Role-based Access Control (RBAC) objects determine whether a user is allowed to perform a given action within a project.
It allows developers to use local roles and bindings to control who has access to their projects. Note that authorization is a separate step from authentication, which is more about determining the identity of who is taking the action.
Authorization is managed using:

| Object | Description |
|---|---|
| Rules | Sets of permitted verbs on a set of objects. For example, whether something can |
| Roles | Collections of rules. Users and groups can be associated with, or bound to, multiple roles at the same time. |
| Bindings | Associations between users and/or groups with a role. |
The relationships between cluster roles, local roles, cluster role bindings, local role bindings, users, groups and service accounts are illustrated below.
Several factors are combined to make the decision when OpenShift Online evaluates authorization:

| Factor | Description |
|---|---|
| Identity | In the context of authorization, both the user name and the list of groups the user belongs to. |
| Action | The action being performed. In most cases, this consists of: |
| Bindings | The full list of bindings. |
OpenShift Online evaluates authorizations using the following steps:

1. The identity and the project-scoped action are used to find all bindings that apply to the user or their groups.
2. The bindings are used to locate all the roles that apply.
3. The roles are used to find all the rules that apply.
4. The action is checked against each rule to find a match.
5. If no matching rule is found, the action is denied by default.
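The five evaluation steps above, carried through as a small Python model. This is an added example and not OpenShift's own authorizer; the role names (`view`, `edit`, `cluster-reader`), the project names, the users and the group are constructed sample data, and a binding whose `project` is `None` stands in for a cluster role binding that applies in every project. The point it makes visible is the last step: anything that no rule explicitly permits, including a binding scoped to a different project, is denied.

```python
"""Toy model of the authorization decision described above.

Added example, not OpenShift code.  Data model follows the page:
rules (verbs x resources), roles (collections of rules), bindings
(users/groups -> role, scoped to a project or cluster-wide), and an
identity made of a user name plus group memberships.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    verbs: FrozenSet[str]       # e.g. {"get", "list"}
    resources: FrozenSet[str]   # e.g. {"pods"}; "*" matches any resource

    def matches(self, verb: str, resource: str) -> bool:
        verb_ok = verb in self.verbs or "*" in self.verbs
        res_ok = resource in self.resources or "*" in self.resources
        return verb_ok and res_ok


@dataclass(frozen=True)
class Role:
    name: str
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Binding:
    role: str
    project: Optional[str]      # None = cluster role binding (every project)
    users: FrozenSet[str]
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Action:
    project: str
    verb: str
    resource: str


# Step 1: identity + project-scoped action -> the bindings that apply.
def applicable_bindings(identity: Identity, action: Action,
                        bindings: List[Binding]) -> List[Binding]:
    return [
        b for b in bindings
        if (b.project is None or b.project == action.project)
        and (identity.user in b.users or bool(identity.groups & b.groups))
    ]


# Step 2: bindings -> roles.  A binding naming an unknown role grants nothing.
def applicable_roles(bindings: List[Binding],
                     roles_by_name: Dict[str, Role]) -> List[Role]:
    return [roles_by_name[b.role] for b in bindings if b.role in roles_by_name]


# Steps 3-5: roles -> rules, check the action, deny by default.
# Returns the name of the first role whose rule permits the action, else None.
def evaluate(identity: Identity, action: Action, roles: List[Role],
             bindings: List[Binding]) -> Optional[str]:
    roles_by_name = {r.name: r for r in roles}
    for role in applicable_roles(applicable_bindings(identity, action, bindings),
                                 roles_by_name):
        for rule in role.rules:
            if rule.matches(action.verb, action.resource):
                return role.name
    return None            # no matching rule: denied by default


# Constructed sample policy (names are illustrative, not real cluster data).
ROLES = [
    Role("view", (Rule(frozenset({"get", "list", "watch"}),
                       frozenset({"pods", "services"})),)),
    Role("edit", (Rule(frozenset({"get", "list", "watch", "create", "update", "delete"}),
                       frozenset({"pods", "services"})),)),
    Role("cluster-reader", (Rule(frozenset({"get", "list", "watch"}),
                                 frozenset({"*"})),)),
]
BINDINGS = [
    Binding("view", "shop", frozenset({"alice"}), frozenset()),          # local binding, by user
    Binding("edit", "shop", frozenset(), frozenset({"shop-devs"})),      # local binding, by group
    Binding("cluster-reader", None, frozenset({"auditor"}), frozenset()),  # cluster-wide
]


def decide(user: str, groups: FrozenSet[str], project: str,
           verb: str, resource: str) -> Optional[str]:
    """Evaluate one request against the sample policy."""
    return evaluate(Identity(user, groups), Action(project, verb, resource),
                    ROLES, BINDINGS)


if __name__ == "__main__":
    for req in [("alice", frozenset(), "shop", "get", "pods"),
                ("alice", frozenset(), "shop", "create", "pods"),
                ("bob", frozenset({"shop-devs"}), "shop", "create", "pods"),
                ("bob", frozenset({"shop-devs"}), "billing", "create", "pods"),
                ("auditor", frozenset(), "billing", "list", "secrets"),
                ("auditor", frozenset(), "billing", "delete", "pods")]:
        print(req, "->", decide(*req) or "DENIED")
```

Because the decision is purely additive (a role can only grant, never revoke), auditing who can do what reduces to walking exactly these steps per identity; the `evaluate` function returns the granting role so that the reason for an allow is visible alongside the result.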
In OpenShift Online Pro, you can grant roles (like view or edit) to other users or groups for your projects.
See Project Collaboration in OpenShift Online Pro for information on adding and removing collaborators.
In OpenShift Online Starter, collaboration is not available.