Skip to content

Managing cluster users and roles in TCM #4423

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Aug 13, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions doc/tooling/tcm/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -38,9 +38,7 @@ to read data. LDAP authorization is supported as well.

tcm_ui_overview
tcm_connect_clusters
tcm_cluster_config
tcm_cluster_monitoring
tcm_cluster_metrics
tcm_cluster_management/index
tcm_cluster_data_access
tcm_access_control
tcm_audit_log
Expand Down
20 changes: 20 additions & 0 deletions doc/tooling/tcm/tcm_cluster_management/index.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
.. _tcm_cluster_management:

Cluster management
==================

.. include:: ../index.rst
:start-after: ee_note_tcm_start
:end-before: ee_note_tcm_end

The main goal of |tcm_full_name| is to provide visual tools for managing
various aspects of Tarantool clusters from the browser. See the pages of this section
to learn how to perform various management operations on Tarantool clusters from |tcm|.

.. toctree::
:maxdepth: 1

tcm_cluster_state
tcm_cluster_config
tcm_cluster_users
tcm_cluster_metrics
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
Configuring clusters
====================

.. include:: index.rst
.. include:: ../index.rst
:start-after: ee_note_tcm_start
:end-before: ee_note_tcm_end

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
Viewing cluster metrics
=======================

.. include:: index.rst
.. include:: ../index.rst
:start-after: ee_note_tcm_start
:end-before: ee_note_tcm_end

Expand Down
Original file line number Diff line number Diff line change
@@ -1,9 +1,13 @@
.. _tcm_cluster_monitoring:
.. _tcm_cluster_state:

Cluster monitoring
==================
Viewing cluster state
=====================

|tcm_full_name| provides means for monitoring various aspects of connected clusters,
.. include:: ../index.rst
:start-after: ee_note_tcm_start
:end-before: ee_note_tcm_end

|tcm_full_name| provides a visual interface for checking various aspects of connected clusters,
such as:

* topology
Expand All @@ -12,17 +16,17 @@ such as:
* data distribution
* Tarantool versions

Cluster monitoring tools are available on the **Cluster** > **Stateboard** page.
Cluster state information is available on the **Cluster** > **Stateboard** page.

.. _tcm_cluster_monitoring_topology:
.. _tcm_cluster_state_topology:

Cluster topology
----------------

The cluster topology is displayed on the **Stateboard** page in one of two forms:
a list or a graph.

.. _tcm_cluster_monitoring_topology_list:
.. _tcm_cluster_state_topology_list:

List view
~~~~~~~~~
Expand All @@ -37,7 +41,7 @@ to filter the instances with the selected versions and states.

To switch to the list view, click the list button on the right of the search bar on the **Stateboard** page.

.. _tcm_cluster_monitoring_topology_graph:
.. _tcm_cluster_state_topology_graph:

Graph view
~~~~~~~~~~
Expand All @@ -49,7 +53,7 @@ which is helpful for larger clusters.

To switch to the graph view, click the graph button on the right of the search bar on the **Stateboard** page.

.. _tcm_cluster_monitoring_topology_group:
.. _tcm_cluster_state_topology_group:

Instance grouping
~~~~~~~~~~~~~~~~~
Expand All @@ -66,7 +70,7 @@ you see if issues happen in a specific data center or server.
To change the instance grouping, click **Group by** in the **Actions** menu on the **Stateboard** page.
Then add or remove grouping criteria.

.. _tcm_cluster_monitoring_topology_filters:
.. _tcm_cluster_state_topology_filters:

Filtering
~~~~~~~~~
Expand All @@ -81,7 +85,7 @@ at the top. It has predefined filters that select:

To display all instances, delete the filter applied in the search bar.

.. _tcm_cluster_monitoring_instance_details:
.. _tcm_cluster_state_instance_details:

Instance details
----------------
Expand All @@ -104,10 +108,10 @@ find:
Additionally, on the instance details page there is a terminal in which you can execute
arbitrary Lua code on the instance.

.. _tcm_cluster_monitoring_urls:
.. _tcm_cluster_state_urls:

Additional monitoring services
------------------------------
Linked external services
------------------------

When you :ref:`connect a cluster <tcm_connect_clusters>` to |tcm|, you can specify
URLs of external services linked to this cluster. For example, this can be a Grafana
Expand Down
88 changes: 88 additions & 0 deletions doc/tooling/tcm/tcm_cluster_management/tcm_cluster_users.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
.. _tcm_cluster_users:

Managing cluster users and roles
================================

.. include:: ../index.rst
:start-after: ee_note_tcm_start
:end-before: ee_note_tcm_end

|tcm_full_name| provides a visual interface for managing Tarantool users and roles
on connected clusters.

.. note::

This page describes management of :ref:`Tarantool users and roles <access_control>`
on instances of connected clusters. To learn to manage |tcm| users, see :ref:`tcm_access_control`.

The :ref:`Tarantool access model <access_control>` defines user access to entities
inside a single instance. Thus, to create or alter a cluster-wide user or role, you need to
do this on all cluster instances. In replication clusters, changes in access model
are possible only on read-write instances (replica set leaders). Changes made on
a leader instance are propagated to all instances of its replica set automatically.

Operations on the cluster access model are possible only if the :ref:`user <tcm_connect_clusters_parameters_tarantool>`
that |tcm| uses to connect to the cluster has the privileges to manage users and roles.

You can also manage Tarantool users and roles from |tcm| using the Lua API
as described in :ref:`access_control`. To do this, connect to instance consoles
from the **Terminal** tab of the instance page.

.. _tcm_cluster_users_users:

Managing cluster users
----------------------

The tools for managing cluster users are located on the **Users** tab
of the :ref:`instance page <tcm_ui_instance>`.

.. important::

To ensure the access model consistency across the cluster, repeat all user
management operations on all read-write instances of the cluster.

To create a user on a cluster:

#. Go to **Stateboard**.
#. Find a replica set leader in the instances list and click it to open the instance page.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Find a replica set leader

Nit: It would be convenient to have a link to the page where a reader can understand how to find a leader (crown icon).

#. Go to the **Users** tab and click **Add user**.

To edit or delete a user, click the **Edit** or **Delete** button against the username
in the **Users** table.

To edit a user's privileges:

#. Click the lock icon against the username in the **Users** table.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#. Click the lock icon against the username in the **Users** table.
#. Click the **Grants** button (the lock icon) against the username in the **Users** table.

#. In the privileges dialog:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#. In the privileges dialog:
#. In the **Grants** dialog:


- Click **Add** to grant privileges
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Click **Add** to grant privileges
- Click **Add grant** to grant privileges

- Click **Revoke** (the trash bin icon) to revoke a privilege

.. _tcm_cluster_users_roles:

Managing cluster roles
----------------------

The tools for managing cluster roles are located on the **Users** tab
of the :ref:`instance page <tcm_ui_instance>`.

.. important::

To ensure the access model consistency across the cluster, repeat all role
management operations on all read-write instances of the cluster.

To create a role on a cluster:

#. Go to **Stateboard**.
#. Find a replica set leader in the instances list and click it to open the instance page.
#. Go to the **Users** tab and click **Add role**.

To delete a role, click the **Delete** button against the role name in the **Roles** table.

To edit a role's privileges:

#. Click the lock icon against the role name in the **Roles** table.
#. In the privileges dialog:

- Click **Add** to grant privileges
- Click **Revoke** (the trash bin icon) to revoke a privilege
4 changes: 4 additions & 0 deletions doc/tooling/tcm/tcm_connect_clusters.rst
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ Connection parameters
When connecting a cluster to |tcm|, you need to provide two sets of connection parameters:
for the cluster instances and for the centralized configuration storage.

.. _tcm_connect_clusters_parameters_storage:

Configuration storage connection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Expand All @@ -50,6 +52,8 @@ provide the corresponding encryption configuration: keys, certificates, and othe
parameters. For the complete list of parameters, consult the `etcd documentation <https://etcd.io/docs/v3.5/op-guide/configuration/#security>`__
or Tarantool :ref:`enterprise-iproto-encryption`.

.. _tcm_connect_clusters_parameters_tarantool:

Cluster connection
~~~~~~~~~~~~~~~~~~

Expand Down
2 changes: 1 addition & 1 deletion doc/tooling/tcm/tcm_releases/tcm_1.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ the selected cluster:
From the stateboard, you can navigate to specific instances to view their details
or connect to their interactive consoles.

To learn more, see :ref:`tcm_cluster_monitoring`.
To learn more, see :ref:`tcm_cluster_state`.

.. _tcm_releases_1_0_config:

Expand Down
2 changes: 1 addition & 1 deletion doc/tooling/tcm/tcm_releases/tcm_1.2.rst
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ cluster through the |tcm| web interface.
The tools for managing Tarantool users on a cluster instance are located on the
**Users** tab of the instance page.

Learn more about Tarantool access model in :ref:`access_control`.
Learn more about managing Tarantool users from |tcm| in :ref:`tcm_cluster_users`.

.. _tcm_releases_1_2_migrations:

Expand Down
5 changes: 3 additions & 2 deletions doc/tooling/tcm/tcm_ui_overview.rst
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,7 @@ On this page, you can:
by clicking instance names in the cluster topology list
- start and stop instances (in the development mode).

Learn more about using the cluster stateboard in :ref:`tcm_cluster_monitoring`.
Learn more about using the cluster stateboard in :ref:`tcm_cluster_state`.

.. _tcm_ui_instance:

Expand All @@ -144,7 +144,8 @@ It provides a set of tabs for performing actions on the selected Tarantool insta
or as a console output of ``box.cfg``, ``box.info``, and other built-in functions
- **SQL** and **Terminal** tabs: run SQL and Lua commands on the instance
- **Logs** tab: view instance logs
- **Slab stats** tab: view :ref:`slab allocator <memtx-memory>` statistics
- **Slabs** tab: view :ref:`slab allocator <memtx-memory>` statistics
- **Users** tab: manage Tarantool :ref:`users and roles <tcm_cluster_users>` on the instance
- **Funcs**: manage and call stored functions
- **Metrics**: view instance metrics

Expand Down
Loading