brand changed
This commit is contained in:
govardhan
235
docs/cloud/3Engines-user-roles-on-3Engines-Cloud.html.md
Normal file
235
docs/cloud/3Engines-user-roles-on-3Engines-Cloud.html.md
Normal file
@ -0,0 +1,235 @@
|
||||
3Engines User Roles on 3Engines Cloud[🔗](#3Engines-user-roles-on-brand-name "Permalink to this headline")
|
||||
=============================================================================================================
|
||||
|
||||
A **user role** in 3Engines cloud is a set of permissions that govern how members of specific groups interact with system resources, their access scope, and capabilities.
|
||||
|
||||
This guide simplifies 3Engines roles for casual users of 3Engines Cloud VMs. It focuses on practical use cases and commonly required roles.
|
||||
|
||||
What We Are Going To Cover[🔗](#what-we-are-going-to-cover "Permalink to this headline")
|
||||
---------------------------------------------------------------------------------------
|
||||
|
||||
> * Frequently used user roles
|
||||
>
|
||||
> > * Common user roles
|
||||
> > * Roles for Kubernetes users
|
||||
> > * Roles for Load Balancer users
|
||||
>
|
||||
> * Examples of using user roles
|
||||
>
|
||||
> > * Using user roles while creating application credential in Horizon
|
||||
> > * Using user roles while creating application credential via the CLI
|
||||
> > * Using user roles while creating a new project
|
||||
> > * Using member role only while creating a new user
|
||||
>
|
||||
> * Dictionary of other roles
|
||||
|
||||
Prerequisites[🔗](#prerequisites "Permalink to this headline")
|
||||
-------------------------------------------------------------
|
||||
|
||||
**1. Account**
|
||||
|
||||
You need a 3Engines Cloud hosting account with Horizon access: <https://horizon.3Engines.com>.
|
||||
|
||||
Also see:
|
||||
|
||||
[What is an 3Engines project on 3Engines Cloud](What-is-an-3Engines-project-on-3Engines-Cloud.html.md)
|
||||
|
||||
[What is an 3Engines domain on 3Engines Cloud](What-is-an-3Engines-domain-on-3Engines-Cloud.html.md)
|
||||
|
||||
[How to generate or use Application Credentials via CLI on 3Engines Cloud](How-to-generate-or-use-Application-Credentials-via-CLI-on-3Engines-Cloud.html.md)
|
||||
|
||||
**2. Familiarity with 3Engines Commands**
|
||||
|
||||
Ensure you know the following 3Engines commands:
|
||||
|
||||
**3Engines**
|
||||
: The primary CLI for interacting with 3Engines services.
|
||||
[How to install 3EnginesClient for Linux on 3Engines Cloud](../3Enginescli/How-to-install-3EnginesClient-for-Linux-on-3Engines-Cloud.html.md)
|
||||
|
||||
**kubectl**
|
||||
: CLI for Kubernetes clusters. Example article:
|
||||
|
||||
[How To Access Kubernetes Cluster Post Deployment Using Kubectl On 3Engines Cloud 3Engines Magnum](../kubernetes/How-To-Access-Kubernetes-Cluster-Post-Deployment-Using-Kubectl-On-3Engines-Cloud-3Engines-Magnum.html.md)
|
||||
|
||||
Frequently used user roles[🔗](#frequently-used-user-roles "Permalink to this headline")
|
||||
---------------------------------------------------------------------------------------
|
||||
|
||||
### Common user roles[🔗](#common-user-roles "Permalink to this headline")
|
||||
|
||||
**member**
|
||||
: Grants standard access to project resources.
|
||||
|
||||
Note
|
||||
|
||||
Older 3Engines versions may use **\_member\_**. If both **member** and **\_member\_** exist, choose **member**.
|
||||
|
||||
* Horizon: **Project** -> **Overview**
|
||||
* CLI: **3Engines server list**, **3Engines project list**
|
||||
|
||||
**observer**
|
||||
: Read-only access for monitoring and auditing resources. Suitable for third-party tools like Prometheus or Grafana.
|
||||
|
||||
* Horizon: **Project** -> **Overview**
|
||||
* CLI: **3Engines server show**, **3Engines project show**
|
||||
|
||||
**reader**
|
||||
: Read-only access with slightly broader permissions than **observer**. Ideal for monitoring and analytics tools requiring detailed resource data.
|
||||
|
||||
* Horizon: **Project** -> **Overview**
|
||||
* CLI: **3Engines server list**, **3Engines project list**
|
||||
|
||||
### Roles for Kubernetes users[🔗](#roles-for-kubernetes-users "Permalink to this headline")
|
||||
|
||||
**k8s\_admin**
|
||||
: Administrative access to manage Kubernetes clusters and resources.
|
||||
|
||||
* Horizon: **Kubernetes** -> **Clusters**
|
||||
* CLI: **kubectl create deployment**, **kubectl get pods**
|
||||
|
||||
**k8s\_developer**
|
||||
: For developers deploying applications within Kubernetes.
|
||||
|
||||
* Horizon: **Kubernetes** -> **Workloads**
|
||||
* CLI: **kubectl create**, **kubectl apply**
|
||||
|
||||
**k8s\_viewer**
|
||||
: Read-only access to monitor Kubernetes resources.
|
||||
|
||||
* Horizon: **Kubernetes** -> **Overview**
|
||||
* CLI: **kubectl get pods**, **kubectl describe pod**
|
||||
|
||||
### Roles for Load Balancer users[🔗](#roles-for-load-balancer-users "Permalink to this headline")
|
||||
|
||||
**load-balancer\_member**
|
||||
: Grants access to deploy applications behind load balancers.
|
||||
|
||||
* Horizon: **Network** -> **Load Balancers**
|
||||
* CLI: **3Engines loadbalancer member create**, **3Engines loadbalancer member list**
|
||||
|
||||
**load-balancer\_observer**
|
||||
: Read-only access to monitor load balancer configurations.
|
||||
|
||||
* Horizon: **Network** -> **Load Balancers**
|
||||
* CLI: **3Engines loadbalancer show**, **3Engines loadbalancer stats show**
|
||||
|
||||
How to View Roles in Horizon[🔗](#how-to-view-roles-in-horizon "Permalink to this headline")
|
||||
-------------------------------------------------------------------------------------------
|
||||
|
||||
You can view roles in Horizon by navigating to **Identity** -> **Roles**.
|
||||
|
||||
| | |
|
||||
| --- | --- |
|
||||
| ../_images/user-roles-list-2.png | ../_images/user-roles-list-1.png |
|
||||
|
||||
Assigning multiple roles is best done during project creation rather than user creation.
|
||||
|
||||
|
||||
|
||||
Examples of using user roles[🔗](#examples-of-using-user-roles "Permalink to this headline")
|
||||
-------------------------------------------------------------------------------------------
|
||||
|
||||
The following articles, as one of many steps, describe how to assign a role to the new project, credential, user or group.
|
||||
|
||||
### Using user roles while creating application credential in Horizon[🔗](#using-user-roles-while-creating-application-credential-in-horizon "Permalink to this headline")
|
||||
|
||||
Normally, you access the cloud via user credentials, which may be one- or two-factor credentials. 3Engines provides a more direct procedure of gaining access to cloud with application credential and you can create a credential with several user roles.
|
||||
|
||||
That S3 article selects user roles when creating an application credential, through Horizon:
|
||||
|
||||
/s3/Create-S3-bucket-and-use-it-in-Sentinel-Hub-requests
|
||||
|
||||
|
||||
|
||||
### Using user roles while creating application credential via the CLI[🔗](#using-user-roles-while-creating-application-credential-via-the-cli "Permalink to this headline")
|
||||
|
||||
This is the main article about application credentials; it is mostly using CLI:
|
||||
|
||||
[How to generate or use Application Credentials via CLI on 3Engines Cloud](How-to-generate-or-use-Application-Credentials-via-CLI-on-3Engines-Cloud.html.md)
|
||||
|
||||
Here is how to specify user roles through CLI parameters:
|
||||
|
||||
|
||||
|
||||
### Using user roles while creating a new project[🔗](#using-user-roles-while-creating-a-new-project "Permalink to this headline")
|
||||
|
||||
In article [How to Create and Configure New 3Engines Project Through Horizon on 3Engines Cloud Cloud](../3Enginescli/How-To-Create-and-Configure-New-Project-on-3Engines-Cloud-Cloud.html.md) we use command **Project Members** to define which users to include into the project:
|
||||
|
||||
|
||||
|
||||
You would then continue by defining the roles for each user in the project:
|
||||
|
||||
|
||||
> See this Rancher article, [How to install Rancher RKE2 Kubernetes on 3Engines Cloud](../kubernetes/How-to-install-Rancher-RKE2-Kubernetes-on-3Engines-Cloud-cloud.html.md). Then, in Preparation step 1, a new project is created, with the following user roles:
|
||||
|
||||
* **load-balancer\_member**,
|
||||
* **member** and
|
||||
* **creator**.
|
||||
|
||||
|
||||
|
||||
### Using member role only while creating a new user[🔗](#using-member-role-only-while-creating-a-new-user "Permalink to this headline")
|
||||
|
||||
In SLURM article, we first create a new 3Engines Keystone user, with the role of **member**.
|
||||
|
||||
/cuttingedge/Sample-SLURM-Cluster-on-3Engines-Cloud-Cloud-with-ElastiCluster
|
||||
|
||||
|
||||
|
||||
That user can login to Horizon and use project resources together with other users which are defined in a similar way.
|
||||
|
||||
Dictionary of other roles[🔗](#dictionary-of-other-roles "Permalink to this headline")
|
||||
-------------------------------------------------------------------------------------
|
||||
|
||||
**admin**
|
||||
: Grants unrestricted access to all resources and configurations in the system. Typically reserved for superusers or administrators.
|
||||
|
||||
**project\_admin**
|
||||
: Provides administrative privileges within a specific project, allowing users to manage resources, members, and settings at the project level.
|
||||
|
||||
**network\_admin**
|
||||
: Focused on managing networking resources, including creating networks, subnets, and routers, as well as assigning IPs.
|
||||
|
||||
**storage\_admin**
|
||||
: Offers full control over storage resources, such as creating, modifying, and deleting volumes and snapshots.
|
||||
|
||||
**database\_admin**
|
||||
: Designed for managing database resources, including provisioning, scaling, and backup configurations.
|
||||
|
||||
**audit\_viewer**
|
||||
: A read-only role dedicated to viewing logs, system events, and audit trails for compliance and monitoring purposes.
|
||||
|
||||
**compute\_operator**
|
||||
: Allows management of compute resources, such as starting, stopping, and resizing virtual machines, but without administrative privileges.
|
||||
|
||||
**volume\_user**
|
||||
: Enables users to attach and detach volumes to/from instances and perform basic volume management tasks.
|
||||
|
||||
**image\_creator**
|
||||
: Provides permissions to upload, manage, and delete virtual machine images in the image repository.
|
||||
|
||||
**security\_group\_manager**
|
||||
: Focused on managing security groups and rules, including creating and updating firewall configurations.
|
||||
|
||||
**dns\_admin**
|
||||
: Grants administrative privileges over DNS zones, records, and configurations.
|
||||
|
||||
**keypair\_user**
|
||||
: A role for managing SSH key pairs used for authenticating access to virtual machines.
|
||||
|
||||
**heat\_stack\_owner**
|
||||
: Enables users to create and manage orchestration stacks using Heat templates, including scaling and updating stacks.
|
||||
|
||||
**backup\_admin**
|
||||
: Offers full control over backup operations, such as scheduling backups, restoring data, and managing backup repositories.
|
||||
|
||||
**report\_viewer**
|
||||
: A read-only role that provides access to reports and analytics dashboards without the ability to modify data.
|
||||
|
||||
**api\_user**
|
||||
: Designed for programmatic access to the system via APIs, allowing automation and integration tasks.
|
||||
|
||||
**support\_role**
|
||||
: A limited-access role for customer support agents, enabling them to troubleshoot issues without full system access.
|
||||
|
||||
**custom\_role (generic)**
|
||||
: Represents a user-defined role tailored for specific permissions or organizational policies. Refer to system administrators for details on its scope.
|
||||
Reference in New Issue
Block a user