This documentaion consist of authorizations available in Devtron
Parts of the documentaion
This is used to assign user to a particular group and user inherits all the permissions granted to this group. The Permission groups
section contains a drop-down of all existing groups on which you have access. This is optional field and more than one groups can be selected for a user.
The advantage of the groups is to define a set of privileges like create, edit, or delete for the given set of resources that can be shared among the users within the group. Users can be added to an existing group to utilize the privileges that it grants. Any access change to group is reflected immediately in user access.
You can select the group which you are creating in the Group permissions
section inside Add users
.
Go to Global configurations
-> Authorization
-> Permission group
and click on Add Group
to create a new group.
Enter the Group Name
and Description
.
Once you have given the group name and group description.
Assign the permissions of groups in the Devtron Apps
, Helm Apps
or Group Chart
permissions section. Manage the project, environment, application and role access the same as we discuss in the user permissions section.
You can add multiple rows for the Devtron Apps
and Helm Apps
Permissions section.
Once you have finished assigning the appropriate permissions for the permission group, click on Save
.
You can edit the permission groups by clicking on the downward arrow.
Then you can edit the permission group here.
Once you are done editing the permission group, click on Save
.
If you want to delete the groups with particular permission group, click on Delete
.
The chart group permissions for the permission groups will be managed in the same way as for the users. For reference, check Manage chart group permissions for users.
Like any enterprise product, Devtron supports fine grained access control to the resources based on
Type of action allowed on the Devtron resources (Create Vs View)
Sensitivity of the data (Editing image Vs Editing memory)
Access can be added to the User either directly or via Groups.
Devtron supports 5 levels of access:
View: User with view
only access has the least privilege. This user can only view combination of environments, applications and helm charts on which access has been granted to the user. This user cannot view sensitive data like secrets used in applications or charts.
Build and Deploy: In addition to view
privilege mentioned in above, user with build and deploy
permission can build and deploy the image of permitted applications and helm charts to permitted environments.
Admin: User with admin
access can create, edit, delete and view permitted applications in permitted projects.
Manager: User with manager
access can do everything that an admin
type user can do, in addition they can also give and revoke access of users for the applications and environments of which they are manager
.
Super Admin: User with super admin
privilege has unrestricted access to all Devtron resources. Super admin can create, modify, delete and view any Devtron resource without any restriction; its like Superman without the weakness of Kryptonite. Super Admin can also add and delete user access across any Devtron resource, add delete git repository credentials, container registry credentials, cluster and environment.
To control the access of User and Group-
Go to the left main panel -> Select Global Configurations
-> Select User Access
Click on Add User
, to add one or multiple users.
When you click on Add User, you will see 6 options to set permission for users which are as follow:
Email addresses
Assign super admin permissions
Group Permissions
Devtron Apps Permissions
Project
Environment
Applications
Roles
Helm Apps Permissions
Project
Environment or cluster/namespace
Applications
Permission
Chart group permissions
In the Email address
box, you have to provide the mail ID of the user to whom you want to give access to your applications.
IMP
Please note that Email address should be same as that in the email
field in the JWT token returned by OIDC provider.
If you check the option Assign super admin permissions
, the user will get full access to your system and the rest of the options will disappear. Please check above to see permission levels. Only users with super admin permissions can assign super admin permissions to a user.
Click on Save
and your user will be saved with super admin permissions.
We suggest that super admin privileges should be given to only select few.
If you don’t want to assign super admin permissions then you have to provide the rest of the information.
Access to devtron applications can be given to user by attaching permission directly to his/her email id through the Devtron Apps
section. This section has 4 options to manage the permissions of your users.
Project
Select a project from the drop-down to which you want to give permission to the users. You can select only one project at a time if you want to select more than one project then click Add row
.
Environment
In the Environment
section, you can select one or more than one or all environments at a time. Click on the environment section, you will see a drop-down of your environments and select any environment on which you want to give permission to the user.
IMP
If all environments
option is selected then user gets access to all current environments and any new environment which gets associated with this application later.
Applications
Similarly, you can select Applications
from the drop-down corresponding to your selected Environments. In this section, you can also give permissions to one or more than one or to all applications at a time.
IMP
If all applications
option is selected then user gets access to all current applications and any new application which gets associated with this project later.
Roles
Inside the Role
, you actually choose which type of permissions you want to give to the users.
There are four different view access levels/Role available for both User and Group as described above:
You can add multiple rows, for Devtron app permission.
Once you have finished assigning the appropriate permissions for the listed users, Click on Save
.
Access to devtron applications can be given to user by attaching permission directly to his/her email id through the Devtron Apps
section. This section has 4 options to manage the permissions of your users.
Project
Select a project from the drop-down to which you want to give permission to the users. You can select only one project at a time if you want to select more than one project then click Add row
.
Environment or cluster/namespace
In the Environment
section, you can select one or more than one or all environments at a time. Click on the environment section, you will see a drop-down of your environments and select any environment on which you want to give permission to the user.
IMP
If all environments
option is selected then user gets access to all current environments and any new environment which gets associated with this application later.
Applications
Similarly, you can select Applications
from the drop-down corresponding to your selected Environments. In this section, you can also give permissions to one or more than one or to all applications at a time.
IMP
If all applications
option is selected then user gets access to all current applications and any new application which gets associated with this project later.
Permission
Inside the Role
, you actually choose which type of permissions you want to give to the users.
There are four different view access levels/Role available for both User and Group as described above:
You can also manage the access of users to Chart Groups in your project.
NOTE: You can only give users the ability to create
or edit
, not both.
Click on the checkbox of Create
, if you want the users to create, view, edit, or delete the chart groups.
To permit a user to only edit
the chart groups, check Specific chart group
from Edit
drop-down. In the following field, select the chart group for which you want to grant the user edit permission.
Go to Edit
drop-down, if you want to allow
or deny
users to edit the chart groups.
Select on Deny
option from the drop-down, if you want to restrict the users to edit the chart groups.
Select the Specific Charts
option from the drop-down and then select the chart groups for which you want to allow users to edit, from the other drop-down menu.
Click on Save
, once you have configured all the required permissions for the users.
You can edit the user permissions, by clicking on the downward arrow
.
Then you can edit the user permissions here.
After you have done editing the user permissions, click on Save
.
If you want to delete the user/users with particular permissions, click on Delete
.
User Roles | View | Create | Edit | Delete | Build & Deploy |
---|---|---|---|---|---|
User Roles | View | Deploy | Edit | Delete |
---|---|---|---|---|
User Roles | Add User Access | Edit User Access | Delete User Access |
---|---|---|---|
User Role | Add Global Config | Edit Global Config | Delete Global Config |
---|---|---|---|
Action | Permissions |
---|---|
View
Yes
No
No
No
No
Build and Deploy
Yes
No
No
No
Yes
Admin
Yes
Yes
Yes
Yes
Yes
Manager
Yes
Yes
Yes
Yes
Yes
Super Admin
Yes
Yes
Yes
Yes
Yes
View Only
Yes
No
No
No
Build and Deploy
Yes
No
No
No
Admin
Yes
Yes
Yes
Yes
Manager
Yes
Yes
Yes
Yes
Super Admin
Yes
Yes
Yes
Yes
Manager
Yes
Yes
Yes
Super Admin
Yes
Yes
Yes
Super Admin
Yes
Yes
Yes
View
Only can view chart groups
Create
Can create, view, edit or delete
Edit
Deny: Can't edit chart groups
Specific chart groups: can edit specific chart group
API tokens are like ordinary OAuth access tokens. They can be used instead of username and password for programmatic access to API. API token allows users to generate API tokens with the desired access. Only super admin users can generate tokens and see generated tokens.
To generate API tokens, go to global configurations -> Authorizations -> API tokens and click on Generate New Token.
Enter a name for the token
Add Description.
Select an Expiration date for the token(7 days, 30 days, 60 days, 90 days, custom and no expiration)
To select a custom expiration date, select Custom
from the drop-down. This will pop-up a calender from where you can select your custom expiration date for the API token.
Assign permissions to the token. To generate a token with super admin permission, select super admin permission.
Or select specific permission if you want to generate a token with a specific role over a particular Devtron app or Helm app or chart group.
Now click on Generate Token.
A pop-up window will appear over the screen from where you can copy the API token.
Once devtron api token has been generated, you can use this token to hit devtron apis using any api testing tool like Jmeter, postman, citrus. Using postman here.
Open postman. Enter the request URL with POST method and under HEADERS, enter the API token as shown in the image below.
Now, under body, provide the api payload as shown below and click on Send.
As soon as you click on send, the create application api will be triggered and a new devtron app will be created as you mentioned in the payload.
To set a new expiration date or to make changes in permissions assigned to the token, we need to update the API token. To update the API token, click over the token name or click on the edit icon.
To set a new expiration date, you can regenerate the API token. Any scripts or applications using this token will need to be updated. To regenerate a token, click on regenerate token. A pop-up window will appear on the screen from where you can select a new expiration date and then click on regenerate token
.
Select a new expiration date and click on regenerated token.
This will generated a new token with new expiration date.
To update API token permissions, give the permissions as you want to and click on update token.
To delete an API token, click on the delete icon. Any applications or scripts using this token will no longer be able to access the Devtron API.