mirror of https://github.com/docker/docs.git
226 lines
8.0 KiB
Markdown
226 lines
8.0 KiB
Markdown
---
|
|
title: Deploy a service and restrict access with RBAC
|
|
description: Create a grant to control access to a service.
|
|
keywords: ucp, grant, role, permission, authentication
|
|
redirect_from:
|
|
- /ucp/
|
|
ui_tabs:
|
|
- version: ucp-3.0
|
|
orhigher: true
|
|
- version: ucp-2.2
|
|
orlower: true
|
|
---
|
|
|
|
{% if include.ui %}
|
|
{% if include.version=="ucp-3.0" %}
|
|
|
|
## Deploy Kubernetes workload and restrict access
|
|
This section is under construction.
|
|
|
|
## Deploy Swarm service and restrict access
|
|
|
|
In this example, your organization is granted access to a new resource
|
|
collection that contains one Swarm service.
|
|
|
|
1. Create an organization and a team.
|
|
2. Create a collection for the view-only service.
|
|
3. Deploy a Swarm serivce.
|
|
4. Create a grant to manage user access to the collection.
|
|
|
|
|
|
|
|
|
|
### Create an organization
|
|
|
|
Create an organization with one team, and add one user who isn't an administrator
|
|
to the team.
|
|
|
|
1. Log in to UCP as an administrator.
|
|
2. Navigate to the **Organizations & Teams** page and click
|
|
**Create Organization**. Name the new organization `engineering` and
|
|
click **Create**.
|
|
3. Click **Create Team**, name the new team `Dev`, and click **Create**.
|
|
3. Add a non-admin user to the Dev team.
|
|
|
|
For more, see: [Learn how to create users and teams](usermgmt-create-subjects.md).
|
|
|
|
|
|
### Create a collection for the service
|
|
|
|
1. Navigate to the **Collections** page to view all of the resource
|
|
collections in the swarm.
|
|
2. Find the **Shared** collection and click **View children**.
|
|
3. Click **Create collection** and name the collection `View-only services`.
|
|
4. Click **Create** to create the collection.
|
|
|
|
|
|
|
|
The `/Shared/View-only services` collection is ready to use for access
|
|
control.
|
|
|
|
### Deploy a service
|
|
|
|
Currently, the new collection has no resources assigned to it. To access
|
|
resources through this collection, deploy a new service and add it to the
|
|
collection.
|
|
|
|
1. Navigate to the **Services** page and create a new service, named
|
|
`WordPress`.
|
|
2. In the **Image** textbox, enter `wordpress:latest`. This identifies the
|
|
most recent WordPress image in the Docker Store.
|
|
3. In the left pane, click **Collection**. The **Swarm** collection appears.
|
|
4. Click **View children** to list all of the collections. In **Shared**,
|
|
Click **View children**, find the **View-only services** collection and
|
|
select it.
|
|
5. Click **Create** to add the "WordPress" service to the collection and
|
|
deploy it.
|
|
|
|
|
|
|
|
You're ready to create a grant for controlling access to the "WordPress" service.
|
|
|
|
### Create a grant
|
|
|
|
Currently, users who aren't administrators can't access the
|
|
`/Shared/View-only services` collection. Create a grant to give the
|
|
`engineering` organization view-only access.
|
|
|
|
> A grant is made up of a *subject*, a *role*, and a *resource collection*.
|
|
|
|
1. Navigate to the **Grants** page and click **Create Grant**.
|
|
2. In the left pane, click **Collections**, navigate to **/Shared/View-only services**,
|
|
and click **Select Collection**.
|
|
3. Click **Roles**, and in the dropdown, select **View Only**.
|
|
4. Click **Subjects**, and under **Select subject type**, click **Organizations**.
|
|
In the dropdown, select **engineering**.
|
|
5. Click **Create** to grant permissions to the organization.
|
|
|
|
|
|
|
|
Everything is in place to show role-based access control in action.
|
|
|
|
### Verify the user's permissions
|
|
|
|
Users in the `engineering` organization have view-only access to the
|
|
`/Shared/View-only services` collection. You can confirm this by logging in
|
|
as a non-admin user in the organization and trying to delete the service.
|
|
|
|
1. Log in as the user who you assigned to the Dev team.
|
|
2. Navigate to the **Services** page and click **WordPress**.
|
|
3. In the details pane, confirm that the service's collection is
|
|
**/Shared/View-only services**.
|
|
|
|
|
|
|
|
4. Click the checkbox next to the **WordPress** service, click **Actions**,
|
|
and select **Remove**. You get an error message, because the user
|
|
doesn't have `Service Delete` access to the collection.
|
|
|
|
{% elsif include.version=="ucp-2.2" %}
|
|
|
|
## Deploy Swarm service and restrict access
|
|
|
|
In this example, your organization is granted access to a new resource
|
|
collection that contains one Swarm service.
|
|
|
|
1. Create an organization and a team.
|
|
2. Create a collection for the view-only service.
|
|
3. Deploy a Swarm serivce.
|
|
4. Create a grant to manage user access to the collection.
|
|
|
|
|
|
|
|
|
|
### Create an organization
|
|
|
|
Create an organization with one team, and add one user who isn't an administrator
|
|
to the team.
|
|
|
|
1. Log in to UCP as an administrator.
|
|
2. Navigate to the **Organizations & Teams** page and click
|
|
**Create Organization**. Name the new organization `engineering` and
|
|
click **Create**.
|
|
3. Click **Create Team**, name the new team `Dev`, and click **Create**.
|
|
3. Add a non-admin user to the Dev team.
|
|
|
|
For more, see: [Learn how to create users and teams](usermgmt-create-subjects.md).
|
|
|
|
|
|
### Create a collection for the service
|
|
|
|
1. Navigate to the **Collections** page to view all of the resource
|
|
collections in the swarm.
|
|
2. Find the **Shared** collection and click **View children**.
|
|
3. Click **Create collection** and name the collection `View-only services`.
|
|
4. Click **Create** to create the collection.
|
|
|
|
|
|
|
|
The `/Shared/View-only services` collection is ready to use for access
|
|
control.
|
|
|
|
### Deploy a service
|
|
|
|
Currently, the new collection has no resources assigned to it. To access
|
|
resources through this collection, deploy a new service and add it to the
|
|
collection.
|
|
|
|
1. Navigate to the **Services** page and create a new service, named
|
|
`WordPress`.
|
|
2. In the **Image** textbox, enter `wordpress:latest`. This identifies the
|
|
most recent WordPress image in the Docker Store.
|
|
3. In the left pane, click **Collection**. The **Swarm** collection appears.
|
|
4. Click **View children** to list all of the collections. In **Shared**,
|
|
Click **View children**, find the **View-only services** collection and
|
|
select it.
|
|
5. Click **Create** to add the "WordPress" service to the collection and
|
|
deploy it.
|
|
|
|
|
|
|
|
You're ready to create a grant for controlling access to the "WordPress" service.
|
|
|
|
### Create a grant
|
|
|
|
Currently, users who aren't administrators can't access the
|
|
`/Shared/View-only services` collection. Create a grant to give the
|
|
`engineering` organization view-only access.
|
|
|
|
> A grant is made up of a *subject*, a *role*, and a *resource collection*.
|
|
|
|
1. Navigate to the **Grants** page and click **Create Grant**.
|
|
2. In the left pane, click **Collections**, navigate to **/Shared/View-only services**,
|
|
and click **Select Collection**.
|
|
3. Click **Roles**, and in the dropdown, select **View Only**.
|
|
4. Click **Subjects**, and under **Select subject type**, click **Organizations**.
|
|
In the dropdown, select **engineering**.
|
|
5. Click **Create** to grant permissions to the organization.
|
|
|
|
|
|
|
|
Everything is in place to show role-based access control in action.
|
|
|
|
### Verify the user's permissions
|
|
|
|
Users in the `engineering` organization have view-only access to the
|
|
`/Shared/View-only services` collection. You can confirm this by logging in
|
|
as a non-admin user in the organization and trying to delete the service.
|
|
|
|
1. Log in as the user who you assigned to the Dev team.
|
|
2. Navigate to the **Services** page and click **WordPress**.
|
|
3. In the details pane, confirm that the service's collection is
|
|
**/Shared/View-only services**.
|
|
|
|
|
|
|
|
4. Click the checkbox next to the **WordPress** service, click **Actions**,
|
|
and select **Remove**. You get an error message, because the user
|
|
doesn't have `Service Delete` access to the collection.
|
|
|
|
{% endif %}
|
|
|
|
### Where to go next
|
|
|
|
- [Isolate volumes between two different teams](isolate-volumes-between-teams.md)
|
|
{% endif %}
|