docs/deploy/access-control/deploy-view-only-service.md

---
title: Deploy a service and restrict access with RBAC
description: Create a grant to control access to a service.
keywords: ucp, grant, role, permission, authentication
redirect_from:
  - /ucp/
ui_tabs:
  - version: ucp-3.0
    orhigher: true
  - version: ucp-2.2
    orlower: true
---

{% if include.ui %}
{% if include.version=="ucp-3.0" %}

Deploy Kubernetes workload and restrict access

This section is under construction.

Deploy Swarm service and restrict access

In this example, your organization is granted access to a new resource collection that contains one Swarm service.

  1. Create an organization and a team.
  2. Create a collection for the view-only service.
  3. Deploy a Swarm service.
  4. Create a grant to manage user access to the collection.

Create an organization

Create an organization with one team, and add one user who isn't an administrator to the team.

  1. Log in to UCP as an administrator.
  2. Navigate to the Organizations & Teams page and click Create Organization. Name the new organization engineering and click Create.
  3. Click Create Team, name the new team Dev, and click Create.
  4. Add a non-admin user to the Dev team.

For more information, see Learn how to create users and teams.

Create a collection for the service

  1. Navigate to the Collections page to view all of the resource collections in the swarm.
  2. Find the Shared collection and click View children.
  3. Click Create collection and name the collection View-only services.
  4. Click Create to create the collection.

The /Shared/View-only services collection is ready to use for access control.

Deploy a service

Currently, the new collection has no resources assigned to it. To access resources through this collection, deploy a new service and add it to the collection.

  1. Navigate to the Services page and create a new service, named WordPress.
  2. In the Image textbox, enter wordpress:latest. This identifies the most recent WordPress image in the Docker Store.
  3. In the left pane, click Collection. The Swarm collection appears.
  4. Click View children to list all of the collections. In Shared, click View children, find the View-only services collection, and select it.
  5. Click Create to add the "WordPress" service to the collection and deploy it.

You're ready to create a grant for controlling access to the "WordPress" service.

Create a grant

Currently, users who aren't administrators can't access the /Shared/View-only services collection. Create a grant to give the engineering organization view-only access.

A grant is made up of a subject, a role, and a resource collection.

  1. Navigate to the Grants page and click Create Grant.
  2. In the left pane, click Collections, navigate to /Shared/View-only services, and click Select Collection.
  3. Click Roles, and in the dropdown, select View Only.
  4. Click Subjects, and under Select subject type, click Organizations. In the dropdown, select engineering.
  5. Click Create to grant permissions to the organization.

Everything is in place to show role-based access control in action.

Verify the user's permissions

Users in the engineering organization have view-only access to the /Shared/View-only services collection. You can confirm this by logging in as a non-admin user in the organization and trying to delete the service.

  1. Log in as the user who you assigned to the Dev team.

  2. Navigate to the Services page and click WordPress.

  3. In the details pane, confirm that the service's collection is /Shared/View-only services.

  4. Click the checkbox next to the WordPress service, click Actions, and select Remove. You get an error message, because the user doesn't have Service Delete access to the collection.

{% elsif include.version=="ucp-2.2" %}

Deploy Swarm service and restrict access

In this example, your organization is granted access to a new resource collection that contains one Swarm service.

  1. Create an organization and a team.
  2. Create a collection for the view-only service.
  3. Deploy a Swarm service.
  4. Create a grant to manage user access to the collection.

Create an organization

Create an organization with one team, and add one user who isn't an administrator to the team.

  1. Log in to UCP as an administrator.
  2. Navigate to the Organizations & Teams page and click Create Organization. Name the new organization engineering and click Create.
  3. Click Create Team, name the new team Dev, and click Create.
  4. Add a non-admin user to the Dev team.

For more information, see Learn how to create users and teams.

Create a collection for the service

  1. Navigate to the Collections page to view all of the resource collections in the swarm.
  2. Find the Shared collection and click View children.
  3. Click Create collection and name the collection View-only services.
  4. Click Create to create the collection.

The /Shared/View-only services collection is ready to use for access control.

Deploy a service

Currently, the new collection has no resources assigned to it. To access resources through this collection, deploy a new service and add it to the collection.

  1. Navigate to the Services page and create a new service, named WordPress.
  2. In the Image textbox, enter wordpress:latest. This identifies the most recent WordPress image in the Docker Store.
  3. In the left pane, click Collection. The Swarm collection appears.
  4. Click View children to list all of the collections. In Shared, click View children, find the View-only services collection, and select it.
  5. Click Create to add the "WordPress" service to the collection and deploy it.

You're ready to create a grant for controlling access to the "WordPress" service.

Create a grant

Currently, users who aren't administrators can't access the /Shared/View-only services collection. Create a grant to give the engineering organization view-only access.

A grant is made up of a subject, a role, and a resource collection.

  1. Navigate to the Grants page and click Create Grant.
  2. In the left pane, click Collections, navigate to /Shared/View-only services, and click Select Collection.
  3. Click Roles, and in the dropdown, select View Only.
  4. Click Subjects, and under Select subject type, click Organizations. In the dropdown, select engineering.
  5. Click Create to grant permissions to the organization.

Everything is in place to show role-based access control in action.

Verify the user's permissions

Users in the engineering organization have view-only access to the /Shared/View-only services collection. You can confirm this by logging in as a non-admin user in the organization and trying to delete the service.

  1. Log in as the user who you assigned to the Dev team.

  2. Navigate to the Services page and click WordPress.

  3. In the details pane, confirm that the service's collection is /Shared/View-only services.

  4. Click the checkbox next to the WordPress service, click Actions, and select Remove. You get an error message, because the user doesn't have Service Delete access to the collection.

{% endif %}
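
The same deploy-and-verify steps can be run from a UCP client bundle instead of the web UI. This is an added example, not code from the Docker documentation; it assumes the administrator's and the Dev user's client bundles are sourced in separate shells (placeholders, not real paths), and that `com.docker.ucp.access.label` is the label UCP reads to place a resource in a collection. Matching the denial message on "access denied" or "Service Delete" is an assumption about the exact wording UCP returns.

```shell
#!/bin/sh
# Added example: CLI equivalent of "Deploy a service" and "Verify the
# user's permissions". Run deploy_into_collection from a shell where the
# ADMIN client bundle is sourced, and verify_view_only from a shell where
# the Dev team member's bundle is sourced (bundle paths are placeholders).
set -u

COLLECTION='/Shared/View-only services'
SERVICE='WordPress'

# Admin: deploy the service straight into the view-only collection, so it
# is never reachable through a collection with broader grants.
deploy_into_collection() {
  docker service create --name "$SERVICE" \
    --label "com.docker.ucp.access.label=$COLLECTION" \
    wordpress:latest
}

# Return 0 only if the command FAILS and its error output says access was
# denied. Success, or an unrelated failure (connection refused, typo in the
# service name), returns 1 so the check cannot pass by accident.
expect_denied() {
  err=$("$@" 2>&1 >/dev/null) && return 1
  case "$err" in
    *"access denied"*|*"Service Delete"*) return 0 ;;
    *) printf 'unexpected error: %s\n' "$err" >&2; return 1 ;;
  esac
}

# Dev user: listing the service must work (View Only role), and removing it
# must be denied (no Service Delete on the collection).
verify_view_only() {
  docker service ls --filter "name=$SERVICE" --format '{{.Name}}' \
    | grep -qx "$SERVICE" || return 1
  expect_denied docker service rm "$SERVICE"
}
```

`verify_view_only` exits non-zero if the user can delete the service, so it can be wired into a post-deployment check that the grant is still View Only.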

Where to go next