From 97dd7880e4752db12d140f4d8e692d0d27c95f19 Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Wed, 2 Oct 2024 14:22:48 +0545 Subject: [PATCH] docs: RBAC, identity mapper schema, identity schema --- .../docs/installation/_properties.mdx | 2 + .../_properties_identity_mapper.mdx | 82 ++++++++++++++++ .../docs/installation/self-hosted/oidc.mdx | 4 +- .../docs/reference/helm/mission-control.mdx | 96 +++++++++---------- mission-control/docs/reference/index.mdx | 6 +- mission-control/docs/reference/rbac.mdx | 18 ++++ 6 files changed, 153 insertions(+), 55 deletions(-) create mode 100644 mission-control/docs/installation/_properties_identity_mapper.mdx create mode 100644 mission-control/docs/reference/rbac.mdx diff --git a/mission-control/docs/installation/_properties.mdx b/mission-control/docs/installation/_properties.mdx index 8b71d519..0ba90936 100644 --- a/mission-control/docs/installation/_properties.mdx +++ b/mission-control/docs/installation/_properties.mdx @@ -4,6 +4,7 @@ import MissionControl from './_properties_mission_control.mdx' import Db from './_properties_db.mdx' import Agent from './_agent_properties.mdx' import Ingress from './_properties_ingress.mdx' +import IdentityMapper from './_properties_identity_mapper.mdx' {(!props.section || props.section == "mission-control") && } {( props.section == "agent") && } @@ -11,3 +12,4 @@ import Ingress from './_properties_ingress.mdx' {(!props.section || props.section == "db") && } {(!props.section || props.section == "auth") && } {(!props.section || props.section == "agent" || props.section == "security") && } +{(!props.section && props.section != "agent") && } diff --git a/mission-control/docs/installation/_properties_identity_mapper.mdx b/mission-control/docs/installation/_properties_identity_mapper.mdx new file mode 100644 index 00000000..29936bea --- /dev/null +++ b/mission-control/docs/installation/_properties_identity_mapper.mdx @@ -0,0 +1,82 @@ +### Identity Mapper + +The schema for the object to be returned by the identity mapper script. + + + + +#### Kratos Identity + + + +#### Kratos Identity Trait + + \ No newline at end of file diff --git a/mission-control/docs/installation/self-hosted/oidc.mdx b/mission-control/docs/installation/self-hosted/oidc.mdx index 3445ff1b..6a8ff9ca 100644 --- a/mission-control/docs/installation/self-hosted/oidc.mdx +++ b/mission-control/docs/installation/self-hosted/oidc.mdx @@ -72,7 +72,7 @@ See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more deta

5. Optionally, create a cel expression to map identities from the OIDC provider to a mission control role & team. - _Example_: the following script maps all Azure users in the "SRE" group to the "admin" role & everyone else to a "viewer" role. + The following script maps all Azure users in the `SRE` group to the `admin` role and everyone else to the `viewer` role. ```yaml apiVersion: v1 @@ -87,7 +87,7 @@ See [Providers](https://www.ory.sh/docs/kratos/social-signin/overview) more deta ```

- The cel expression is expected to return an object with a `role` & a `teams[]` fields. + See [Identity Mapper Schema](/reference/helm/mission-control#identity-mapper) & [RBAC](/reference/rbac) 6. Supply the identity mapper script to mission control. diff --git a/mission-control/docs/reference/helm/mission-control.mdx b/mission-control/docs/reference/helm/mission-control.mdx index 327dadf1..707bfa26 100644 --- a/mission-control/docs/reference/helm/mission-control.mdx +++ b/mission-control/docs/reference/helm/mission-control.mdx @@ -1,59 +1,59 @@ --- title: Mission Control --- -import Properties from '@site/docs/installation/_properties.mdx' - +import Properties from '@site/docs/installation/_properties.mdx' export const toc = [ - { - value: "Mission Control", - id: "mission-control", - level: 2, - }, - { - value: "Canary Checker", - id: "canary-checker", - level: 3, - }, - { - value: "Config DB", - id: "config-db", - level: 3, - }, - { - value: "Authentication", - id: "authentication", - level: 2, - }, - - { - value: "Ingress", - id: "ingress", - level:2, - }, - { - value: "Database", - id: "database", - level: 2, - }, - { - value: "Custom postgres.conf", - id: "updating-postgresconf-settings", - level: 3, - }, - { - value: "Using an External DB", - id: "using-an-external-database", - level: 3, - }, - - - - - + { + value: 'Mission Control', + id: 'mission-control', + level: 2, + }, + { + value: 'Canary Checker', + id: 'canary-checker', + level: 3, + }, + { + value: 'Config DB', + id: 'config-db', + level: 3, + }, + { + value: 'Authentication', + id: 'authentication', + level: 2, + }, + + { + value: 'Ingress', + id: 'ingress', + level: 2, + }, + { + value: 'Database', + id: 'database', + level: 2, + }, + { + value: 'Custom postgres.conf', + id: 'updating-postgresconf-settings', + level: 3, + }, + { + value: 'Using an External DB', + id: 'using-an-external-database', + level: 3, + }, + { + value: 'Identity Mapper', + id: 'identity-mapper', + level: 2, + }, ] + ## Mission Control diff --git a/mission-control/docs/reference/index.mdx b/mission-control/docs/reference/index.mdx index b54b0307..ae60de14 100644 --- a/mission-control/docs/reference/index.mdx +++ b/mission-control/docs/reference/index.mdx @@ -1,9 +1,5 @@ --- title: Reference slug: /reference +sidebar_position: 0 --- - -{/* -import DocCardList from '@theme/DocCardList'; - - */} diff --git a/mission-control/docs/reference/rbac.mdx b/mission-control/docs/reference/rbac.mdx new file mode 100644 index 00000000..b8144e16 --- /dev/null +++ b/mission-control/docs/reference/rbac.mdx @@ -0,0 +1,18 @@ +--- +title: RBAC +sidebar_position: 10 +--- + +Mission control heavily uses RBAC to manage access control and permissions within the system. In our system, we have defined the following roles: + +## Admin + +The admin role has full access to all features and functionalities of the system. + +## Editor + +The editor role has various read-write privileges apart from few highly privileged actions like user management, agent management, connection management, etc ... + +## Viewer + +The viewer role has read-only access to the system \ No newline at end of file