RBAC overview in FlashArray
Summary and Key concepts
Summary:
This article details Portworx's Role-Based Access Control (RBAC) and security models, explaining how Portworx uses RBAC for both cluster and volume operations. It covers key concepts such as authentication, authorization, and ownership, all of which are managed using JSON Web Tokens (JWT). The article also explains the creation of tokens, ownership models, and different roles, including system administrators and guest users. Additionally, it outlines how tokens are generated, how they are validated, and how claims within a token control access. Built-in roles like system.admin and system.guest are also explained, and their behavior in managing access to volumes is discussed.
Kubernetes Concepts:
Portworx Concepts:
Portworx supports Role-based Access Control (RBAC) over both cluster operations and volume operations. The platform provides namespace-granular, role-based authentication, authorization, and ownership in addition to volume encryption.
This document walks you through the different components used to secure Portworx through RBAC.
General considerations
Portworx RBAC centers around the ubiquitous JWT-based authentication and authorization model. This technology is currently used by most major internet sites and applications, providing a proven, secure model for user and account identification.
A token is generated by a token authority and signed using either a private key or a shared secret. Then, the user provides the token to Portworx for identification. No passwords are ever sent to Portworx.
With this model, Portworx only needs to verify the validity of the token to authenticate the user. Portworx then discards the token, ensuring that tokens are never stored on a Portworx system.
The token contains a section called claims which identifies the user and provides authorization information in the form of RBAC. Portworx uses the RBAC information to determine if the user is authorized to make the request.
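The flow described above (token authority signs, Portworx verifies and reads the claims) as an added, stand-alone illustration that is not Portworx's own code: it uses the shared-secret (HS256) variant only, since the Python standard library has no RSA support. The claim names `sub`, `roles` and `exp`, the constructed secret, and the rule that `system.admin` grants full access are assumptions for the example; the page does not specify Portworx's actual claim layout.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Token-authority side: sign the claims with the shared secret (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Verifier side: accept nothing from the token until signature and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    current = time.time() if now is None else now
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims  # only now are the claims trusted for authorization


def is_admin(claims: dict) -> bool:
    """Authorization decision taken from the verified claims (assumed 'roles' claim)."""
    return "system.admin" in claims.get("roles", [])
```

The verifier never needs a password: the only secret it holds is the signing key, and the token is discarded after the claims are read.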