Authorization

Authorization is a critical component within the Authentication & Authorization feature set of Application Manager.

Introduction

Application Manager implements authorization using Role Based Access Control (RBAC). Roles are managed with Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources. These may look familiar to you if you’ve used Kubernetes before.

Similar to authentication, authorization is disabled by default, and must be explicitly enabled in the configuration:

auth:
  authorization: rbac

  rbac:
    # Optional set of admin users for bootstrapping
    adminUsers:
    - user@email.com

Bootstrapping

For bootstrapping, you have the option to provide a set of admin users in auth.rbac.adminUsers that have cluster-wide access to all resources.

The corresponding ClusterRole and ClusterRoleBinding are reset to the configured users on every startup of Application Manager. Any manual modification made to them between Application Manager restarts is therefore lost.

If you don’t want to bootstrap any admin users, you can omit this configuration setting.

Default Permissions

By default, Application Manager grants any authenticated user full access to the following API resources:

  • /api/v1/deployment-targets
  • /api/v1/status
  • /api/v1/namespaces/default/deployments
  • /api/v1/namespaces/default/events
  • /api/v1/namespaces/default/jobs
  • /api/v1/namespaces/default/savepoints
  • /api/v1/namespaces/default/secret-values

Additionally, any authenticated user has full access to the following non-API resources by default:

  • web-ui

The non-API resource web-ui comprises the full web user interface, including Swagger and proxies to Flink, Grafana, and Kibana.

These permissions are only created once and should be modified as required by your setup. The corresponding role resources are named bootstrap-default:

  • /api/v1/cluster-roles/bootstrap-default
  • /api/v1/cluster-role-bindings/bootstrap-default
  • /api/v1/namespaces/default/roles/bootstrap-default
  • /api/v1/namespaces/default/role-bindings/bootstrap-default
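To make the bootstrapping and default-permission rules above concrete, here is an added example (not Application Manager's own code) of a small Python model of those semantics: admin users bound cluster-wide and rewritten from configuration on every start, a bootstrap-default ClusterRole and Role created only once, and an authorization check over API paths. The resource lists and the reset-on-startup versus created-once behaviour come from the text above; the data structures, function names and the "system:authenticated" pseudo-subject are assumptions for illustration, and non-API resources such as web-ui are not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

ALL_VERBS = frozenset({"get", "list", "create", "update", "delete"})
AUTHENTICATED = "system:authenticated"   # assumed pseudo-subject for "any authenticated user"

# Resources the page says any authenticated user may fully access by default
DEFAULT_CLUSTER_RESOURCES = frozenset({"deployment-targets", "status"})
DEFAULT_NAMESPACED_RESOURCES = frozenset(
    {"deployments", "events", "jobs", "savepoints", "secret-values"})


@dataclass
class Rule:
    resources: frozenset   # resource names; "*" matches everything
    verbs: frozenset       # ALL_VERBS means full access


@dataclass
class Role:
    name: str
    rules: list
    namespace: Optional[str] = None   # None -> ClusterRole


@dataclass
class Binding:
    role: Role
    subjects: frozenset               # user names or AUTHENTICATED
    namespace: Optional[str] = None   # None -> ClusterRoleBinding


@dataclass
class Store:
    roles: dict = field(default_factory=dict)
    bindings: dict = field(default_factory=dict)


def bootstrap(store, admin_users):
    """Model the startup behaviour described on the page."""
    # Admin ClusterRole/ClusterRoleBinding: reset from config on every start,
    # so manual edits to the binding do not survive a restart.
    admin = Role("admin", [Rule(frozenset({"*"}), ALL_VERBS)])
    store.roles["cluster/admin"] = admin
    store.bindings["cluster/admin"] = Binding(admin, frozenset(admin_users))
    # bootstrap-default resources: created only if absent, so an operator's
    # later changes to them persist across restarts.
    if "cluster/bootstrap-default" not in store.roles:
        cr = Role("bootstrap-default", [Rule(DEFAULT_CLUSTER_RESOURCES, ALL_VERBS)])
        store.roles["cluster/bootstrap-default"] = cr
        store.bindings["cluster/bootstrap-default"] = Binding(cr, frozenset({AUTHENTICATED}))
    if "default/bootstrap-default" not in store.roles:
        r = Role("bootstrap-default", [Rule(DEFAULT_NAMESPACED_RESOURCES, ALL_VERBS)],
                 namespace="default")
        store.roles["default/bootstrap-default"] = r
        store.bindings["default/bootstrap-default"] = Binding(
            r, frozenset({AUTHENTICATED}), namespace="default")
    return store


def parse_path(path):
    """Map an /api/v1 path to (namespace, resource); cluster-scoped paths give
    namespace None. Returns None for paths outside /api/v1."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 3 or parts[:2] != ["api", "v1"]:
        return None
    if parts[2] == "namespaces" and len(parts) >= 5:
        return parts[3], parts[4]      # namespaced resource
    return None, parts[2]              # cluster-scoped resource


def authorize(store, user, verb, path):
    """Allow only if some applicable binding carries a matching rule."""
    target = parse_path(path)
    if target is None:
        return False                   # deny anything we cannot classify
    ns, resource = target
    for binding in store.bindings.values():
        if user not in binding.subjects and AUTHENTICATED not in binding.subjects:
            continue
        # A RoleBinding grants only inside its namespace; a ClusterRoleBinding
        # grants in every namespace and for cluster-scoped resources.
        if binding.namespace is not None and binding.namespace != ns:
            continue
        for rule in binding.role.rules:
            if ("*" in rule.resources or resource in rule.resources) and verb in rule.verbs:
                return True
    return False


def demo():
    """Walk through the scenario described above with constructed users."""
    admin, alice = "user@email.com", "alice@example.com"   # constructed sample users
    store = bootstrap(Store(), [admin])
    results = {
        "admin deletes in prod": authorize(store, admin, "delete", "/api/v1/namespaces/prod/deployments"),
        "alice lists status": authorize(store, alice, "list", "/api/v1/status"),
        "alice deletes default deployment": authorize(store, alice, "delete", "/api/v1/namespaces/default/deployments"),
        "alice reads prod deployments": authorize(store, alice, "get", "/api/v1/namespaces/prod/deployments"),
    }
    # Operator tightens bootstrap-default in the default namespace to read-only
    # and adds alice to the admin binding by hand, then the service restarts.
    store.roles["default/bootstrap-default"].rules = [
        Rule(DEFAULT_NAMESPACED_RESOURCES, frozenset({"get", "list"}))]
    store.bindings["cluster/admin"] = Binding(store.roles["cluster/admin"], frozenset({admin, alice}))
    bootstrap(store, [admin])
    results["alice reads default deployment after restart"] = authorize(
        store, alice, "get", "/api/v1/namespaces/default/deployments")
    results["alice deletes default deployment after restart"] = authorize(
        store, alice, "delete", "/api/v1/namespaces/default/deployments")
    results["alice still admin after restart"] = authorize(
        store, alice, "delete", "/api/v1/namespaces/prod/deployments")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allow' if allowed else 'deny'}")
```

The restart step shows the two behaviours side by side: the read-only tightening of the default namespace role survives because bootstrap-default is created only once, while the hand-added admin is dropped because the admin binding is rewritten from auth.rbac.adminUsers. Deny-by-default for unrecognised paths is the model's own choice, not a documented behaviour.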