Skip to main content

RoleBinding - YAML

Reading time: 0 minute(s) (0 words)

Organization Admins can manage users in their organization and Project Owners can manage users in their projects through the sloctl tool using a RoleBinding.

Assumptions and Validations​

  • A single RoleBinding object allows the definition of the relation between exactly one user and exactly one role.

  • For organization roles (e.g., organization-admin, organization-viewer, organization-user, organization-responder), the projectRef field defined on the spec level must be empty. Otherwise, an error is returned.

  • New project and RoleBinding can be applied in one YAML file. However, if a roleBinding is applied to a project that doesn't exist on an organization level and the definition of the new project is not present in the yaml, sloctl will return an error (see below for details).

  • Only one project role can be defined for a given project for any given user (for example, it is impossible to be a project-owner and a project-editor of the same project).

  • The system does not verify whether the user ID in the user field is valid or not. Any non-empty string is acceptable.

  • Organization roles cannot be removed by any user. If a user tries to delete an organization-level role, an error is returned.

  • If a RoleBinding instance already exists for some user in a given context (project or organization), it is impossible to update the existing role binding for another user. In such an instance, an error is returned.

  • If another RoleBinding for the user that is identified by Spec.UserID already exists in the given context (project or role), an error is returned.

  • The roleRef and user fields are required. The projectRef field is optional, but if this field is not empty and points to a nonexisting project, an error is returned. The value in the roleRef field must be an existing role name.

Applying Organization Role Bindings​

You can configure an organization-level RoleBinding for a given user in sloctl as shown here:

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
   name: organization-admin-adam
spec:
   roleRef: organization-admin # Existing organization role (since projectRef is empty)
   user: 00u3ywkof3cTkMLOH4x7 # User ID from Okta, available in the UI in Settings > Users
note

The user ID for the user field can be retrieved from Settings > Account and Settings > Access Controls in the UI:

Image 1: User ID for the user field

Applying Project Role Bindings​

You can configure a project-level RoleBinding for a given user in sloctl as shown here:

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
    name: project-owner-adam # Must be a unique string, see notes below
spec:
    projectRef: default # Must refer to an existing Project
    roleRef: project-owner # Must be an existing Project role
    user: 00u3ywkof3cTkMLOH4x7 # Okta User ID

Specifications for metadata[ ].name:

  • The name must follow conventions defined in DNS RFC 1123. Refer to YAML Guide for further details.
  • If you create RoleBinding manually with sloctl, you can put any valid string for the name.
  • The name must be unique in an Organization (for the Organization roles) or a Project (for the Project roles).
  • RoleBinding created with sloctl is edited in Nobl9 UI. If you create project-owner-adam with sloctl, this object will be available on the Settings > Access Controls tab list in the UI. Then, you can edit the project-owner-adam object on the Users list.
  • If you configure a role in the UI first, it will generate a UUID for the name, and you need to get the RoleBinding through sloctl.

You can create new project and RoleBinding by applying one YAML file. Let's assume that the datadog-project doesn't exist in your organization. When you apply the following YAML file in sloctl:

apiVersion: n9/v1alpha
kind: Project
metadata:
  name: datadog-project
spec:
  description: ""
---
apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
  name: role-binding-name
spec:
  user: 00u3ywkof3cTkMLOH4x7
  roleRef: project-viewer
  projectRef: datadog-project

You will create both the datadog-project and a RoleBinding related to it.

Deleting Role Bindings​

You can't delete RoleBinding object for the organizational level roles through the sloctl delete command.

To delete the project RoleBinding, you must to specify the project (unless it is in the default project from active context). You can do this by adding a -p flag and specifying a project to which the RoleBinding is tied:

sloctl delete rolebindings <rolebinding_name> -p <project_name>

For more information, refer to sloctl user guide or run a sloctl delete rolebindings --help command in your terminal.

Validation Errors​

The following are common errors related to role binding that users may experience in sloctl:

  • If a role does not exist in an organization context (if projectRef is not defined, and the system expects to find an organization-level role type), as in this example:

    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
        name: organization-admin-adam
    spec:
       roleRef: not-existing-project-ref
       user: 00u3ywkof3cTkMLOH4x7

    sloctl returns the following error message:

    Error: Applying RoleBinding 'organization-admin-adam' failed because the object referenced in the field RoleRef 'not-existing-project-ref' could not be found in the given context (expected 'Organization' role type).

  • If a role does not exist in a project context (if projectRef is defined, and the system expects to find a project role type), as in this example:

    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
        name: organization-admin-adam
    spec:
        projectRef: default
        roleRef: organization-admin
        user: 00u3ywkof3cTkMLOH4x7

    sloctl returns the following error message:

    Error: Applying RoleBinding 'organization-admin-adam' failed because the object referenced in the field RoleRef 'organization-admin' could not be found in the given context (expected existing 'Project' role type).

  • If a RoleBinding already exists for another user, as in this example:

    ---
    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
        name: organization-admin-adam
    spec:
        roleRef: organization-admin
        user: 00u3ywkof3cTkMLOH4x7
    ---
    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
        name: organization-admin-adam
    spec:
        roleRef: organization-admin
        user: 00u3ywkof3cTkMLOH4x8

    sloctl returns the following error message:

    Error: Validation failed because RoleBinding ('organization-admin-adam') already exists for another user in the given context.

  • If a RoleBinding already exists for a given user in a given context, as in this case:

    ---
    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
        name: project-owner-anna
    spec:
        projectRef: default
        roleRef: project-owner
        user: 00u3ywkof3cTkMLOH4x7
     ---
    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
            name: project-owner-anna-2
    spec:
        projectRef: default
        roleRef: project-owner
        user: 00u3ywkof3cTkMLOH4x7

    sloctl returns the following error message:

    Error: Validation failed because another RoleBinding ('project-owner-anna-2') already exists for user 00u3ywkof3cTkMLOH4x7 in the given context.

  • If a project does not exist in an organization context and a user tries to apply YAML, as in the example below:

    - apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
        name: project-editor-dans-gmail
    spec:
        user: 00u3ekkyumwqMRdwk417
        roleRef: organization-user
        projectRef: non-existing-project

    sloctl returns the following error message:

    Error: Validation failed: Project `non-existing-project` not found

  • If a user does not have permission to apply or delete role bindings in a projectβ€”for example, using a command like this:

    sloctl delete rolebinding project-editor-anna -p existing-project-ref

    sloctl returns the following error message:

    Error: The user does not have permission to delete the role-binding-project in project existing-project-ref.

  • If a user does not have permission to apply or delete role bindings in an organizationβ€”for example, with a command like the following:

    sloctl apply -f ./samples/roles/sample-role-binding.yaml

    sloctl returns the following error message:

    Error: The user does not have permissions to apply role-binding-organization in the organization some-organization-name.

  • If a user tries to delete a role binding from a project that does not exist, as shown here:

    sloctl delete rolebinding project-editor-anna -p not-existing-project-ref

    sloctl returns the following error message:

    Error: Project 'not-existing-project-ref' was not found.

  • If a user tries to delete an organization-level role binding:

    sloctl delete rolebinding organization-user-anna

    sloctl returns the following error message:

    Error: deleting organizational role bindings is not allowed

note

sloctl will return the same error when you attach an -A flag to the sloctl delete <rolebinding_name>.

RoleBinding | Nobl9 Terraform Documentation

Last updated on