RBAC management using APIs

The IBM Spectrum® Discover role-based access control (RBAC) is a REST API service that enables role-based access to the IBM Spectrum Discover services. This service uses OpenStack Keystone as a backend for providing Identity and Access Management (IAM) across multiple domains that are attached to IBM Spectrum Discover.

The authentication service uses a default user with user name sdadmin and password Passw0rd in the domain named default. This user has the administrative role and can be used to create other users and user groups, register new domains with the authentication service, create projects, and assign roles to the users at project or domain level.

The following are the predefined user roles with the corresponding access levels:

admin
Default user role created by the system. Users with this role can create other users, projects, and domains, and can assign roles. Users with this role cannot see metadata records.
dataadmin
The users with this role can see all metadata records across projects.
datauser
This role is ideal for a researcher or data scientist. Users with this role can see records that are associated with projects to which they belong.
serviceuser
This user role is intended for service personnel. Users with this role have read-only access to the system logs.

IBM Spectrum Discover integrates with the enterprise LDAP connected to IBM Spectrum Scale. Using the authentication service APIs, admin users can add an LDAP domain definition to IBM Spectrum Discover. The users and groups from the registered LDAP domain are automatically imported into IBM Spectrum Discover and the administrators can add these users and groups to different projects while assigning them the datauser role.

Admin users can also assign the dataadmin role to some of the users and user groups to give access to the entire IBM Spectrum Discover index for searches and policies.

The authentication API service endpoint has the following basic structure: https://<host address>/auth/v1/<endpoint>

For example, the following endpoint gets an authentication token for a user: curl -k -u <user>:<pass> https://<host address>/auth/v1/token
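The following script is an added example and is not part of the IBM documentation or the product's own tooling. It wraps the token request above so that the password is not placed on the curl command line (where it is visible to other processes and in shell history) and so that the server certificate is verified with --cacert instead of being ignored with -k. It assumes, without confirmation from this page, that the token is returned in an X-Auth-Token response header, and it uses two operator-set environment variables, SD_PASSWORD and SD_CACERT, that are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): obtain an IBM Spectrum
# Discover authentication token from https://<host address>/auth/v1/token.
#
# Assumptions (not stated on the page): the token is returned in the
# X-Auth-Token response header; SD_PASSWORD and SD_CACERT are environment
# variables set by the operator before running this script.

# extract_token: read HTTP response headers on stdin and print the value of
# the first X-Auth-Token header. Header names are case-insensitive, and curl
# leaves the trailing CR of each header line in place, so strip it first.
extract_token() {
    tr -d '\r' \
      | sed -n 's/^[Xx]-[Aa][Uu][Tt][Hh]-[Tt][Oo][Kk][Ee][Nn]: *//p' \
      | head -n 1
}

# get_token <host address> <user>: request a token and print it.
get_token() {
    host="$1"
    user="$2"
    : "${SD_PASSWORD:?export SD_PASSWORD in the environment, not on the command line}"
    : "${SD_CACERT:?export SD_CACERT (path to the cluster CA certificate)}"

    # The credentials are handed to curl as a config file on stdin (-K -), so
    # the password never appears in the process list the way -u user:pass does.
    # --cacert verifies the server certificate against the cluster CA instead
    # of -k, which accepts any certificate. -D - dumps the response headers to
    # stdout and -o /dev/null discards the body, so only the token is printed.
    printf 'user = "%s:%s"\n' "$user" "$SD_PASSWORD" \
      | curl -sS -K - --cacert "$SD_CACERT" -D - -o /dev/null \
             "https://$host/auth/v1/token" \
      | extract_token
}

# Usage: SD_PASSWORD='...' SD_CACERT=/path/to/ca.pem ./get_token.sh <host address> sdadmin
if [ "$#" -ge 2 ]; then
    get_token "$1" "$2"
fi
```

The token printed by get_token can then be supplied to the other /auth/v1/ endpoints in whatever header they expect; keep it in a variable or a file created with a restrictive umask rather than echoing it into logs.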