Role based access controls to CA
This is related to support RT#15938 and GL #1120.
Along with providing a mechanism for authentication on the CA interface (from Kea, not requiring the reverse proxy - #1120), we have a request for role-based access controls.
I think the best way to implement this flexibly, is to have a set of access permissions, and a set of roles, and let the kea administrator configure which permissions map to those roles. Then when they define a user, they assign a role. Below is one specific request, but other users may want something slightly different.
We need a design document to discuss/agree on how granular this needs to be, and also how to integrate these permissions with Stork permissions.
customer request: the list of default roles would look like this:
- admin role - all RW access, just like it is today.
- superuser role - RW access to all DHCP API operations with exception of CB config, not even read-only access to things like mysql user/password or server.
- operator - RW access to lease and HRs manipulative APIs and full read-only access (again, except for CB data).
- viewer - RO access strictly to DHCP APIs, not CB data.