Bare Metal Orchestrator uses an identity provider that supports OAuth 2.0 and OpenID Connect (OIDC) for user authentication.
As part of the authentication process, a token is generated for each user. Only after the token is validated can a user be authorized to perform any task.
For user authorization, Role Based Access Control (RBAC) in Bare Metal Orchestrator lets you securely manage user access by assigning permissions that are based on the role of the user. The roles have clearly defined permissions that determine the level of access to configure the cluster, manage tenants and users, and view cluster data.
You assign the user a role when you create their user account using the Command Line Interface (CLI). A kubeconfig file is generated when you create the role-based user account and it contains a secure token. Save this file and use it when required for authentication. A kubeconfig file is generated for a single user.
Each user needs a copy of their generated kubeconfig file to authenticate when using a local copy of the CLI as a remote client. If the kubeconfig file is lost, you can create another kubeconfig file. For more information, see Create kubeconfig file on demand. Only a user with admin privileges can create a user.
For information about the first IAM admin user created during installation, how to log in to the CLI for the first time, and to use the CLI as a remote client, see Access and accounts.
You can perform the following operations:
- Generate a token.
- Create, view, edit, delete, enable, and disable a user.
- Change user password.
- Create kubeconfig file on demand.
- Update kubeconfig file.
- View and describe roles.
Roles
The following table describes the available user roles and the assigned permissions for each role.
Role | Permissions
--- | ---
Global Admin | Read and write privileges on all Bare Metal Orchestrator resources across all tenants, clusters, pods, servers, sites, hardware profiles, and so on. Can create, edit, and delete users. Can assign and edit user roles. Cannot create, edit, or delete clusters.
Support Admin | Can perform backup and restore operations. Can put Bare Metal Orchestrator in Maintenance mode.
Operator | Read and write privileges on all Bare Metal Orchestrator resources that this user can access across the cluster.
Global Reader | Read-only access on all Bare Metal Orchestrator resources across all tenants, clusters, pods, servers, sites, hardware profiles, and so on.

Note: If a user is assigned multiple roles, the role with the highest privileges is applied.
Example user profile files used to create user accounts
Before generating the kubeconfig file for role-based authentication, you must create a user YAML file that defines the user role. You can see a sample user file in the samples/user-profile directory. For information about the attributes in the user YAML file, see User field definitions.
The following example Bob.yaml user file is used to create a user account and generate the kubeconfig file for Bob with the Global Reader role.
username: bob
password: password123
displayName: Bob
active: true
groups:
- value: global-reader
emails:
- value: bob@dell.com
The following example Kyle.yaml user file is used to create a user account and generate the kubeconfig file for Kyle with the Global Admin role.
username: kyle
password: password123
displayName: Kyle
active: true
groups:
- value: global-admin
emails:
- value: kyle@dell.com
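The following added example (not Dell's code) checks a user profile like Bob.yaml or Kyle.yaml before it is handed to the CLI and applies the rule from the Roles note that the highest-privilege role wins when several groups are assigned. The group values for Operator and Support Admin, the privilege ordering, and the rejection of the sample password are assumptions; the profile is embedded as the dictionary that yaml.safe_load() would return.

```python
# Added example, not Dell's code: validate a Bare Metal Orchestrator user profile
# and resolve which role applies when several are assigned. Only global-reader and
# global-admin appear in the documented samples; the other group values and the
# privilege ordering are assumptions.

ROLE_RANK = {            # highest privilege first (assumed ordering)
    "global-admin": 0,
    "operator": 1,       # assumed group value
    "support-admin": 2,  # assumed group value
    "global-reader": 3,
}
REQUIRED = ("username", "password", "displayName", "active", "groups", "emails")
SAMPLE_PASSWORDS = {"password123", "password"}  # placeholders from sample files


def validate_profile(profile: dict) -> list[str]:
    """Return the problems found; an empty list means the profile is usable."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in profile]
    if problems:
        return problems
    if not isinstance(profile["active"], bool):
        problems.append("active must be true or false")
    groups = [g.get("value") for g in profile["groups"]]
    if not groups:
        problems.append("no group assigned, so the user would get no role")
    problems += [f"unknown role group: {g}" for g in groups if g not in ROLE_RANK]
    if not any(e.get("value") for e in profile["emails"]):
        problems.append("emails must contain at least one address")
    if profile["password"] in SAMPLE_PASSWORDS:
        problems.append("sample password in use; set a real one before creating the account")
    return problems


def effective_role(profile: dict) -> str:
    """Apply the documented rule: with several groups, the highest-privilege role wins."""
    problems = validate_profile(profile)
    if problems:
        raise ValueError("; ".join(problems))
    return min((g["value"] for g in profile["groups"]), key=ROLE_RANK.__getitem__)


# Constructed input: what yaml.safe_load() would return for Kyle.yaml, with a
# second group added to exercise the multiple-role rule and a non-sample password.
KYLE = {
    "username": "kyle", "password": "Kz7!vq-example", "displayName": "Kyle",
    "active": True,
    "groups": [{"value": "global-reader"}, {"value": "global-admin"}],
    "emails": [{"value": "kyle@dell.com"}],
}
```

Running effective_role(KYLE) returns "global-admin"; loading a real file only needs yaml.safe_load(open("Kyle.yaml")) in place of the constructed dictionary.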