Getting Started with RBAC
TODO: Tutorial to run through end to end basic usage of Kessel with very basic demo/toy code, using the client libraries. Use the Tabs component to show code examples with different tabs for language (e.g. python vs go).
NOTE: This prose is placeholder. Feel free to update.
Quick start
Section titled âQuick startâConfigure Resources
Section titled âConfigure ResourcesâA new installation of Kessel begins as a blank slate. To integrate a Resource (e.g. for access control), you have to configure a Resource schema.
Configure a basic resource that ties into RBAC for permissions. Following is an example of a Host schema configured by HBI.
-
Author schemas
host/common_representation.json {"$schema": "http://json-schema.org/draft-07/schema#","type": "object","properties": {"workspace_id": {"type": "string"}},"required": ["workspace_id"]}host/config.yaml resource_type: hostresource_reporters:- hbihost/reporters/hbi/config.yaml resource_type: hostreporter_name: hbinamespace: hbihost/reporters/hbi/host.json {"$schema": "http://json-schema.org/draft-07/schema#","type": "object","properties": {"insights_inventory_id": {"type": "string","format": "uuid"}},"required": []}path/to/resource_relationships_schema.ksl ksl for resourcepath/to/rbac.ksl ksl for rbac -
Compile to SpiceDB schema
Terminal window however you do that
Install and run Kessel with RBAC
Section titled âInstall and run Kessel with RBACâ-
Start Kessel Inventory
Terminal window git clone git@github.com:project-kessel/inventory-api.gitcd inventory-apimake inventory-up-relations-ready -
Start Relations and SpiceDB
Terminal window git clone git@github.com:project-kessel/relations-api.gitcd relations-apicurl -o deploy/schema.zed https://raw.githubusercontent.com/RedHatInsights/rbac-config/refs/heads/master/configs/prod/schemas/schema.zedmake relations-api-up -
Start RBAC
TODO. For now we will create the Relationships directly
-
Start Kessel Inventory
Terminal window bonfire deploy kessel -C kessel-inventory -
Load Schema
Terminal window oc apply -f https://gist.githubusercontent.com/akoserwal/a061a2959862caa653aa8c8836db874b/raw/7cd73fd045ed8f30c850349bb7ff3264b2d35c8e/spicedb-schema-configmap.yaml -
Fetch the API URL and Credentials
Terminal window bonfire namespace describe -
Enable port forwarding to Kessel Inventory
Terminal window oc port-forward svc/kessel-inventory-api <your local port>:9000 -n <Name of current project from step 3>oc port-forward svc/kessel-relations-api <your local port>:9000 -n <Name of current project from step 3>
Set up access with RBAC
Section titled âSet up access with RBACâ- Link workspace to role binding
Terminal window MESSAGE='{"tuples":[{"resource":{"id":"a64d17d0-aec3-410a-acd0-e0b85b22c076","type":{"name":"workspace","namespace":"rbac"}},"relation":"binding","subject":{"subject":{"id":"it_team_a","type":{"name":"role_binding","namespace":"rbac"}}}}]}'grpcurl -plaintext -d $MESSAGE \localhost: <your local port for relations> \kessel.relations.v1beta1.KesselTupleService.CreateTuples - Grant permission to all principals
Terminal window MESSAGE='{"tuples":[{"resource":{"id":"inventory_hosts_admin","type":{"name":"role","namespace":"rbac"}},"relation":"inventory_hosts_read","subject":{"subject":{"id":"*","type":{"name":"principal","namespace":"rbac"}}}}]}'grpcurl -plaintext -d $MESSAGE \localhost: <your local port for relations> \kessel.relations.v1beta1.KesselTupleService.CreateTuples - Link the role binding to a role
Terminal window MESSAGE='{"tuples":[{"resource":{"id":"it_team_a","type":{"name":"role_binding","namespace":"rbac"}},"relation":"role","subject":{"subject":{"id":"inventory_hosts_admin","type":{"name":"role","namespace":"rbac"}}}}]}'grpcurl -plaintext -d $MESSAGE \localhost: <your local port for relations> \kessel.relations.v1beta1.KesselTupleService.CreateTuples - Link the user sarah to the role binding
Terminal window MESSAGE='{"tuples":[{"resource":{"id":"it_team_a","type":{"name":"role_binding","namespace":"rbac"}},"relation":"subject","subject":{"subject":{"id":"sarah","type":{"name":"principal","namespace":"rbac"}}}}]}'grpcurl -plaintext -d $MESSAGE \localhost: <your local port for relations> \kessel.relations.v1beta1.KesselTupleService.CreateTuples
Import a client
Section titled âImport a clientâTODO: This section will be updated shortly. In the meantime, we will show you how to make calls using grpcurl
pip install whatever-the-package-isgo mod etc etc<maven coords></maven coords>gradle coordsReport resources
Section titled âReport resourcesâTODO: Add examples for all languages
MESSAGE='{"type": "host", "reporterType": "hbi", "reporterInstanceId": "3088be62-1c60-4884-b133-9200542d0b3f","representations": {"metadata": {"localResourceId": "dd1b73b9-3e33-4264-968c-e3ce55b9afec","apiHref": "https://apiHref.com/","consoleHref": "https://www.console.com/","reporterVersion": "2.7.16"},"common": {"workspace_id": "a64d17d0-aec3-410a-acd0-e0b85b22c076"},"reporter": {"insights_inventory_id": "05707922-7b0a-4fe6-982d-6adbc7695b8f"}}}'grpcurl -plaintext -d $MESSAGE \localhost: <your local port for inventory> \kessel.inventory.v1beta2.KesselInventoryService.ReportResourceimport kessel
kessel.ReportResource(...)kessel.ReportResource(...)kessel.ReportResource(...)Enforce access
Section titled âEnforce accessâTODO: Check access
MESSAGE='{"object": {"resourceType": "host", "resourceId": "dd1b73b9-3e33-4264-968c-e3ce55b9afec", "reporter": {"type": "hbi", "instanceId": "3088be62-1c60-4884-b133-9200542d0b3f"}}, "relation": "workspace", "subject": {"resource": {"resourceType": "workspace", "resourceId": "a64d17d0-aec3-410a-acd0-e0b85b22c076", "reporter": {"type": "rbac", "instanceId": "3088be62-1c60-4884-b133-9200542d0b3f"}}}}'grpcurl -plaintext -d $MESSAGE \localhost: <your local port for inventory> \kessel.inventory.v1beta2.KesselInventoryService.Checkimport kessel
kessel.Check(...)kessel.Check(...)kessel.Check(...)