lowercase letter, consist of lowercase letters, digits, and hyphens (-), and must not end with a hyphen.
    • Permission Rule: a template can contain multiple operation configurations (rules); each rule combines the three settings below.
      • Available Operations: the operations that users with the policy may perform; multiple operations can be selected. get, list, and watch are read operations; create, update, patch, and delete modify resources.
        • *: all of the operations below, including delete.
        • get: retrieves a single resource object by name.
        • list: retrieves all resource objects of a type in the namespace; a selector can be used to return only matching resources.
        • watch: subscribes to change notifications for resources, so the caller is told when matching objects are created, modified, or deleted.
        • create: creates a resource.
        • update: replaces a resource in full.
        • patch: applies a partial update to a resource.
        • delete: deletes a resource.
      • Specify Namespace: the namespaces in which the rule applies; multiple namespaces can be selected. Keep this as narrow as the workload needs, since the rule grants the selected operations on every selected resource type in every selected namespace.
      • Specified Resources: the cluster resource types the rule applies to; multiple resource types can be selected. For the available resource types, see Table 2.
    • Description: a description of the permission template.

  4. Click Confirm to create the permission template.
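The following is an added example, not UCS code, that models how a template built from the rules above is evaluated: each rule is a set of operations on a set of resource types in a set of namespaces, the three default templates from Table 1 are encoded in that form, and a small review function flags the grants a least-privilege check would question before the template is bound to a policy. The resource identifiers (deployments, secrets, nodes, ...), the use of "*" for "all namespaces", the assumption that rules are purely additive, and the review checks themselves are this example's own assumptions, not documented UCS behaviour.

```python
"""Toy model of a UCS-style permission template (added example, not UCS code).

A template is a list of rules; each rule grants a set of operations on a set of
resource types within a set of namespaces. Resource identifiers, the "*"
wildcard for namespaces, and the additive evaluation are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# The seven operations offered in the console; "*" stands for all of them.
VERBS = frozenset({"get", "list", "watch", "create", "update", "patch", "delete"})
READ_VERBS = frozenset({"get", "list", "watch"})
WRITE_VERBS = VERBS - READ_VERBS


@dataclass(frozen=True)
class Rule:
    """One Permission Rule entry: operations x resources x namespaces."""
    verbs: FrozenSet[str]
    resources: FrozenSet[str]
    namespaces: FrozenSet[str]

    def allows(self, verb: str, resource: str, namespace: str) -> bool:
        # A request matches only if all three dimensions match; "*" matches anything.
        return ((verb in self.verbs or "*" in self.verbs)
                and (resource in self.resources or "*" in self.resources)
                and (namespace in self.namespaces or "*" in self.namespaces))


def rule(verbs: Iterable[str], resources: Iterable[str],
         namespaces: Iterable[str] = ("*",)) -> Rule:
    return Rule(frozenset(verbs), frozenset(resources), frozenset(namespaces))


@dataclass
class Template:
    name: str
    rules: List[Rule]

    def allows(self, verb: str, resource: str, namespace: str = "default") -> bool:
        # Assumption: rules are additive (no deny rule), so any matching rule grants access.
        return any(r.allows(verb, resource, namespace) for r in self.rules)


# The three default templates, encoded from Table 1 (resource names assumed).
WORKLOADS = ("deployments", "pods")
DEV_READ_WRITE = WORKLOADS + ("services", "ingresses", "configmaps", "secrets")
DEV_READ_ONLY = ("nodes", "namespaces", "resourcequotas", "persistentvolumeclaims")

ADMIN = Template("admin", [rule(["*"], ["*"])])
DEVELOPER = Template("developer", [rule(VERBS, DEV_READ_WRITE),
                                   rule(READ_VERBS, DEV_READ_ONLY)])
READONLY = Template("readonly", [rule(READ_VERBS, ["*"])])


def lint(template: Template) -> List[str]:
    """Least-privilege review of a template before it is bound to a policy.
    The three checks are this example's own, not a UCS feature."""
    findings = []
    for r in template.rules:
        verbs = VERBS if "*" in r.verbs else r.verbs
        scope = "all namespaces" if "*" in r.namespaces else ", ".join(sorted(r.namespaces))
        if verbs == VERBS and "*" in r.resources and "*" in r.namespaces:
            findings.append("rule is equivalent to the Admin template")
        if ("secrets" in r.resources or "*" in r.resources) and verbs & READ_VERBS:
            # get/list on Secrets returns their contents, so read-only is not harmless here.
            findings.append(f"can read Secret contents in {scope}")
        if verbs & WRITE_VERBS and r.resources & {"nodes", "namespaces", "*"}:
            findings.append(f"can modify cluster-scoped resources (nodes, namespaces) in {scope}")
    return findings


if __name__ == "__main__":
    for t in (ADMIN, DEVELOPER, READONLY):
        print(t.name, "delete nodes:", t.allows("delete", "nodes"),
              "get secrets:", t.allows("get", "secrets"), "|", lint(t))
    # A custom template derived from Developer and narrowed to one namespace (hypothetical).
    ci = Template("ci-deployer",
                  [rule(["get", "list", "create", "patch"], ["deployments"], ["ci"])])
    print(ci.name, ci.allows("patch", "deployments", "ci"),
          ci.allows("patch", "deployments", "prod"), lint(ci))
```

Running the script shows the point of the table note: the ReadOnly template is flagged for Secret access in every namespace, whereas the hypothetical ci-deployer template, built the way the Use existing mode encourages, can patch Deployments only in the ci namespace and raises no finding.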