How to configure roles is not well documented, especially how apiPermissions and resourcePermissions work together.
I want to create a user who is allowed to create and restore snapshots only for one special instance and not for any other instance.
I have three VPS instances 100123456, 100123457 and 100123458.
The "snapshotmanager" user should be allowed to create snapshots for instance 100123456, but not for the other instances.
What I did:
- Create a Tag "SNAPINST" and assign it to the instance that should be managed by the user.
- Create a Role "SnapshotManager" which allows "CREATE" and "READ" for the snapshots API, restricted to resources tagged with SNAPINST.
- Create a User which only has this "SnapshotManager" role
- Verify email
- Create password
cntb create tag --name "SNAPINST"
173123
cntb create tagAssignment 173123 instance 100123456
cntb get tagAssignments 173123
TAGID TAGNAME RESOURCETYPE RESOURCEID RESOURCENAME
173123 SNAPINST instance 100123456 vmd115123
cntb create role --name "snapshotmgr" --permissions "[{\"apiName\" : \"/v1/compute/instances/:instanceId/snapshots\", \"actions\": [\"CREATE\", \"READ\"], \"resources\": [173123]}]"
82345
cntb create user --firstName Snapshot --lastName Manager --email snapshot-manager@example.com --enabled --locale en --roles 82345
9c112233-4455-6677-8899-aabbccddeeff
cntb resendEmailVerification user 9c112233-4455-6677-8899-aabbccddeeff
# click link in email
cntb resetPassword user 9c112233-4455-6677-8899-aabbccddeeff
# click link in email and enter password "abcd-2345"
Now I tested whether the user is really restricted to the instance tagged with SNAPINST:
cntb config set-credentials --oauth2-clientid=... --oauth2-client-secret=... --oauth2-user=snapshot-manager@example.com --oauth2-password="abcd-2345"
cntb get instance 100123456
level=error msg="Error while retrieving instance: 403 - Forbidden access to /v1/compute/instances/:instanceId with GET\n"
level=fatal msg="Aborting, due to errors"
That is as expected. The role only grants access to the snapshots api and not to the get instance endpoint.
cntb get snapshots 100123456
SNAPSHOTID NAME DESCRIPTION INSTANCEID CREATEDDATE
snap1688512345 VPS456 snapshot 1 100123456 2023-07-05T18:33:29Z
snap1688512367 VPS456 snapshot 2 100123456 2023-07-05T16:13:22Z
snap1688512389 VPS456 snapshot 3 100123456 2023-07-05T14:52:53Z
That is as expected.
Now I try to get the snapshots for another instance (which is not tagged with "SNAPINST"):
cntb get snapshots 100123457
SNAPSHOTID NAME DESCRIPTION INSTANCEID CREATEDDATE
snap1688555345 VPS457 snapshot 1 100123457 2023-07-05T18:33:29Z
snap1688555367 VPS457 snapshot 2 100123457 2023-07-05T16:13:22Z
That is not what I wanted. The user should not have access to this instance.
I tried another way, hard-coding the instance ID in the path when defining the role, but that is not accepted:
cntb create role --name "snapshotmgr2" --permissions "[{\"apiName\" : \"/v1/compute/instances/100123456/snapshots\", \"actions\": [\"CREATE\", \"READ\"]}]"
level=error msg="Error creating role: 400 - Bad Request Cannot find action CREATE for apiName /v1/compute/instances/100123456/snapshots. You can find a list of available apiNames and actions at '/api-permissions'\n"
level=fatal msg="Aborting, due to errors"
So, my question is:
How do I configure a user to get access to snapshots only for one instance?
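One way to automate the negative test walked through above (an added example, not part of this issue or of the cntb project): it builds the `--permissions` value with `json.dumps` instead of hand-escaped quotes, then lists snapshots for every instance as the restricted user and flags any instance that is reachable without the SNAPINST tag. The `run` parameter and the `run_cntb` wrapper are assumptions so the check can also be fed recorded results.

```python
import json
import subprocess
from typing import Callable, Dict, List, Set, Tuple

# apiName taken from the issue; "resources" carries tag IDs, as in the reporter's command.
SNAPSHOT_API = "/v1/compute/instances/:instanceId/snapshots"


def build_permissions(api_name: str, actions: List[str], tag_ids: List[int]) -> str:
    """Build the JSON string passed to `cntb create role --permissions`.

    json.dumps guarantees well-formed JSON and avoids the hand-escaped quotes.
    """
    return json.dumps([{"apiName": api_name, "actions": actions, "resources": tag_ids}])


def run_cntb(args: List[str]) -> Tuple[int, str]:
    """Assumed wrapper: run cntb with the currently configured credentials."""
    proc = subprocess.run(["cntb", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def check_snapshot_scope(instance_ids: List[str], allowed_ids: Set[str],
                         run: Callable[[List[str]], Tuple[int, str]] = run_cntb
                         ) -> Dict[str, List[str]]:
    """Negative test for a tag-scoped role: list snapshots of every instance.

    "leaked"  = reachable although not in allowed_ids (the problem in the issue)
    "blocked" = in allowed_ids but denied with 403
    "errors"  = non-zero exit that is not a 403 (network, auth, ...)
    """
    result: Dict[str, List[str]] = {"leaked": [], "blocked": [], "errors": []}
    for iid in instance_ids:
        code, out = run(["get", "snapshots", iid])
        if code != 0 and "403" not in out:
            result["errors"].append(iid)
        elif code != 0:  # 403 -> denied
            if iid in allowed_ids:
                result["blocked"].append(iid)
        elif iid not in allowed_ids:  # exit 0 -> snapshots were listed
            result["leaked"].append(iid)
    return result


if __name__ == "__main__":
    print(build_permissions(SNAPSHOT_API, ["CREATE", "READ"], [173123]))
    print(check_snapshot_scope(["100123456", "100123457", "100123458"], {"100123456"}))
```

Run it with the restricted user's credentials configured via `cntb config set-credentials`; an empty "leaked" list is the expected outcome for a correctly scoped role.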