Grants vs RBAC model comparison: Linodes example (Limited availability)
The document depicts how legacy grants and RBAC roles and permissions are defined and applied to the Linode API endpoints for Linodes and how their behavior contrasts with one another.
Identity and Access in Limited Availability
The enablement of Identity and Access to all Cloud users will be done in stages. If you don't see Identity and Access (Beta) in Cloud Manager, it means that the feature is not enabled on your account and you should continue using the Grant-based access control to authorize operations on entities.
In this example, you'll see how the jsmith user access changes:
- The user can view a specific Linode.
- The user can modify the Linode.
- The user becomes the administrator for the Linode.
- The user can create new Linodes.
- The user can manage the whole account.
1. A user needs access to view a Linode
Objective
- A restricted user
jsmithin an account needs to have the read access to view a singlelinode123Linode; no modifications allowed. jsmithcan't have any billing permissionjsmithcan't be allowed to add entities.jsmithcan modify their own profile.
Prerequsites
- The
jsmithuser is created in the account. - Upon provisioning,
jsmithis assigned the following RBAC roles by default:account_oauth_client_adminaccount_event_vieweraccount_notification_vieweraccount_maintenance_viewer
Caveats:
The following endpoints are Internet facing and require no access token; therefore there is no access control:
Setup comparison
| Grant setup | RBAC setup |
|---|---|
|
|
Permission comparison for Linode API
| Allowed Linode API operations | Grant system: Triggered grant | RBAC system: Triggered permission |
|---|---|---|
| Current Linode access settings | Read Only access to the linode123 Linode. | linode_viewer role for the linode123 Linode. |
| List Linodes | Read Only on the linode123 Linode (linode123 is the only Linode jsmith gets) | view_linode for the linode123 Linode (linode123 is the only Linode jsmith gets) |
| Get a Linode | Read Only on Linode | view_linode |
| Additional activity | An unrestricted user triggers a backup or snapshot of the linode123 Linode. This makesjsmith able to view the Linode backup data. | A user with account_admin,linode_admin, or linode_contributor role triggers a backup or snapshot of the linode123 Linode. This makes jsmith able to view the Linode backup data. |
| List backups | Read Only on Linode | - view_linode- view_linode_backup |
| Get a backup | Read Only on Linode | - view_linode- view_linode_backup |
| Additional activity | jsmith can view configuration profile data. | jsmith can view configuration profile data. |
| List configuration profiles | Read Only on Linode | - view_linode- view_linode_config_profile |
| Get a configuration profile | Read Only on Linode | - view_linode- view_linode_config_profile |
| Additional activity | jsmith can view interfaces in the configuration profile. | jsmith can view interfaces in the configuration profile. |
| List configuration profile interfaces | Read Only on Linode | - view_linode- view_linode_config_profile_interface |
| Get a configuration profile interface | Read Only on Linode | - view_linode- view_linode_config_profile_interface |
| Additional activity | jsmith can view disks on the linode123 Linode. | jsmith can view disks on the linode123 Linode. |
| List disks | Read Only on Linode | - view_linode- view_linode_disk |
| Get a disk | Read Only on Linode | - view_linode- view_linode_disk |
| Additional activity | jsmith can view stats and network transfer stats on the linode123 Linode. | jsmith can view stats and network transfer stats on the linode123 Linode. |
| Get Linode statistics | Read Only on Linode | view_linode_stats |
| Get monthly statistics | Read Only on Linode | view_linode_stats |
| Get a network transfer | Read Only on Linode | view_linode_network_transfer |
| Get monthly network transfer stats | Read Only on Linode | view_linode_monthly_network_transfer_stats |
| Additional activity | - An unrestricted user attaches a volume1 volume to the Linode.- The unrestricted user grants jsmith Read Only access to the volume1 volume. | - A user with account_admin, account_volume_admin, volume_admin, or volume_contributor role attaches a volume1 volume to the linode123 Linode.- A user with the account_admin role assigns jsmith the volume_viewer role on the volume1 volume. |
| List a Linode's volumes | - Read Only on Linode - Read Only on the Volume. *Only linode123 and volume1 are returned. | - list_linode_volumes - view_volume *Only linode123 and volume1 are returned. |
| Additional activity | - An unrestricted user attaches the firewall2 firewall to the linode123 Linode.- The unrestricted user grants jsmith Read Only access to the firewall2 firewall. | - A user with firewall_contributor, firewall_admin, account_firewall_admin, account_admin, or linode_viewer role attaches the firewall2 firewall to the linode123 Linode. - A user with the account_admin role assigns jsmith the firewall_viewer role on the firewall2 volume. |
| List a Linode's firewalls | - Read Only on Linode - Read Only on Firewall. *Only linode123 and firewall2 are returned. | - list_linode_firewalls- view_firewall*Only linode123 and firewall2 are returned. |
2. The user needs access to modify the Linode
Objective
- The restricted user
jsmithneeds to be able to modify thelinode123Linode; but not to delete it. jsmithcan't have any billing permission.jsmithcan't be allowed to add entities.jsmithcan modify their own profile.
Setup comparison
| Grant setup | RBAC setup |
|---|---|
The grant system doesn't have specific permissions that control modification of Linode instances. | Instead of At this point,
|
Permission comparison for Linode API
| Allowed Linode API operations | Grant system: Triggered grant | RBAC system: Triggered permission |
|---|---|---|
| New Linode access settings | N/A | linode_contributor role for the linode123 Linode. |
| Update a Linode | N/A | update_linode |
| Boot a Linode | N/A | boot_linode |
| Clone a Linode | N/A | clone_linode |
| Launch a DC migration/pending host migration | N/A | migrate_linode |
| Upgrade a Linode | N/A | upgrade_linode |
| Reset a Linode's root password | N/A | password_reset_linode |
| Reboot a Linode | N/A | reboot_linode |
| Rebuild a Linode | N/A | rebuild_linode |
| Boot a Linode into rescue mode | N/A | rescue_linode |
| Resize a Linode | N/A | resize_linode |
| Shut down a Linode | N/A | shutdown_linode |
| Create a snapshot | N/A | create_linode_backup_snapshot |
| Enable backups | N/A | enable_linode_backups |
| Restore a backup | N/A | - restore_linode_backup - view_linode- update_linode for the destination Linode |
| Create a configuration profile | N/A | create_linode_config_profile |
| Update a configuration profile | N/A | - update_linode_config_profile - view_linode |
| Add a configuration profile interface | N/A | - create_linode_config_profile_interface - view_linode |
| Reorder configuration profile interfaces | N/A | - reorder_linode_config_profile_interfaces - view_linode |
| Update a configuration profile interface | N/A | - update_linode_config_profile_interface- view_linode_config_profile- view_linode |
| Create a disk | N/A | create_linode_disk |
| Update a disk | N/A | - update_linode_disk - view_linode |
| Clone a disk | N/A | - clone_linode_disk - view_linode |
| Reset a disk root password | N/A | - reset_linode_disk_root_password- view_linode |
| Resize a disk | N/A | - resize_linode_disk - view_linode |
| Update a Linode's firewalls | N/A | - update_linode_firewalls- view_firewall |
| Apply a Linode's firewalls | N/A | apply_linode_firewalls |
3. The user needs full access to the Linode
Objective
- The restricted user
jsmithneeds to have full access to thelinode123Linode. jsmithcan't have any billing permission.jsmithcan't be allowed to add entities.jsmithcan modify their own profile.
Setup comparison
| Grant setup | RBAC setup |
|---|---|
An unrestricted user grants Read Write access on the At this point,
| Instead of
|
Permission comparison for Linode API
| Allowed Linode API operations | Grant system: Triggered grant | RBAC system: Triggered permission |
|---|---|---|
| New Linode access settings | N/A | linode_admin role for the linode123 Linode. |
| Delete a Linode | Read-Write | delete_linode |
| Cancel backups | Read-Write | cancel_linode_backups |
| Delete a configuration profile | Read-Write | - delete_linode_config_profile- view_linode |
| Delete a configuration profile interface | Read-Write | -delete_linode_config_profile_interface - view_linode_config_profile - view_linode |
| Delete a disk | Read-Write | - delete_linode_disk - view_linode |
4. The user needs administrative access to the whole account
Objective
- The restricted user
jsmithhave administrative access to the whole account. jsmithany entity including Linode.jsmithhas all billing permissions.jsmithcan modify their own profile.
Setup comparison
| Grant setup | RBAC setup |
|---|---|
An unrestricted user grants
| A user with the
|
Permission comparison for Linode API
| Allowed Linode API operations | Grant system: Triggered grant | RBAC system: Triggered permission |
|---|---|---|
| New access settings | Full account access | All permissions at both the account level and with individual entities |
| List events | N/A | list_events |
| Get an event | N/A | view_event |
| Mark an event as seen | N/A | mark_event_seen |
| List available services | N/A | list_available_services |
| List service transfers | N/A | list_service_transfers |
| Get a region's service availability | N/A | view_region_available_service |
| List maintenances | N/A | list_maintenances |
| Get network usage | N/A | view_network_usage |
| List enrolled Beta programs | N/A | view_enrolled_beta_program |
| List notifications | N/A | list_notifications |
| List authorized apps | N/A | list_profile_apps |
| Get an authorized app | N/A | view_profile_app |
| List agreements | N/A | list_account_agreements |
| Get account settings | N/A | view_account_settings |
| Get a profile | N/A | view_profile |
| Get your account | N/A | view_account |
| Get a user | N/A | view_user |
| Get user preferences | N/A | view_user_preferences |
| List grants | N/A | list_profile_grants |
| List a user's grants | N/A | list_user_grants |
| List user logins | N/A | list_account_logins |
| List security questions | N/A | list_profile_security_questions |
| List trusted devices | N/A | list_profile_devices |
| Get a trusted device | N/A | view_profile_device |
| Get a profile's login | N/A | view_profile_login |
| List logins | N/A | list_profile_logins |
| Get an account login | N/A | view_account_login |
| List SSH keys | N/A | list_profile_ssh_keys |
| Get an SSH key | N/A | view_profile_ssh_key |
| List OAuth clients | N/A | list_oauth_clients |
| Get an OAuth client | N/A | view_oauth_client |
| List Linode NodeBalancers | Read Only on Linodes | list_linode_nodebalancers |
| Get monthly statistics | Read Only on Linodes | view_linode_monthly_stats |
| List invoices | Read Only billing access | list_billing_invoices |
| Get an invoice | Read Only billing access | view_billing_invoice |
| Get a payment method | Read Only billing access | view_payment_method |
| List payment methods | Read Only billing access | list_payment_methods |
| Get a payment | Read Only billing access | view_billing_payment |
| List invoice items | Read Only billing access | list_invoice_items |
| List payments | Read Only billing access | list_billing_payments |
| List firewall devices | Read Only on Firewalls | list_firewall_devices |
| Get a firewall | Read Only on Firewalls | view_firewall |
| Get a firewall device | Read Only on Firewalls | view_firewall_device |
| List firewall rule versions | Read Only on Firewalls | list_firewall_rule_versions |
| List default firewalls | Read Only on Firewalls | list_default_firewalls |
| List firewall rules | Read Only on Firewalls | list_firewall_rules |
| Get a firewall rule version | Read Only on Firewalls | view_firewall_rule_version |
Updated about 2 hours ago