manage
show-minimum-rbac
Extended description
If you don't want to give an instance administrator the default admin
role on
the projects that are associated with an instance of Cloud Pak for Data, you can use the show-minimum-rbac
command to show the minimum role-based access control
(RBAC) for the components that you plan to install.
The show-minimum-rbac
command provides an alternative
method for authorizing an user to act as an instance administrator. However, this method is
recommended only if you are not willing to grant the roles described in Authorizing a user to act as an
IBM Cloud Pak for Data instance administrator.
show-minimum-rbac
method requires
substantial planning and maintenance:- You must run this command based on the services that you plan to install in an instance. For example:
- Instance 1 will include IBM® Knowledge Catalog, Data Privacy, AI Factsheets, Watson™ Studio, and SPSS® Modeler
- Instance 2 will include IBM Knowledge Catalog, Data Privacy, Watson Studio, RStudio® Server Runtimes
In this scenario, the minimum RBAC requirements for each instance are different because the services that you plan to install in the instances are different.
- You must run this command based on the version of Cloud Pak for Data that you are installing. A service might introduce a new resource at any time, so you must run the command based on the version that you want to install to ensure that the instance administrator has sufficient permissions on the instance.
- When you want to upgrade an instance, you must re-run the command based on the version that you want to upgrade to.
This command generates the following YAML files:
${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml
- This YAML file defines the minimum privileges that an instance administrator must have to
create, modify, and view the Kubernetes and Red Hat® OpenShift® Container Platform resources that are associated with an
instance of Cloud Pak for Data.
You can use this file to create the
${ROLE_NAME}-cpd-instance_admin
role. ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml
- This YAML file defines the minimum privileges that am instance administrator must have to
install, modify, and view the custom resources that are associated with an instance of Cloud Pak for Data.
The list of custom resources in the YAML file depends on the components that you plan to install in the instance.
You can use this file to create the
${ROLE_NAME}-cpd-instance-crs
role. nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml
- This YAML file defines the minimum privileges that the
NamespaceScope
operator must have to manage the projects associated with an instance of Cloud Pak for Data.The role does not contain any wildcard characters.
The role must be applied to all projects that are associated with the instance.
The list of resources depends on the components that you plan to install in the instance.
You can use this file to create the
nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
role.
The YAML files are saved to the work
directory.
- Giving a user the minimum RBAC to install the scheduling service
- Giving the NamespaceScope operator the minimum RBAC to manage an instance Cloud Pak for Data
- Giving a user the minimum RBAC to setup and install Cloud Pak for Data
- Giving a user the minimum RBAC to install Cloud Pak for Data components
Syntax
cpd-cli manage show-minimum-rbac \
--components=<comma-separated-list-of-component-names> \
--release=<version> \
[--role_name=<role-name>] \
[--cpd_operator_ns=<project-name>]
Arguments
The show-minimum-rbac
command has no arguments.
Options
Option | Description |
---|---|
--components |
A comma-separated list of the components that you want to install or
upgrade.
|
--cpd_operator_ns |
The project where you want to install the operators for this instance
of Cloud Pak for Data.
|
--release |
The release that you want to install or upgrade
to.
|
--role_name |
The unique name to use to identify the
role. The value is used as a prefix for the YAML files and for the roles defined in the YAML files.
|
Examples
It is strongly recommended that you use a script to create environment variables with the correct values for your environment. For details, see Best practice: Setting up installation environment variables.
- Create the YAML files that define the minimum role-based access control for the specified components at the specified release
-
cpd-cli manage show-minimum-rbac \ --components=${COMPONENTS} \ --release=${VERSION} \ --role_name=${ROLE_NAME}