scalectl authorization command
Create and manage the role-based access control (RBAC).
Synopsis
scalectl authorization cani [--action {update | link | unmount | cani | stop | create | delete | get | unlink | mount | impersonate | start | restripe}] [--as {UserName}] [--resource {ResourceEndpoint}]
Or
scalectl authorization domain {create [--file {FilePath}] | delete {DomainName} | get {DomainName} | list [-n {MaxItemNumber}] [-x] [-p {PageSize}] [-t {PageToken}] | update {DomainName} [-F {FilePath}]}
Or
scalectl authorization module {get | update [-F {FilePath}]}
Availability
Available on all IBM Storage Scale editions.
Description
Use the scalectl authorization command to create and manage the role-based access control (RBAC).
Parameters
- cani
- Tests whether a user is allowed to access an endpoint. To run this command, you must have the RBAC permission for the cani action on the /scalemgmt/v3/authorization/cani resource.
- -a or --action {update | link | unmount | cani | stop | create | delete | get | unlink | mount | impersonate | start | restripe}
- Tests access against a specified action on an endpoint. The possible values to test access are update, link, unmount, cani, stop, create, delete, get, unlink, mount, impersonate, start, and restripe. The default value is create.
- --as {UserName}
- Specifies the name of the user whose access is tested.
- -r or --resource {ResourceEndpoint}
- Specifies the resource endpoint to test access.
- domain
- Creates and manages RBAC domains. A domain consists of the following components:
- Resources: A resource is represented as a URL endpoint. This URL endpoint represents a file system, fileset, disk, NSD, and so on. A wildcard (*) can be used to match any resource. For example, /scalemgmt/v3/filesystems/fs0/filesets/* matches any fileset in the file system fs0 for the specified action.
- Actions: Actions are the operations that can be performed on a specific resource. Not all actions apply to every resource. The supported actions are create, delete, get, update, link, unlink, mount, unmount, start, stop, restripe, cani, and impersonate.
- User: The user making the request.
- Effect: The rule that allows or denies access. Rule evaluation follows these conditions:
- Default deny: a request that matches no rule is denied.
- The system checks for an allow rule that matches the request.
- If an explicit deny rule matches the request, it overrides any matching allow rule.
- Time: The time of the request.
- Membership: The relationship between a user and their role within a domain.
- Permission: The relationship between a role, action, effect, and resource within a domain.
- Resource group: A collection of resources that can be reused in various roles.
- Attribute: Custom attributes, for advanced use cases, that can be evaluated for attribute-based access control (ABAC).
- create
- Creates an RBAC domain. A domain is a logical grouping of resources, users and roles, and actions. There are no built-in restrictions on which resources can be included in a domain. To run this command, you must have the RBAC permission for the create action on the /scalemgmt/v3/authorization/domains resource.
- -F or --file {FilePath}
- Specifies the path of the JSON-formatted domain file.
- delete {DomainName}
- Deletes an existing RBAC domain. To run this command, you must have the RBAC permission for the delete action on the /scalemgmt/v3/authorization/domains/{name} resource.
- get {DomainName}
- Retrieves information about a single RBAC domain. To run this command, you must have the RBAC permission for the get action on the /scalemgmt/v3/authorization/domains/{name} resource.
- list
- Retrieves information about all RBAC domains. To run this command, you must have the RBAC permission for the get action on the /scalemgmt/v3/authorization/domains/ resource.
- -n or --max-items {MaxItemNumber}
- Specifies the maximum number of items to list at a time.
- -x or --no-pagination
- Disables pagination tokens on the client side.
- -p or --page-size {PageSize}
- Specifies the number of items to list per API request.
- -t or --page-token {PageToken}
- Specifies the page token that was received from a previous authorization domain list command. Provide this token to retrieve the next page.
- update {DomainName}
- Updates an existing RBAC domain. To run this command, you must have the RBAC permission for the update action on the /scalemgmt/v3/authorization/domains/{name} resource. The following fields cannot be changed in any domain:
- ID
- Within the StorageScaleDomain, additionally:
- The IBM Storage Scale permissions SecurityAdmin and administrator.
- The IBM Storage Scale resource group allEndpoints.
- -F or --file {FilePath}
- Specifies the path of the JSON-formatted domain file.
- module
- Gets and updates the entirety of the RBAC module rules.
- get
- Gets the entirety of the RBAC module rules.
- update
- Replaces the entirety of the RBAC module rules. To run this command, you must have the RBAC permission for the update action on the /scalemgmt/v3/authorization/module resource. Because the update replaces the whole module rather than merging into it, retrieve and keep a copy of the current module with module get before you update it.
- -F or --file {FilePath}
- Specifies the full path of the Rego module file whose contents replace the current module rules.
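The rule evaluation described for domain above (default deny, a matching allow grants, an explicit deny overrides) and the question that cani answers, as an added model in Python. This is illustration code written for this page, not IBM Storage Scale code, and it does not reproduce the JSON domain file format, which this page does not document. The treatment of * as matching exactly one path segment is inferred from the sample domain list output in the Examples section, where SecurityAdmin is granted /scalemgmt/*, /scalemgmt/*/*, and so on as separate rules; the role FilesetOperator, the users alice and mallory, and the fileset names are constructed for the example.

```python
"""Model of scalectl authorization rule evaluation (added illustration).

Not IBM Storage Scale code. Implements the documented order: default deny,
a matching allow rule grants access, an explicit matching deny overrides any
allow. Each '*' in a resource pattern matches exactly one path segment; this
reading is inferred from the sample 'domain list' output, which grants
/scalemgmt/* through /scalemgmt/*/*/*/*/*/*/*/* as separate rules.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """Relationship between a role, an action, an effect and a resource."""
    role: str
    action: str
    resource: str   # endpoint pattern; each '*' matches exactly one path segment
    effect: str     # "allow" or "deny"


def resource_matches(pattern: str, resource: str) -> bool:
    """Segment-wise match: same depth, and every segment equal or '*'."""
    pat = pattern.strip("/").split("/")
    res = resource.strip("/").split("/")
    return len(pat) == len(res) and all(p == "*" or p == r for p, r in zip(pat, res))


@dataclass
class Domain:
    """Logical grouping of memberships (user -> roles) and permissions."""
    name: str
    memberships: dict = field(default_factory=dict)
    permissions: list = field(default_factory=list)

    def add_member(self, user: str, role: str) -> None:
        self.memberships.setdefault(user, set()).add(role)

    def add_permission(self, role: str, action: str, resource: str,
                       effect: str = "allow") -> None:
        if effect not in ("allow", "deny"):
            raise ValueError(f"unknown effect {effect!r}")
        self.permissions.append(Permission(role, action, resource, effect))

    def can_i(self, user: str, action: str, resource: str) -> bool:
        """Answer the 'cani' question for one user, action and endpoint."""
        roles = self.memberships.get(user, set())
        allowed = False                       # default deny
        for perm in self.permissions:
            if perm.role not in roles or perm.action != action:
                continue
            if not resource_matches(perm.resource, resource):
                continue
            if perm.effect == "deny":         # explicit deny wins over any allow
                return False
            allowed = True
        return allowed


def build_sample_domains():
    """Constructed sample data modelled on the page's output, not taken from a live system."""
    scale = Domain("StorageScaleDomain")
    scale.add_member("root", "SecurityAdmin")
    # One rule per depth, as in the sample output: '*' covers a single segment,
    # so eight rules are needed to cover endpoints up to eight segments deep.
    for action in ("create", "delete", "get"):
        for depth in range(1, 9):
            scale.add_permission("SecurityAdmin", action,
                                 "/scalemgmt/" + "/".join(["*"] * depth))

    custom = Domain("domain6")
    custom.add_member("bob", "SecurityAdmin")
    custom.add_permission("SecurityAdmin", "create", "/scalemgmt/v3/filesystems")
    # Role FilesetOperator, user alice and fileset 'critical' are assumptions.
    custom.add_member("alice", "FilesetOperator")
    custom.add_permission("FilesetOperator", "delete",
                          "/scalemgmt/v3/filesystems/fs0/filesets/*")
    custom.add_permission("FilesetOperator", "delete",
                          "/scalemgmt/v3/filesystems/fs0/filesets/critical", "deny")
    return scale, custom


if __name__ == "__main__":
    scale, custom = build_sample_domains()
    checks = [
        (scale, "root", "get", "/scalemgmt/v3/filesystems/fs0/filesets/fset1"),
        (custom, "bob", "create", "/scalemgmt/v3/filesystems"),
        (custom, "bob", "create", "/scalemgmt/v3/filesystems/fs0"),
        (custom, "alice", "delete", "/scalemgmt/v3/filesystems/fs0/filesets/fset1"),
        (custom, "alice", "delete", "/scalemgmt/v3/filesystems/fs0/filesets/critical"),
        (custom, "alice", "delete", "/scalemgmt/v3/filesystems/fs0/filesets/fset1/snapshots/s1"),
        (custom, "mallory", "get", "/scalemgmt/v3/filesystems"),
    ]
    for dom, user, action, resource in checks:
        print(f"{dom.name:18} | {user:7} | {action:6} | {resource:60} | "
              f"{str(dom.can_i(user, action, resource)).lower()}")
```

Two points the model makes visible: a pattern without a wildcard (bob's /scalemgmt/v3/filesystems) grants nothing on the deeper /scalemgmt/v3/filesystems/fs0, and an allow on .../filesets/* does not reach .../filesets/fset1/snapshots/s1, so per-fileset rights do not silently extend to sub-resources. The explicit deny on the fileset named critical wins regardless of the order in which the rules were added.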
Global flags
Use the following global flags with any scalectl command and subcommand:
- --bearer
- If true, reads the OIDC_TOKEN from the environment and sends it as the authorization bearer header for the request. Use this flag with the --url option.
- --user-cert {Certificate}
- Specifies the path to the client certificate file for authentication.
- --user-cacert {CA_Certificate}
- Specifies the path to the certificate authority (CA) trust chain to validate a server certificate.
- --debug {Filepath[="stderr"]}
- Enables debug logging for the current request. Accepts an absolute file path to store logs by using --debug=<file>. If no file path is specified, logs are sent to stderr.
- -h or --help
- Lists the help for scalectl commands.
- --domain {DomainName}
- Sets the domain for the request. The default value is StorageScaleDomain.
- --insecure-skip-tls-verify
- If true, skips verification of the server certificate. This option makes HTTPS connections insecure, because the client can no longer detect a man-in-the-middle; use it only against test systems.
- --json
- Displays output in JSON format. Note: When you use the --json flag with an endpoint method that is a long-running operation (LRO), the LRO is submitted to the LRO manager, which handles its lifecycle. The lifecycle includes accepting, running, and monitoring operations. Although the command request returns quickly, you must ensure that the submitted operation reaches a Done state. Review any metadata that is associated with the request to ensure that it completed successfully. This step is especially important for endpoint methods that have follow-on methods. These follow-on methods are valid only if the initial method completed successfully. For more information about LRO, see Long-running operations.
- --user-key {PrivateKeyFile}
- Specifies the path to the client certificate private key file for authentication.
- --url {ip_address}
- Sends the request over HTTPS to the specified endpoint <FQDN/IP>:<port>. For an IPv6 address, use square brackets, for example [IPv6]:<port>. If no port is specified, 46443 is used by default.
- --version
- Displays the scalectl build information. The --version flag is valid only with the top-level scalectl command.
Exit status
- 0
- Successful completion.
- nonzero
- A failure occurred.
Security
You must have the specific role-based access control (RBAC) permission to run the command. For more information, see Role-based access control.
Examples
- To list all available domains, issue the following command:
scalectl authorization domain list
A sample output is as follows:
DOMAIN             | ROLE          | USER | ACTION | RESOURCE                   | ALLOWED
==============================================================================================
StorageScaleDomain | SecurityAdmin | root | create | /scalemgmt/*               | allow
StorageScaleDomain | SecurityAdmin | root | create | /scalemgmt/*/*             | allow
StorageScaleDomain | SecurityAdmin | root | create | /scalemgmt/*/*/*           | allow
StorageScaleDomain | SecurityAdmin | root | create | /scalemgmt/*/*/*/*         | allow
StorageScaleDomain | SecurityAdmin | root | create | /scalemgmt/*/*/*/*/*       | allow
StorageScaleDomain | SecurityAdmin | root | create | /scalemgmt/*/*/*/*/*/*     | allow
StorageScaleDomain | SecurityAdmin | root | create | /scalemgmt/*/*/*/*/*/*/*   | allow
StorageScaleDomain | SecurityAdmin | root | create | /scalemgmt/*/*/*/*/*/*/*/* | allow
StorageScaleDomain | SecurityAdmin | root | delete | /scalemgmt/*               | allow
StorageScaleDomain | SecurityAdmin | root | delete | /scalemgmt/*/*             | allow
StorageScaleDomain | SecurityAdmin | root | delete | /scalemgmt/*/*/*           | allow
StorageScaleDomain | SecurityAdmin | root | delete | /scalemgmt/*/*/*/*         | allow
StorageScaleDomain | SecurityAdmin | root | delete | /scalemgmt/*/*/*/*/*       | allow
StorageScaleDomain | SecurityAdmin | root | delete | /scalemgmt/*/*/*/*/*/*     | allow
StorageScaleDomain | SecurityAdmin | root | delete | /scalemgmt/*/*/*/*/*/*/*   | allow
StorageScaleDomain | SecurityAdmin | root | delete | /scalemgmt/*/*/*/*/*/*/*/* | allow
StorageScaleDomain | SecurityAdmin | root | get    | /scalemgmt/*               | allow
StorageScaleDomain | SecurityAdmin | root | get    | /scalemgmt/*/*             | allow
StorageScaleDomain | SecurityAdmin | root | get    | /scalemgmt/*/*/*           | allow
StorageScaleDomain | SecurityAdmin | root | get    | /scalemgmt/*/*/*/*         | allow
StorageScaleDomain | SecurityAdmin | root | get    | /scalemgmt/*/*/*/*/*       | allow
StorageScaleDomain | SecurityAdmin | root | get    | /scalemgmt/*/*/*/*/*/*     | allow
StorageScaleDomain | SecurityAdmin | root | get    | /scalemgmt/*/*/*/*/*/*/*   | allow
StorageScaleDomain | SecurityAdmin | root | get    | /scalemgmt/*/*/*/*/*/*/*/* | allow
- To create a new domain, issue the following command:
scalectl authorization domain create -F ~/json/domain6.json
A sample output is as follows:
DOMAIN  | ROLE          | USER | ACTION | RESOURCE                  | ALLOWED
============================================================================
domain6 | SecurityAdmin | bob  | create | /scalemgmt/v3/filesystems | allow
- To delete an RBAC domain, issue the following command:
scalectl authorization domain delete domain3
A sample output is as follows:
Successfully deleted domain 'domain3'
- To test whether a user has create access for the specified endpoint, issue the following command:
scalectl authorization cani -a create -r '/scalemgmt/v3/filesystems'
A sample output is as follows:
attribute | value
========================================
Allowed   | true
User      | root
Action    | create
Resource  | /scalemgmt/v3/filesystems
- To get details of the RBAC module rules, issue the following command:
scalectl authorization module get
A sample output is as follows:
MODULE
==================================
package scale.rbac.external

import future.keywords.if

evaluate(domain, request) if {
    true
}
- To update the entirety of the RBAC module rules, issue the following command:
scalectl authorization module update -F ~/module.rego
A sample output is as follows:
MODULE
==================================
package scale.rbac.external

import future.keywords.if

evaluate(domain, request) if {
    true
}
See also
Location
/usr/lpp/mmfs/bin