How to create a read-only user with RBAC
What is RBAC?
Role-based access control (RBAC) is Sensu’s local user management system. RBAC currently supports the management of users and permissions with namespaces, roles, users, and role bindings.
Why use RBAC?
RBAC allows you to exercise fine-grained control over how Sensu users interact with Sensu resources. Using RBAC rules, you can easily achieve multitenancy so different projects and teams can share a Sensu instance.
How to create a read-only user
By default, Sensu includes a default namespace and an admin user with full permissions to create, modify, and delete resources within Sensu.
Using sensuctl configured as the default admin user, you can create new roles for users that give as much or as little access as you see fit.
In this section, you’ll create a user with read-only access to resources within the default namespace.
Sensu includes a default read-only role called view that you can use to create a read-only user.
1. Create a user with the username alice:
   sensuctl user create alice --password 'password'
2. Create a read-only-user role binding to assign the view role to the alice user:
   sensuctl role-binding create read-only-user --cluster-role=view --user=alice
How to create an event-reader user
Now let’s say you want to create a user that has read-only access to only events within the default namespace.
Since this user needs different permissions from those provided by the default view role, you’ll need to create a role before creating the user and role binding.
1. Create an event-reader role with get and list permissions for events within the default namespace:
   sensuctl role create event-reader --verb get,list --resource events --namespace default
2. Create a user with the username bob:
   sensuctl user create bob --password 'password'
3. Create an event-reader-binding role binding to assign the event-reader role to the bob user:
   sensuctl role-binding create event-reader-binding --role=event-reader --user=bob
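To check that the two bindings grant only what was intended, the following added example (not part of the Sensu documentation or code base) models how a role binding resolves to permissions and lists what alice and bob can do. The evaluation logic is a simplified assumption rather than Sensu's authorizer, and the rule list shown for the built-in view cluster role is an assumed subset.

```python
# Simplified model of RBAC evaluation (an assumption for illustration, not
# Sensu's authorizer): a request is allowed only when a role binding in the
# request's namespace names the user and the bound role has a matching rule.

# Constructed definitions mirroring the sensuctl commands in this guide.
ROLES = {
    ("Role", "default", "event-reader"): [
        {"verbs": ["get", "list"], "resources": ["events"]},
    ],
    # Assumed subset of the rules in the built-in "view" cluster role.
    ("ClusterRole", None, "view"): [
        {"verbs": ["get", "list"], "resources": ["checks", "entities", "events"]},
    ],
}
ROLE_BINDINGS = [
    {"name": "read-only-user", "namespace": "default",
     "role_ref": ("ClusterRole", "view"), "users": ["alice"]},
    {"name": "event-reader-binding", "namespace": "default",
     "role_ref": ("Role", "event-reader"), "users": ["bob"]},
]
VERBS = ["get", "list", "create", "update", "delete"]
RESOURCES = ["checks", "entities", "events"]

def rules_for(binding):
    """Resolve role_ref to rules. A namespaced role must live in the
    binding's namespace; a cluster role has no namespace of its own."""
    kind, name = binding["role_ref"]
    namespace = binding["namespace"] if kind == "Role" else None
    return ROLES.get((kind, namespace, name), [])

def is_allowed(user, verb, resource, namespace):
    for binding in ROLE_BINDINGS:
        # A role binding only grants access inside its own namespace.
        if binding["namespace"] != namespace or user not in binding["users"]:
            continue
        for rule in rules_for(binding):
            if verb in rule["verbs"] and resource in rule["resources"]:
                return True
    return False  # default deny: no matching binding and rule

def effective_permissions(user, namespace):
    """Every (verb, resource) pair the user holds in the namespace."""
    return {(v, r) for v in VERBS for r in RESOURCES
            if is_allowed(user, v, r, namespace)}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, sorted(effective_permissions(user, "default")))
```
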
Next steps
You now know how to create a role, create a user, and create a role binding to assign a role to a user. From this point, here are some recommended resources:
- Read the RBAC reference for in-depth documentation on role-based access control and information about cluster-wide permissions.