The one place for your designs
To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.
Role based access controls to CA
This is related to support RT#15938 and GL #1120.
Along with providing a mechanism for authentication on the CA interface (from Kea, not requiring the reverse proxy - #1120), we have a request for role-based access controls.
I think the best way to implement this flexibly, is to have a set of access permissions, and a set of roles, and let the kea administrator configure which permissions map to those roles. Then when they define a user, they assign a role. Below is one specific request, but other users may want something slightly different.
We need a design document to discuss/agree on how granular this needs to be, and also how to integrate these permissions with Stork permissions.
customer request: the list of default roles would look like this:
- admin role - all RW access, just like it is today.
- superuser role - RW access to all DHCP API operations with exception of CB config, not even read-only access to things like mysql user/password or server.
- operator - RW access to lease and HRs manipulative APIs and full read-only access (again, except for CB data).
- viewer - RO access strictly to DHCP APIs, not CB data.