Commit
Merge branch 'main' into dhartunian-patch-1
dhartunian committed May 15, 2024
2 parents 6bb2e21 + 44c69c0 commit 47ff0d6
Showing 10 changed files with 67 additions and 77 deletions.
1 change: 1 addition & 0 deletions src/current/_data/cloud_releases.csv
Expand Up @@ -84,3 +84,4 @@ date,sha
2024-04-09,null
2024-04-17,null
2024-04-18,null
2024-05-12,null
9 changes: 8 additions & 1 deletion src/current/_includes/cockroachcloud/first-org-user-roles.md
@@ -1,3 +1,10 @@
{{site.data.alerts.callout_info}}
The user who creates a new organization is assigned a combination of Org Administrator, Billing Coordinator, and Cluster Admin at the organization scope. Any of these roles may subsequently be removed, although another user must have the Org Administrator role and the Cluster Admin role at the organization scope, before either of those can be removed. This is to ensure that at least one user has each of these roles.
The user who creates a new organization is assigned the following [roles]({% link cockroachcloud/authorization.md %}#organization-user-roles) at the organization scope:

- [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator)
- [Billing Coordinator]({% link cockroachcloud/authorization.md %}#billing-coordinator)
- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator)
- [Folder Administrator]({% link cockroachcloud/authorization.md %}#folder-admin)

Any of these roles may subsequently be removed by a user with both the Org Administrator role and the Cluster Admin role at the organization scope. This is to ensure that at least one user has both of these roles.
{{site.data.alerts.end}}
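Review bot: the rewritten closing paragraph drops the precondition the original stated. The old text required that another user already hold the Org Administrator and Cluster Admin roles at the organization scope before either role can be removed from the creator; the new sentence only says who may perform the removal, so the justification "This is to ensure that at least one user has both of these roles" no longer follows from it. Suggest restoring the condition, e.g. "Any of these roles may subsequently be removed, but another user must hold both the Org Administrator and Cluster Administrator roles at the organization scope before either of those can be removed." The list also says "Cluster Administrator" while the paragraph says "Cluster Admin"; use one name.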
@@ -0,0 +1 @@
- It is not possible to use the `ccloud` command to view the {% if page.name == 'ccloud-get-started.md' %} [folder]({% link cockroachcloud/folders.md %}){% else %}folder{% endif %} structure, move a cluster or folder into or out of a folder, or assign the `FOLDER_ADMIN` or `FOLDER_MOVER` roles.
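Review bot: `FOLDER_ADMIN` and `FOLDER_MOVER` are written as code identifiers here, while every other file in this commit uses the display names Folder Admin and Folder Mover. If these are the API or Terraform provider role names, say so, or link them to the role sections in authorization.md so readers can map the two.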
@@ -0,0 +1,5 @@
A {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} can create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders.

A user with the {% if page.name == 'authorization.md' %}[Org Administrator](#org-administrator){% else %}[Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator){% endif %} role can grant themselves, another user, or a service account the Folder Admin role.

To create or manage clusters in a folder, a Folder Admin also needs the {% if page.name == 'authorization.md' %}[Cluster Administrator](#cluster-administrator) or [Cluster Creator](#cluster-creator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator){% endif %} role on that folder directly or by inheritance. To delete a cluster, the Cluster Administrator role is required on the cluster directly or by inheritance.
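Review bot: "can create, rename, and move, or delete folders" in the first sentence should read "can create, rename, move, or delete folders". More importantly, the Folder Admin text this include replaces in authorization.md said the role can also be granted on an individual cluster and, when granted on a folder, is inherited by the folder's clusters as well as descendant folders; this include only mentions organization and folder scope and inheritance by descendant folders. Confirm whether the cluster scope and cluster inheritance were dropped on purpose, since that is what determines which clusters a Folder Admin grant actually reaches.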
@@ -0,0 +1,7 @@
A {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} can rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}).

{{site.data.alerts.callout_info}}
A cluster cannot be renamed.
{{site.data.alerts.end}}

A user with the {% if page.name == 'authorization.md' %}[Org Administrator](#org-administrator) or [Folder Admin](#folder-admin){% else %}[Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can grant another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to grant themselves the Folder Mover role.
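Review bot: the final conditional in the first paragraph is unbalanced. The `authorization.md` branch already closes the Cluster Operator link with `)`, and a second `)` follows `{% endif %}`, so on that page the link renders as `(#cluster-operator))`; the `else` branch relies on that trailing `)` and is correct. Move the `)` inside both branches. The two branches also name different roles (Cluster Creator in one, Cluster Administrator in the other); they should agree. Finally, the Folder Mover paragraph this include replaces in authorization.md stated that moving a folder requires permission on both the current location and the target location; that authorization condition is worth carrying into the include rather than losing it.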
7 changes: 7 additions & 0 deletions src/current/_includes/releases/cloud/2024-05-12.md
@@ -0,0 +1,7 @@
## May 12, 2024

<h3 id="2024-05-12-security-updates"> Security updates </h3>

- [Folders]({% link cockroachcloud/folders.md %}) are now available in [preview](https://www.cockroachlabs.com/docs/stable/cockroachdb-feature-availability).
- The initial [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) is now automatically assigned the [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) role.
- A [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) can now view all users and service accounts.
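Review bot: the feature-availability link here points at the `stable` docs page and calls the phase "preview", while the callout added to authorization.md in this same commit links `v23.1/cockroachdb-feature-availability.md` and calls it "Public Preview". Pick one link target and one phase name across the commit.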
47 changes: 14 additions & 33 deletions src/current/cockroachcloud/authorization.md
Expand Up @@ -21,15 +21,16 @@ In CockroachDB {{ site.data.products.cloud }}, an organization corresponds to an

CockroachDB {{ site.data.products.cloud }} has a hierarchical authorization model, where roles can be assigned at different scopes:

1. Organization: Each CockroachDB {{ site.data.products.cloud }} organization has a set of roles defined on it, which allow users to perform administrative tasks relating to the management of clusters, organization users, SQL users, and billing.
1. Folder: If an organization is enrolled in [CockroachDB {{ site.data.products.cloud }} Folders (Limited Access)]({% link cockroachcloud/folders.md %}), roles can be assigned on folders. Role inheritance is transitive; a role granted on the organization or a folder is inherited by descendent resources.
1. Cluster: Each CockroachDB cluster defines its own set of SQL users and roles which grant them permission to execute SQL statements on the cluster.
1. Organization: Each CockroachDB {{ site.data.products.cloud }} organization has a set of [roles](#organization-user-roles) defined on it, which allow users to perform administrative tasks relating to the management of clusters, organization users, SQL users, and billing.
1. Folder: [roles](#organization-user-roles) can be assigned on folders. Role inheritance is transitive; a role granted on the organization or a folder is inherited by descendent resources.

The levels within the hierarchy intersect, because administrating SQL-level users on specific clusters within an organization is an organization-level function.
{{site.data.alerts.callout_success}}
Organizing clusters using folders is available in [Public Preview]({% link v23.1/cockroachdb-feature-availability.md %}#feature-availability-phases). To learn more, refer to [Organize {{ site.data.products.db }} Clusters Using Folders]({% link cockroachcloud/folders.md %}).
{{site.data.alerts.end}}

{{site.data.alerts.callout_success}}
Organizing clusters using folders is available in [Limited Access]({% link v23.1/cockroachdb-feature-availability.md %}#feature-availability-phases). To learn more, refer to [Organize {{ site.data.products.db }} Clusters Using Folders]({% link cockroachcloud/folders.md %}).
{{site.data.alerts.end}}
1. Cluster: Each CockroachDB cluster defines its own set of [SQL users](https://www.cockroachlabs.com/docs/stable/authorization#create-cockroachdb-users) and [roles](https://www.cockroachlabs.com/docs/stable/authorization#create-and-manage-roles) which manage permission to execute SQL statements on the cluster.

The levels within the hierarchy intersect, because administering SQL-level users on specific clusters within an organization is an organization-level function.

For the main pages covering users and roles at the SQL level within a specific database cluster, refer to:

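Review bot: the `callout_success` block is inserted between the Folder item and the Cluster item of the numbered list without indentation, which ends the list; the Cluster item will then start a new list and render as "1." instead of "3.". Either indent the callout under the Folder item or move it after the list. Also, "descendent resources" in the Folder item should be "descendant resources" (the new include files in this commit already use "descendant"), and "Folder: [roles]" should capitalize "Roles" to match the other items.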
Expand All @@ -38,7 +39,7 @@ For the main pages covering users and roles at the SQL level within a specific d

## Organization user roles

When a user is first added to an organization, they are granted the default role, **Org Member**, which grants no permissions and only indicates membership in the organization. Org or Cluster Administrators may edit the roles assigned to organization users in the CockroachDB {{ site.data.products.cloud }} console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API /Terraform Provider.
When a user is first added to an organization, they are granted the default role, **Org Member**, which grants no permission and only indicates membership in the organization. Org or Cluster Administrators may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider.

{% include_cached cockroachcloud/first-org-user-roles.md %}

Expand All @@ -48,7 +49,7 @@ The following CockroachDB {{ site.data.products.cloud }} organization roles can

### Organization Member

This default role is granted to all organization users once they are invited. It grants no permissions to perform cluster or organization actions.
This default role is granted to all organization users when they are invited or provisioned. It grants no permissions to perform cluster or organization actions.

### Org Administrator

Expand Down Expand Up @@ -133,33 +134,13 @@ This role can be granted at the scope of the organization, on an individual clus

### Folder Admin

{{site.data.alerts.callout_success}}
{% include_cached feature-phases/limited-access.md %}
{{site.data.alerts.end}}

This role is available only when your organization is enrolled in the [Folders]({% link cockroachcloud/folders.md %}) Limited Access.

Folder Admins can create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. This role can be granted at the level of the organization or on a specific folder. If granted on a specific folder, the role is inherited by descendent folders.

An [Org Administrator](#org-administrator) role can grant any user or service account the Folder Admin role.

To create a cluster in a folder, the user must also have the Cluster Administrator or [Cluster Creator](#cluster-creator) role on that folder. To delete a cluster, the user must have the Cluster Administrator role, either on the cluster directly or by inheritance.

This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
{% capture folder_admin_docs %}{% include cockroachcloud/org-roles/folder-admin.md %}{% endcapture %}
{{ folder_admin_docs | strip }}

### Folder Mover

{{site.data.alerts.callout_success}}
{% include_cached feature-phases/limited-access.md %}
{{site.data.alerts.end}}

This role is available only when your organization is enrolled in the [Folders]({% link cockroachcloud/folders.md %}) Limited Access.

Folder Movers can rename folders and move resources within them, but cannot create or delete folders, and cannot manage access to folders or clusters. To move a folder, you must have permission on both the current location and the target location. Folder Movers and Folder Admins have this permission.

A user with the [Org Administrator](#org-administrator) or the [Folder Admin](#folder-admin) role can grant themselves, another user, or a service account the Folder Mover role.

This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
{% capture folder_mover_docs %}{% include cockroachcloud/org-roles/folder-mover.md %}{% endcapture %}
{{ folder_mover_docs | strip }}

## Service accounts

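Review bot: this hunk replaces the inline Folder Admin and Folder Mover sections with includes, but the removed paragraphs carried two statements the new include files added in this commit do not: that both roles can be granted on an individual cluster and, when granted on a folder, are inherited by the folder's clusters as well as descendant folders, and that moving a folder requires permission on both the current and the target location. If those statements are still accurate, they should live in the include files; if they are no longer accurate, the removal deserves a mention in the release note.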
9 changes: 6 additions & 3 deletions src/current/cockroachcloud/ccloud-get-started.md
Expand Up @@ -358,19 +358,19 @@ Using SSO login requires that a separate SSO SQL user for your account is create
To create a SSO SQL user:
1. Connect to the cluster using the `--sso` flag.
{% include_cached copy-clipboard.html %}
~~~ shell
ccloud cluster sql --sso blue-dog
~~~
1. Log in to your organization when prompted by `ccloud`.
1. Copy the command in the error message to create the SSO SQL user with the correct username.
You must have `admin` privileges to create the SSO SQL user.
1. Create the SSO SQL user by pasting and running the command you copied.
For example, if the command in the error message creates a `sso_maxroach` user:
{% include_cached copy-clipboard.html %}
Expand Down Expand Up @@ -516,3 +516,6 @@ Cockroach Labs collects anonymized telemetry events to improve the usability of
ccloud settings set --disable-telemetry=true
~~~

## Limitations

- {% include cockroachcloud/limitations/limitation-ccloud-folders.md %}
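Review bot: the new Limitations bullet is written as `- {% include ... %}`, but the included file `limitation-ccloud-folders.md` added in this commit already begins with `- It is not possible`, so the rendered page will show a nested or doubled list marker. Drop the leading `- ` from either the include directive or the include file.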