dataplaneapi

Access control per resource

Open CRCinAU opened this issue 6 years ago • 5 comments

This is a feature request.

It would be nice if we are able to restrict the permissions of users to be able to configure certain elements within haproxy via the API.

For instance, user 'deployment' could add servers to various backends (specified by backend name), but not be allowed to modify other backends or frontend configurations.

This allows for environments that have multiple resources to use specific username / password combinations to affect each project's haproxy configuration resource without allowing complete control over haproxy.

Jul 15 '19 02:07 CRCinAU

Hi, we are looking for a way to add various ACLs for users, but we are limited by having no database; the only resource we have is the config file, and we are currently using the userlist section to manage users. We were thinking of adding two groups to start: read-only and admin, but we are still looking for ways to manage this. Let's keep the discussion alive here to get to the best possible solutions.

Jul 15 '19 11:07 mjuraga

As a small stepping stone, maybe a simple ACL along the lines of: bind, frontend, backend, servers, acl

Each element listed against a user could restrict them to configuring only those elements, i.e.:

  • servers can only add / modify / delete servers to existing backends.
  • backend can add / modify / delete servers + backends.
  • frontend can edit frontend options
  • bind can change / edit config of ports etc.
  • acl can add / change ACLs listed.

This would give basic flexibility to allow deployments to add backends, but not change SSL certs or frontend configuration.

My specific scenario is that a user could add / remove servers from existing backends - but not modify the backends themselves. This allows either a higher priv user to create a backend (or done manually with a reload) and then automated deployments can populate backends with servers.

Jul 15 '19 15:07 CRCinAU
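
The scoping proposed in the comment above, sketched as a deny-by-default check. This is an added example, not part of the thread and not dataplaneapi code; the `Grant`, `Request` and `Allowed` names are hypothetical, and it assumes the API call has already been parsed into an element kind and a section name. It goes one step beyond the comment by requiring an explicit `"*"` for "any section".

```go
package main

import "fmt"

// Element kinds use the names proposed in the comment above.
type Element string

const (
	Servers  Element = "servers"
	Backend  Element = "backend"
	Frontend Element = "frontend"
)

// Per the proposal, a "backend" grant also covers servers.
var implies = map[Element]map[Element]bool{Backend: {Servers: true}}

// Grant is a hypothetical policy entry: one element kind, limited to the
// named backend/frontend sections. "*" must be written out to mean "any";
// an empty list grants nothing, so an omission cannot widen access.
type Grant struct {
	Kind     Element
	Sections []string
}

// Request is an already-parsed configuration change (add/modify/delete).
type Request struct {
	Kind    Element
	Section string // backend or frontend the change lands in
}

// Allowed is deny-by-default: some grant must cover both kind and section.
func Allowed(grants []Grant, r Request) bool {
	for _, g := range grants {
		covered := g.Kind == r.Kind || implies[g.Kind][r.Kind]
		for _, s := range g.Sections {
			if covered && (s == "*" || s == r.Section) {
				return true
			}
		}
	}
	return false
}

func main() {
	deploy := []Grant{{Servers, []string{"app1"}}} // constructed sample policy
	for _, r := range []Request{{Servers, "app1"}, {Servers, "app2"}, {Backend, "app1"}} {
		fmt.Println(r.Kind, r.Section, Allowed(deploy, r))
	}
}
```
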

We would need to have those groups hardcoded in userlists. This seems like a nice idea, but I would keep it simple and make them HAProxy configuration sections only (so backend, frontend, default, global, etc.).

Jul 15 '19 16:07 mjuraga

I'm kinda ok with that - as it would stop the problem of deployment scripts (or people who find those details) from altering parts of the haproxy config that you wouldn't really want them to. That's the whole idea.

Jul 16 '19 03:07 CRCinAU

Has there been any update on this?

Jul 01 '20 11:07 titansmc