# Permission
In Mission Control, Permission provides a flexible and robust security model that combines two approaches: Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). This unified permission system lets you implement precise and granular access policies. For instance, RBAC can control whether a user may execute any playbook at all, while more refined ABAC policies specify exactly which playbooks specific users or teams can access.

Permissions can be managed via the UI as well as via CRDs.
`permission.yaml`:

```yaml
---
# yaml-language-server: $schema=../../config/schemas/permission.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: allow-user-playbook-run
spec:
  description: |
    allow user john to run any playbook but only on configs in `mission-control` namespace
  subject:
    person: john@doe.com
  actions:
    - playbook:*
  object:
    playbooks:
      - name: "*" # this is a wildcard selector that matches any playbook
    configs:
      - namespace: mission-control
```
A Permission consists of 4 components:

- Subject: the entity requesting access (a person, a team, or a service)
- Object: the target resources this permission applies to (playbooks, configs, or components)
- Effect: whether to allow or deny access (default: allow)
- Actions: the list of actions this permission covers

Deny rules always take precedence over Allow rules.
## CRD

Field | Description
---|---
actions* | List of allowed actions
deny | Whether this is a deny rule (default: false)
description | Description of the permission
object.components | List of component resource selectors
object.configs | List of config resource selectors
object.playbooks | List of playbook resource selectors
subject.notification |
subject.person | Email or ID of the person
subject.team | Name or ID of the team
Additionally, for tag- and agent-based ABAC, these fields are also available:

Field | Description
---|---
agents | List of agents
tags | Key-value pairs of tags
## Permission Groups

Permission Groups allow you to organize subjects (people, teams, or notifications) under a common label for easier permission management. Permissions applied to the group are inherited by the subjects it contains.

### CRD
`permission.yaml`:

```yaml
---
# yaml-language-server: $schema=../../config/schemas/permission.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: allow-config-notifications-to-run-playbook
spec:
  description: allow config notifications to run playbook
  subject:
    notification: config-notifications
  actions:
    - playbook:run
    - playbook:approve
  object:
    playbooks:
      - name: echo-config
---
# yaml-language-server: $schema=../../config/schemas/permissiongroup.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: PermissionGroup
metadata:
  name: config-notifications
spec:
  name: config-notifications
  notifications:
    - name: check-alerts
      namespace: mc
    - name: homelab-config-health-alerts
      namespace: mc
```
Field | Description
---|---
name* | Set a unique name for the permission group
notifications | List of notifications
people | List of people identifiers (email or ID) to associate with the group
teams | List of team names to associate with the group
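To make the four components, the "deny always wins" rule and group inheritance concrete, here is a small evaluator written for this page. It is an added illustration, not Mission Control's authorization engine, and it fills in semantics the page does not spell out, all of which are assumptions: actions are treated as glob patterns (so `playbook:*` covers `playbook:run`), a resource selector matches when every field it sets equals the resource's field, a rule applies only when every resource kind under `object` is present in the request and matched, a subject value that names a PermissionGroup is expanded to that group's members, and a request that matches no rule is denied. The rules are constructed from the two examples above plus one constructed deny rule (`deny-sre-approve-echo-config`) that never appears on the page.

```python
"""Toy evaluator for the Permission / PermissionGroup rules described on this page.

Added illustration only, NOT Mission Control's authorization engine.
The page states only that deny rules take precedence over allow rules and that
group members inherit the group's permissions; everything else below is assumed:
  * actions are glob patterns, so `playbook:*` covers `playbook:run`
  * a selector matches when every field it sets equals the resource's field,
    and `name: "*"` is a wildcard
  * a rule matches a request only if every resource kind under `object` is
    present in the request and matched by one of its selectors
  * a subject value that names a PermissionGroup expands to the group's
    people, teams and notifications
  * when no rule matches at all, access is denied
"""
from fnmatch import fnmatch

# Constructed sample rules in the shape of the CRD specs on this page.
PERMISSIONS = [
    {   # the page's first example: john may run any playbook, but only on
        # configs in the `mission-control` namespace
        "subject": {"person": "john@doe.com"},
        "actions": ["playbook:*"],
        "object": {"playbooks": [{"name": "*"}],
                   "configs": [{"namespace": "mission-control"}]},
    },
    {   # constructed deny rule (not on the page): team `sre` may never approve echo-config
        "deny": True,
        "subject": {"team": "sre"},
        "actions": ["playbook:approve"],
        "object": {"playbooks": [{"name": "echo-config"}]},
    },
    {   # the page's second example: the config-notifications group may run
        # and approve echo-config
        "subject": {"notification": "config-notifications"},
        "actions": ["playbook:run", "playbook:approve"],
        "object": {"playbooks": [{"name": "echo-config"}]},
    },
]

# The PermissionGroup from the page's second example.
PERMISSION_GROUPS = [
    {
        "name": "config-notifications",
        "notifications": [{"name": "check-alerts", "namespace": "mc"},
                          {"name": "homelab-config-health-alerts", "namespace": "mc"}],
    },
]


def _selector_matches(selector, resource):
    # Every field the selector sets must equal the resource's field; "*" matches anything.
    return all(value == "*" or resource.get(key) == value
               for key, value in selector.items())


def _object_matches(perm_object, resources):
    # Each resource kind named by the rule must be present and matched by a selector.
    for kind, selectors in perm_object.items():
        resource = resources.get(kind)
        if resource is None or not any(_selector_matches(s, resource) for s in selectors):
            return False
    return True


def _subject_matches(subject, requester, groups):
    """requester: {"person": email, "teams": [...], "notification": {"name", "namespace"}}"""
    notif = requester.get("notification") or {}
    for kind, value in subject.items():
        group = next((g for g in groups if g["name"] == value), None)
        if group is not None:  # the subject names a group: expand it to its members
            if requester.get("person") in group.get("people", []):
                return True
            if set(requester.get("teams", [])) & set(group.get("teams", [])):
                return True
            members = {(n["namespace"], n["name"]) for n in group.get("notifications", [])}
            if (notif.get("namespace"), notif.get("name")) in members:
                return True
        elif kind == "person" and value == requester.get("person"):
            return True
        elif kind == "team" and value in requester.get("teams", []):
            return True
        elif kind == "notification" and value == notif.get("name"):
            return True
    return False


def is_allowed(requester, action, resources,
               permissions=PERMISSIONS, groups=PERMISSION_GROUPS):
    """Evaluate every rule; a matching deny wins no matter how many allows match."""
    allowed = False
    for perm in permissions:
        if not _subject_matches(perm["subject"], requester, groups):
            continue
        if not any(fnmatch(action, pattern) for pattern in perm["actions"]):
            continue
        if not _object_matches(perm.get("object", {}), resources):
            continue
        if perm.get("deny", False):
            return False  # deny rules always take precedence
        allowed = True
    return allowed  # default deny when nothing matched (assumption)


if __name__ == "__main__":
    john = {"person": "john@doe.com", "teams": ["sre"]}  # constructed requester
    echo_on_mc = {"playbooks": {"name": "echo-config"},
                  "configs": {"name": "api", "namespace": "mission-control"}}
    print(is_allowed(john, "playbook:run", echo_on_mc))      # True
    print(is_allowed(john, "playbook:approve", echo_on_mc))  # False: the deny rule wins
```

The interesting case is `john`: the allow rule with `playbook:*` covers `playbook:approve`, yet his membership in team `sre` triggers the constructed deny rule, so the approve request is refused while the run request goes through. The notification `check-alerts` in namespace `mc` is never named in any Permission directly; it is authorized only because the `config-notifications` group it belongs to is.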