RoleBinding - YAML

Organization Admins can manage users in their organization and Project Owners can manage users in their projects through the sloctl tool using a RoleBinding.
Assumptions and Validations

- A single RoleBinding object defines the relation between exactly one user and exactly one role.
- For organization roles (e.g., organization-admin, organization-viewer, organization-user), the projectRef field defined at the spec level must be empty. Otherwise, an error is returned.
- For project roles (project-owner, project-editor, project-viewer, project-integrations-user), the projectRef field defined at the spec level cannot be empty. projectRef must point to an existing project, or sloctl will return an error.
- Only one project role can be defined for a given project for any given user (for example, it is impossible to be a project-owner and a project-editor of the same project).
- The system does not verify whether the user ID in the user field is valid. Any non-empty string is accepted.
- Organization roles cannot be removed by any user. If a user tries to delete an organization-level role, an error is returned.
- If a RoleBinding instance already exists for some user in a given context (project or organization), it is impossible to update that role binding for another user. In such a case, an error is returned.
- If another RoleBinding for the user identified by Spec.UserID already exists in the given context (project or organization), an error is returned.
- The roleRef and user fields are required. The projectRef field is optional, but if it is not empty and points to a nonexistent project, an error is returned. The value in the roleRef field must be an existing role name.
Applying Organization Role Bindings

You can configure an organization-level RoleBinding for a given user in sloctl as shown here:

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
  name: organization-admin-adam
spec:
  roleRef: organization-admin # Existing organization role (since projectRef is empty)
  user: 00u3ywkof3cTkMLOH4x7 # User ID from Okta, available in the UI in Settings > Users

Note: the user ID for the user field can be retrieved from Settings > Account and Settings > Users in the UI.
Applying Project Role Bindings

You can configure a project-level RoleBinding for a given user in sloctl as shown here:

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
  name: project-owner-adam # Must be a unique string, see notes below
spec:
  projectRef: default # Must refer to an existing Project
  roleRef: project-owner # Must be an existing Project role
  user: 00u3ywkof3cTkMLOH4x7 # Okta User ID

Specifications for metadata[ ].name:

- The name must follow the conventions defined in DNS RFC 1123. Refer to the YAML Guide for further details.
- If you create a RoleBinding manually with sloctl, you can use any valid string for the name.
- The name must be unique in an Organization (for Organization roles) or a Project (for Project roles).
- A RoleBinding created with sloctl is edited in the Nobl9 UI. If you create project-owner-adam with sloctl, this object will be available in the Settings > Users tab list in the UI. Then, you can edit the project-owner-adam object on the Users list.
- If you configure a role in the UI first, it will generate a UUID for the name, and you need to get the RoleBinding through sloctl.
Validation Errors

The following are common errors related to role binding that users may experience in sloctl:

- If a role does not exist in an organization context (projectRef is not defined, so the system expects to find an organization-level role type), as in this example:

  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
    name: organization-admin-adam
  spec:
    roleRef: not-existing-project-ref
    user: 00u3ywkof3cTkMLOH4x7

  sloctl returns the following error message:

  Error: Applying RoleBinding 'organization-admin-adam' failed because the object referenced in the field RoleRef 'not-existing-project-ref' could not be found in the given context (expected 'Organization' role type).

- If a role does not exist in a project context (projectRef is defined, so the system expects to find a project role type), as in this example:

  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
    name: organization-admin-adam
  spec:
    projectRef: default
    roleRef: organization-admin
    user: 00u3ywkof3cTkMLOH4x7

  sloctl returns the following error message:

  Error: Applying RoleBinding 'organization-admin-adam' failed because the object referenced in the field RoleRef 'organization-admin' could not be found in the given context (expected existing 'Project' role type).

- If a RoleBinding with the same name already exists for another user, as in this example:

  ---
  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
    name: organization-admin-adam
  spec:
    roleRef: organization-admin
    user: 00u3ywkof3cTkMLOH4x7
  ---
  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
    name: organization-admin-adam
  spec:
    roleRef: organization-admin
    user: 00u3ywkof3cTkMLOH4x8

  sloctl returns the following error message:

  Error: Validation failed because RoleBinding ('organization-admin-adam') already exists for another user in the given context.

- If a RoleBinding already exists for a given user in a given context, as in this case:

  ---
  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
    name: project-owner-anna
  spec:
    projectRef: default
    roleRef: project-owner
    user: 00u3ywkof3cTkMLOH4x7
  ---
  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
    name: project-owner-anna-2
  spec:
    projectRef: default
    roleRef: project-owner
    user: 00u3ywkof3cTkMLOH4x7

  sloctl returns the following error message:

  Error: Validation failed because another RoleBinding ('project-owner-anna-2') already exists for user 00u3ywkof3cTkMLOH4x7 in the given context.

- If a user does not have permission to apply or delete role bindings in a project, for example with a command like this:

  sloctl delete rolebinding project-editor-anna -p existing-project-ref

  sloctl returns the following error message:

  Error: The user does not have permission to delete the role-binding-project in project existing-project-ref.

- If a user does not have permission to apply or delete role bindings in an organization, for example with a command like the following:

  sloctl apply -f ./samples/roles/sample-role-binding.yaml

  sloctl returns the following error message:

  Error: The user does not have permissions to apply role-binding-organization in the organization some-organization-name.

- If a user tries to delete a role binding from a project that does not exist, as shown here:

  sloctl delete rolebinding project-editor-anna -p not-existing-project-ref

  sloctl returns the following error message:

  Error: Project 'not-existing-project-ref' was not found.

- If a user tries to delete an organization-level role binding:

  sloctl delete rolebinding organization-user-anna

  sloctl returns the following error message:

  Error: deleting organizational role bindings is not allowed
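The rules from Assumptions and Validations and the error cases above, modelled as a pre-apply check you can run locally before handing a manifest to sloctl. This is an added example, not sloctl's or Nobl9's own code; the set of existing projects is constructed, and the error texts mirror the page's messages only as closely as the documented wording allows.

```python
# Role names and validation rules from this page; the project list is constructed.
ORG_ROLES = {"organization-admin", "organization-viewer", "organization-user"}
PROJECT_ROLES = {"project-owner", "project-editor", "project-viewer",
                 "project-integrations-user"}
EXISTING_PROJECTS = {"default"}  # constructed: projects known to the organization
NOT_FOUND = ("Applying RoleBinding '{name}' failed because the object referenced in the "
             "field RoleRef '{role}' could not be found in the given context ({ctx}).")


def binding(name, role, user, project=""):
    """Build a RoleBinding dict in the shape of the page's YAML samples."""
    spec = {"roleRef": role, "user": user}
    if project:
        spec["projectRef"] = project  # empty projectRef means organization context
    return {"apiVersion": "n9/v1alpha", "kind": "RoleBinding",
            "metadata": {"name": name}, "spec": spec}


def context_of(spec):
    """Organization context when projectRef is empty, otherwise the project name."""
    return spec.get("projectRef") or "Organization"


def validate(new, existing):
    """Check `new` against the page's rules; return an error text or None if valid."""
    name, spec = new["metadata"]["name"], new["spec"]
    role, user, project = spec.get("roleRef"), spec.get("user"), spec.get("projectRef")
    if not role or not user:  # required fields; the user ID itself is not verified
        return f"RoleBinding '{name}': roleRef and user are required"
    if project and project not in EXISTING_PROJECTS:
        return f"Project '{project}' was not found."
    if project and role not in PROJECT_ROLES:
        return NOT_FOUND.format(name=name, role=role, ctx="expected existing 'Project' role type")
    if not project and role not in ORG_ROLES:
        return NOT_FOUND.format(name=name, role=role, ctx="expected 'Organization' role type")
    ctx = context_of(spec)
    for other in existing:  # one binding per name and one role per user in each context
        oname, ospec = other["metadata"]["name"], other["spec"]
        if context_of(ospec) != ctx:
            continue
        if oname == name and ospec["user"] != user:
            return (f"Validation failed because RoleBinding ('{name}') already exists "
                    "for another user in the given context.")
        if ospec["user"] == user and oname != name:
            return (f"Validation failed because another RoleBinding ('{name}') already "
                    f"exists for user {user} in the given context.")
    return None  # same name and same user is a plain update, which is allowed
```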