docs/doc/source/security/kubernetes/configure-users-groups-and-authorization.rst


.. rzl1582124533847
.. _configure-users-groups-and-authorization:

==========================================
Configure Users, Groups, and Authorization
==========================================

You can create a **user**, and optionally one or more **groups** that the
**user** is a member of, in your Windows Active Directory server.

.. rubric:: |context|

The example below is for a **testuser** user who is a member of the,
**billingDeptGroup**, and **managerGroup** groups. See `Microsoft
documentation on Windows Active Directory
<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/vi
rtual-dc/active-directory-domain-services-overview>`__ for additional
information on adding users and groups to Windows Active Directory.

Use the following procedure to configure the desired authorization on
|prod-long| for the user or the user's group\(s):

.. rubric:: |proc|


.. _configure-users-groups-and-authorization-steps-b2f-ck4-dlb:

#.  In |prod-long|, bind Kubernetes |RBAC| role\(s) for the **testuser**.

    For example, give **testuser** admin privileges, by creating the
    following deployment file, and deploy the file with :command:`kubectl
    apply -f` <filename>.

    .. code-block:: none

        kind: ClusterRoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
         name: testuser-rolebinding
        roleRef:
         apiGroup: rbac.authorization.k8s.io
         kind: ClusterRole
         name: cluster-admin
        subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: User
          name: testuser


    Alternatively, you can bind Kubernetes |RBAC| role\(s) for the group\(s)
    of the **testuser**.

    For example, give all members of the **billingDeptGroup** admin
    privileges, by creating the following deployment file, and deploy the
    file with :command:`kubectl apply -f` <filename>.

    .. code-block:: none

        kind: ClusterRoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
         name: testuser-rolebinding
        roleRef:
         apiGroup: rbac.authorization.k8s.io
         kind: ClusterRole
         name: cluster-admin
        subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: billingDeptGroup
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. rzl1582124533847`
			`.. _configure-users-groups-and-authorization:`

			`==========================================`
			`Configure Users, Groups, and Authorization`
			`==========================================`

			`You can create a user, and optionally one or more groups that the`
			`user is a member of, in your Windows Active Directory server.`

			`.. rubric:: \|context\|`

			`The example below is for a testuser user who is a member of the,`
			billingDeptGroup, and managerGroup groups. See `Microsoft
			`documentation on Windows Active Directory`
			`<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/vi`
			rtual-dc/active-directory-domain-services-overview>`__ for additional
			`information on adding users and groups to Windows Active Directory.`

			`Use the following procedure to configure the desired authorization on`
Remove spurious escapes (r8,dsR8) This change addresses a long-standing issue in rST documentation imported from XML. That import process added backslash escapes in front of various characters. The three most common being '(', ')', and '_'. These instances are removed. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e 2023-02-28 14:02:05 +00:00			`\|prod-long\| for the user or the user's group\(s):`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. rubric:: \|proc\|`


			`.. _configure-users-groups-and-authorization-steps-b2f-ck4-dlb:`

Remove spurious escapes (r8,dsR8) This change addresses a long-standing issue in rST documentation imported from XML. That import process added backslash escapes in front of various characters. The three most common being '(', ')', and '_'. These instances are removed. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e 2023-02-28 14:02:05 +00:00			`#. In \|prod-long\|, bind Kubernetes \|RBAC\| role\(s) for the testuser.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`For example, give testuser admin privileges, by creating the`
			following deployment file, and deploy the file with :command:`kubectl
			apply -f` <filename>.

			`.. code-block:: none`

			`kind: ClusterRoleBinding`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
			`name: testuser-rolebinding`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: cluster-admin`
			`subjects:`
			`- apiGroup: rbac.authorization.k8s.io`
			`kind: User`
			`name: testuser`


Remove spurious escapes (r8,dsR8) This change addresses a long-standing issue in rST documentation imported from XML. That import process added backslash escapes in front of various characters. The three most common being '(', ')', and '_'. These instances are removed. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e 2023-02-28 14:02:05 +00:00			`Alternatively, you can bind Kubernetes \|RBAC\| role\(s) for the group\(s)`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`of the testuser.`

			`For example, give all members of the billingDeptGroup admin`
			`privileges, by creating the following deployment file, and deploy the`
			file with :command:`kubectl apply -f` <filename>.

			`.. code-block:: none`

			`kind: ClusterRoleBinding`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
			`name: testuser-rolebinding`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: cluster-admin`
			`subjects:`
			`- apiGroup: rbac.authorization.k8s.io`
			`kind: Group`
			`name: billingDeptGroup`