Role Based Access Control
How it works
There are five entities in the Parseable Access Control model: `Action`, `Privilege`, `Resource`, `Role` and `User`. The sections below explain each of these entities in detail.
- Actions: Each API corresponds to an Action on the Parseable server.
- Privilege: A privilege is a group of allowed actions. Actions and Privileges are predefined within a Parseable server instance. The current Privileges are `Admin`, `Editor`, `Writer`, `Reader` and `Ingester`. Below is the list of Privileges and their corresponding allowed actions.
  - Admin: All Actions.
  - Editor: Ingest, Query, CreateStream, ListStream, GetSchema, GetStats, GetRetention, PutRetention, PutAlert, GetAlert.
  - Writer: Ingest, Query, ListStream, GetSchema, GetStats, GetRetention, PutAlert, GetAlert.
  - Reader: Query, ListStream, GetSchema, GetStats, GetRetention, GetAlert.
  - Ingester: Ingest.
- Resources: Log streams are Resources. Each Resource has a unique name. For example, a log stream named `my_stream` is a Resource.
- Roles: Roles are dynamic, named entities on a Parseable server instance. Each role has a set of privileges and resources associated with it. A role can be assigned to several users, and a user can have multiple roles assigned to it.
- Users: Users are the human or machine entities that perform actions on a Parseable server instance. Each user has a unique username and password. A user can be assigned one or more roles.
User passwords are hashed before being stored in the Parseable metadata file; Parseable never stores a password in plain text.
Get started
Creating a Role
This is the first step in setting up Role Based Access Control (RBAC) for Parseable. Use the Create Role API to create a role. The Create Role API request body requires the role definition in JSON format. The examples below show sample JSON for the different privileges a role can carry.
- Role JSON with Admin Privilege

```json
[
  {
    "privilege": "admin"
  }
]
```

- Role JSON with Editor Privilege

```json
[
  {
    "privilege": "editor"
  }
]
```
- Role JSON with Writer Privilege: The `Writer` privilege is resource specific. A user with the role JSON below will be able to call Writer-specific APIs only on the specified resources. In this example, the user can call Writer-specific APIs on the `backend` and `frontend` log streams only.

```json
[
  {
    "privilege": "writer",
    "resource": {
      "stream": "backend"
    }
  },
  {
    "privilege": "writer",
    "resource": {
      "stream": "frontend"
    }
  }
]
```
- Role JSON with Ingester Privilege: The `Ingester` privilege is resource specific. A user with the role JSON below will be able to call Ingester-specific APIs only on the specified resources. In this example, the user can call Ingester-specific APIs on the `backend` and `frontend` log streams only. This privilege is the right one to configure in log agents, forwarders and other log ingestion tools, since it grants nothing beyond `Ingest`.

```json
[
  {
    "privilege": "ingester",
    "resource": {
      "stream": "backend"
    }
  },
  {
    "privilege": "ingester",
    "resource": {
      "stream": "frontend"
    }
  }
]
```
- Role JSON with Reader Privilege: The `Reader` privilege is resource specific. A user with the role JSON below will be able to call Reader-specific APIs only on the specified resources. In this example, the user can call Reader-specific APIs on the `frontend` log stream only, and only on events carrying the tag `source=web`. The `tag` field is optional; without it the grant covers every event in the stream.

```json
[
  {
    "privilege": "reader",
    "resource": {
      "stream": "frontend",
      "tag": "source=web"
    }
  }
]
```
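To make the model in the "How it works" section and the role JSON above concrete, here is a small reference evaluator. It is an added example, not Parseable's own authorization code: the privilege-to-action table is transcribed from this page, while the request model (an action plus an optional stream), the `validate_role` checks, and the event-level `event_visible` filter for the Reader `tag` are assumptions about how such a policy would be enforced.

```python
"""Reference evaluator for the Parseable RBAC model described on this page.

Added example, not Parseable's own code. Assumptions not stated on the page:
a request is modelled as (action, stream); the Reader "tag" restriction is
applied per event by event_visible(); actions that take no stream
(ListStream, CreateStream) are checked on the action alone.
"""
import json

# Privilege -> allowed actions, transcribed from the page's list.
# "admin" is handled as "all actions" in grant_allows() rather than enumerated.
PRIVILEGE_ACTIONS = {
    "editor": {"Ingest", "Query", "CreateStream", "ListStream", "GetSchema",
               "GetStats", "GetRetention", "PutRetention", "PutAlert", "GetAlert"},
    "writer": {"Ingest", "Query", "ListStream", "GetSchema", "GetStats",
               "GetRetention", "PutAlert", "GetAlert"},
    "reader": {"Query", "ListStream", "GetSchema", "GetStats", "GetRetention",
               "GetAlert"},
    "ingester": {"Ingest"},
}
GLOBAL_PRIVILEGES = {"admin", "editor"}               # apply to every stream
SCOPED_PRIVILEGES = {"writer", "reader", "ingester"}  # bound to resource.stream


def validate_role(role_json):
    """Return a list of problems with a role definition (empty list = valid).
    Run this before storing a role so a grant is never broader than intended,
    e.g. a 'writer' grant that forgot its stream. Accepts a JSON string or list."""
    grants = json.loads(role_json) if isinstance(role_json, str) else role_json
    if not isinstance(grants, list) or not grants:
        return ["role must be a non-empty JSON array of grants"]
    problems = []
    for i, grant in enumerate(grants):
        priv = grant.get("privilege") if isinstance(grant, dict) else None
        if priv not in GLOBAL_PRIVILEGES | SCOPED_PRIVILEGES:
            problems.append(f"grant {i}: unknown privilege {priv!r}")
            continue
        res = grant.get("resource")
        if priv in SCOPED_PRIVILEGES and not (res and res.get("stream")):
            problems.append(f"grant {i}: {priv} requires resource.stream")
        if priv in GLOBAL_PRIVILEGES and res is not None:
            problems.append(f"grant {i}: {priv} is not resource specific")
    return problems


def grant_allows(grant, action, stream):
    """Does one grant permit `action` on `stream` (None for stream-less actions)?"""
    priv = grant["privilege"]
    if priv == "admin":
        return True
    if action not in PRIVILEGE_ACTIONS.get(priv, set()):
        return False
    if priv in GLOBAL_PRIVILEGES or stream is None:
        return True
    return (grant.get("resource") or {}).get("stream") == stream


def is_allowed(roles, user_roles, action, stream=None):
    """API-level decision: any grant in any of the user's roles may allow it."""
    return any(grant_allows(g, action, stream)
               for name in user_roles for g in roles[name])


def event_visible(roles, user_roles, stream, event_tags):
    """Event-level filter for Query results: a Reader grant carrying
    "tag": "source=web" only exposes events that have that tag."""
    for name in user_roles:
        for g in roles[name]:
            if not grant_allows(g, "Query", stream):
                continue
            tag = (g.get("resource") or {}).get("tag")
            if tag is None:
                return True  # this grant has no tag filter
            key, _, value = tag.partition("=")
            if event_tags.get(key) == value:
                return True
    return False


# Constructed role definitions, in the JSON shape shown on this page.
ROLES = {
    "ops-admin": [{"privilege": "admin"}],
    "app-writer": [{"privilege": "writer", "resource": {"stream": "backend"}},
                   {"privilege": "writer", "resource": {"stream": "frontend"}}],
    "web-reader": [{"privilege": "reader",
                    "resource": {"stream": "frontend", "tag": "source=web"}}],
    "log-agent": [{"privilege": "ingester", "resource": {"stream": "backend"}}],
}

if __name__ == "__main__":
    for name, grants in ROLES.items():
        assert validate_role(grants) == [], name
    print(is_allowed(ROLES, ["log-agent"], "Ingest", "backend"))     # True
    print(is_allowed(ROLES, ["log-agent"], "Query", "backend"))      # False
    print(is_allowed(ROLES, ["app-writer"], "Ingest", "payments"))   # False
    print(event_visible(ROLES, ["web-reader"], "frontend", {"source": "mobile"}))  # False
```

The two points worth noticing are that a user's effective permissions are the union of every grant in every assigned role, so an `ingester`-only agent identity gains nothing by being listed on more streams, and that `validate_role` rejects a resource-scoped grant with no stream rather than silently treating it as global.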
Creating a User
To create a user, use the Create User API. You can optionally pass a request body containing a role name (as explained in the role section) to assign a role to the user at creation time.
After a successful Create User API call, the response contains the user's password. Keep it in a safe place: this is the only time the server returns the password in plain text.
Assign a role
To assign a role to an existing user, use the Assign Role API. This API takes the username and role name as input. After a successful API call, the user can perform the actions allowed by the assigned role.
Reset password
If you need to reset a user's password, use the Reset Password API.
Delete user
To delete a user, use the Delete User API. This API will delete the user and all the roles assigned to it.
For managing roles for your OAuth2 users, refer to the OIDC section. Roles are assigned automatically by matching the role name against the group names found in the groups claim of the ID token.