RoleBinding - YAML

Reading time: 0 minute(s) (0 words)

Organization Admins can manage users in their organization and Project Owners can manage users in their projects through the sloctl tool using a RoleBinding.

Assumptions and validations

• A single RoleBinding object allows the definition of the relation between exactly one user and exactly one role.

• For organization roles, the projectRef field defined on the spec level must be empty. Otherwise, an error is returned.

• New project and RoleBinding can be applied in one YAML file. However, if a roleBinding is applied to a project that doesn't exist on an organization level and the definition of the new project is not present in the yaml, sloctl will return an error (see below for details).

• Only one project role can be defined for a given project for any given user (for example, it is impossible to be a project-owner and a project-editor of the same project).

• The system does not verify whether the user ID in the user field is valid or not. Any non-empty string is acceptable.

• Organization roles cannot be removed by any user. If a user tries to delete an organization-level role, an error is returned.

• If a RoleBinding instance already exists for some user in a given context (project or organization), it is impossible to update the existing role binding for another user. In such an instance, an error is returned.

• If another RoleBinding for the user that is identified by spec.UserID already exists in the given context (project or role), an error is returned.

• The roleRef and user fields are required. The projectRef field is optional, but if this field is not empty and points to a nonexisting project, an error is returned. The value in the roleRef field must be an existing role name.

Direct role bindings

Applying organization role bindings

You can configure an organization-level RoleBinding for a given user in sloctl as shown here:

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
   name: organization-admin-adam
spec:
   roleRef: organization-admin # Existing organization role (since projectRef is empty)
   user: 00u3ywkof3cTkMLOH4x7 # User ID from Okta, available in the UI in Settings > Access Controls > Users

note

The user ID for the user field can be retrieved from Settings > Account and Settings > Access Controls in the UI:

Image 1: User ID for the user field

Applying project RoleBinding

You can configure a project-level RoleBinding for a given user in sloctl as shown in the snippet below:

General YAML sample for a project RoleBinding

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
    name: project-owner-adam # Must be a unique string, see notes below
spec:
    projectRef: default # Must refer to an existing Project
    roleRef: project-owner # Must be an existing Project role
    user: 00u3ywkof3cTkMLOH4x7 # Okta User ID

Field	Type	Description
metadata.name mandatory	string	Constraints: • The name must follow conventions defined in DNS RFC 1123. • If you create RoleBinding manually with sloctl, you can put any valid string for the name. • The name must be unique in an organization (for the Organization roles) or a project (for the Project roles). • RoleBinding created with sloctl is edited in Nobl9 UI. If you create project-owner-adam with sloctl, this object will be available on the Settings > Access Controls tab list in the UI. Then, you can edit the project-owner-adam object on the Users list. • If you configure a role in the UI first, it will generate a UUID for the name, and you need to get the RoleBinding through sloctl.
spec.projectRef optional	string	The project in which we want the user to assume the specified role.
spec.roleRef mandatory	string	The role you want the user to assume.
spec.user mandatory	string	An Okta User ID that can be retrieved from the Nobl9 UI (Settings > Access Controls).

You can create a new project and RoleBinding by applying one YAML file. Let's assume that the datadog-project doesn't exist in your organization. When you apply the following YAML file in sloctl:

Creating new project and Rolebinding

apiVersion: n9/v1alpha
kind: Project
metadata:
  name: datadog-project
spec:
  description: ""
---
apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
  name: role-binding-name
spec:
  user: 00u3ywkof3cTkMLOH4x7
  roleRef: project-viewer
  projectRef: datadog-project

You will create both the datadog-project and a RoleBinding related to it.

Deleting role bindings

You can't delete RoleBinding object for the organizational level roles through the sloctl delete command.

To delete the project RoleBinding, specify the project (unless it is in the default project from active context). You can do this by adding a -p flag and specifying a project to which the RoleBinding is tied:

sloctl delete rolebindings <rolebinding_name> -p <project_name>

For more information, refer to sloctl user guide or run a sloctl delete rolebindings --help command in your terminal.

Group role bindings

Group role bindings for Organization Admins

You can configure a group-level RoleBinding for Organization Admins in sloctl as shown here:

Group-level RoleBinding for organization admins

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
  name: demo-admin-permissions
spec:
  groupRef: group-Q72HorLyjjCc
  roleRef: organization-admin

Group role bindings for users

You can configure a group-level RoleBinding for other users in your Organization in sloctl as shown here:

Group-level RoleBinding for users

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
  name: demo-default-viewer-permissions
spec:
  groupRef: group-JoelsIfCm5AJ
  roleRef: project-viewer
  projectRef: prometheus

Validation errors

The following are common errors related to role binding that users may experience in sloctl:

• If a role does not exist in an organization context (if projectRef is not defined, and the system expects to find an organization-level role type), as in this example:

  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
      name: organization-admin-adam
  spec:
     roleRef: not-existing-project-ref
     user: 00u3ywkof3cTkMLOH4x7

  sloctl returns the following error message:

  Error: Applying RoleBinding 'organization-admin-adam' failed because the object referenced in the field RoleRef 'not-existing-project-ref' could not be found in the given context (expected 'Organization' role type).

• If a role does not exist in a project context (if projectRef is defined, and the system expects to find a project role type), as in this example:

  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
      name: organization-admin-adam
  spec:
      projectRef: default
      roleRef: organization-admin
      user: 00u3ywkof3cTkMLOH4x7

  sloctl returns the following error message:

  Error: Applying RoleBinding 'organization-admin-adam' failed because the object referenced in the field RoleRef 'organization-admin' could not be found in the given context (expected existing 'Project' role type).

• If a RoleBinding already exists for another user, as in this example:

  ---
  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
      name: organization-admin-adam
  spec:
      roleRef: organization-admin
      user: 00u3ywkof3cTkMLOH4x7
  ---
  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
      name: organization-admin-adam
  spec:
      roleRef: organization-admin
      user: 00u3ywkof3cTkMLOH4x8

  sloctl returns the following error message:

  Error: Validation failed because RoleBinding ('organization-admin-adam') already exists for another user in the given context.

• If a RoleBinding already exists for a given user in a given context, as in this case:

  ---
  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
      name: project-owner-anna
  spec:
      projectRef: default
      roleRef: project-owner
      user: 00u3ywkof3cTkMLOH4x7
   ---
  apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
          name: project-owner-anna-2
  spec:
      projectRef: default
      roleRef: project-owner
      user: 00u3ywkof3cTkMLOH4x7

  sloctl returns the following error message:

  Error: Validation failed because another RoleBinding ('project-owner-anna-2') already exists for user 00u3ywkof3cTkMLOH4x7 in the given context.

• If a project does not exist in an organization context and a user tries to apply YAML, as in the example below:

  - apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
      name: project-editor-dans-gmail
  spec:
      user: 00u3ekkyumwqMRdwk417
      roleRef: organization-user
      projectRef: non-existing-project

  sloctl returns the following error message:

  Error: Validation failed: Project non-existing-project not found

• If a user does not have permission to apply or delete role bindings in a project—for example, using a command like this:

  sloctl delete rolebinding project-editor-anna -p existing-project-ref

  sloctl returns the following error message:

  Error: The user does not have permission to delete the role-binding-project in project existing-project-ref.

• If a user does not have permission to apply or delete role bindings in an organization—for example, with a command like the following:

  sloctl apply -f ./samples/roles/sample-role-binding.yaml

  sloctl returns the following error message:

  Error: The user does not have permissions to apply role-binding-organization in the organization some-organization-name.

• If a user tries to delete a role binding from a project that does not exist, as shown here:

  sloctl delete rolebinding project-editor-anna -p not-existing-project-ref

  sloctl returns the following error message:

  Error: Project 'not-existing-project-ref' was not found.

• If a user tries to delete an organization-level role binding:

  sloctl delete rolebinding organization-user-anna

  sloctl returns the following error message:

  Error: deleting organizational role bindings is not allowed

note

sloctl will return the same error when you attach an -A flag to the sloctl delete <rolebinding_name>.

Useful links

RoleBinding