Summary:
Add commands corresponding to RBAC APIs.
RBAC Command
```
yba rbac
Manage YugabyteDB Anywhere RBAC (Role-Based Access Control)
Usage:
yba rbac [flags]
yba rbac [command]
Available Commands:
permission Manage YugabyteDB Anywhere RBAC permissions
role Manage YugabyteDB Anywhere RBAC roles
Flags:
-h, --help help for rbac
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
```
Permission command
```
yba rbac permission
Manage YugabyteDB Anywhere RBAC permissions
Usage:
yba rbac permission [flags]
yba rbac permission [command]
Available Commands:
describe Describe a YugabyteDB Anywhere RBAC permission
list List YugabyteDB Anywhere permissions
Flags:
-h, --help help for permission
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
Use "yba rbac permission [command] --help" for more information about a command.
```
List Permission
```
yba rbac permission list
List YugabyteDB Anywhere permissions
Usage:
yba rbac permission list [flags]
Aliases:
list, ls
Examples:
yba rbac permission list
Flags:
-n, --name string [Optional] Name of the permission. Quote name if it contains space.
--resource-type string [Optional] Resource type of the permission. Allowed values: universe, role, user, other. If not specified, all resource types are returned.
-h, --help help for list
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
```
Describe Permission
```
yba rbac permission describe -h
Describe a RBAC permission in YugabyteDB Anywhere
Usage:
yba rbac permission describe [flags]
Aliases:
describe, get
Examples:
yba rbac permission describe --name <permission-name>
Flags:
-n, --name string [Required] Name of the permission. Quote name if it contains space.
-h, --help help for describe
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
```
Role command
```
yba rbac role
Manage YugabyteDB Anywhere RBAC roles
Usage:
yba rbac role [flags]
yba rbac role [command]
Available Commands:
create Create YugabyteDB Anywhere RBAC roles
delete Delete a YugabyteDB Anywhere role
describe Describe a YugabyteDB Anywhere RBAC role
list List YugabyteDB Anywhere roles
update Update a YugabyteDB Anywhere role
Flags:
-h, --help help for role
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
```
List Role command
```
yba rbac role list
List YugabyteDB Anywhere roles
Usage:
yba rbac role list [flags]
Aliases:
list, ls
Examples:
yba rbac role list
Flags:
-n, --name string [Optional] Name of the role. Quote name if it contains space.
--type string [Optional] Role type. Allowed values: system, custom. If not specified, all role types are returned.
-h, --help help for list
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
```
Describe role:
```
yba rbac role describe -h
Describe a RBAC role in YugabyteDB Anywhere
Usage:
yba rbac role describe [flags]
Aliases:
describe, get
Examples:
yba rbac role describe --name <role-name>
Flags:
-n, --name string [Required] Name of the role. Quote name if it contains space.
-h, --help help for describe
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
```
Delete role
```
yba rbac role delete -h
Delete a role in YugabyteDB Anywhere
Usage:
yba rbac role delete [flags]
Aliases:
delete, remove, rm
Examples:
yba role delete --name <role-name>
Flags:
-n, --name string [Required] The name of the role to be deleted.
-f, --force [Optional] Bypass the prompt for non-interactive usage.
-h, --help help for delete
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
```
Create role
```
yba rbac role create -h
Create YugabyteDB Anywhere RBAC roles
Usage:
yba rbac role create [flags]
Aliases:
create, add
Examples:
yba rbac role create --name <role-name> \
--permission resource-type=other::action=read \
--description <description>
Flags:
-n, --name string [Required] Name of the role. Quote name if it contains space.
--description string [Optional] Description of the role. Quote description if it contains space.
--permission stringArray [Required] Permissions associated with the role. Minimum number of required permissions = 1. Provide the following double colon (::) separated fields as key-value pairs: "resource-type=<resource-type>::action=<action>". Both are requires key-values. Allowed resource types are universe, role, user, other. Allowed actions are create, read, update, delete, pause_resume, backup_restore, update_role_bindings, update_profile, super_admin_actions, xcluster. Each permission needs to be added using a separate --permission flag. Example: --permission resource-type=other::action=delete --permission resource-type=universe::action=write
-h, --help help for create
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
```
Update role command:
```
yba rbac role update -h
Update a role in YugabyteDB Anywhere
Usage:
yba rbac role update [flags]
Aliases:
update, edit
Examples:
yba rbac role update --name <role-name> \
--add-permission resource-type=other::action=create
Flags:
-n, --name string [Required] Role name to be updated.
--add-permission stringArray [Optional] Add permissions to the role. Provide the following double colon (::) separated fields as key-value pairs: "resource-type=<resource-type>::action=<action>". Both are requires key-values. Allowed resource types are: universe, role, user, other. Allowed actions are: create, read, update, delete, pause_resume, backup_restore, update_role_bindings, update_profile, super_admin_actions, xcluster.Quote action if it contains space. Each permission needs to be added using a separate --add-permission flag.
--remove-permission stringArray [Optional] Remove permissions from the role. Provide the following double colon (::) separated fields as key-value pairs: "resource-type=<resource-type>::action=<action>". Both are requires key-values. Allowed resource types are: universe, role, user, other. Allowed actions are: create, read, update, delete, pause_resume, backup_restore, update_role_bindings, update_profile, super_admin_actions, xcluster.Quote action if it contains space. Each permission needs to be removed using a separate --remove-permission flag.
-h, --help help for update
Global Flags:
-a, --apiToken string YugabyteDB Anywhere api token.
--config string Config file, defaults to $HOME/.yba-cli.yaml
--debug Use debug mode, same as --logLevel debug.
--disable-color Disable colors in output. (default false)
-H, --host string YugabyteDB Anywhere Host (default "http://localhost:9000")
-l, --logLevel string Select the desired log level format. Allowed values: debug, info, warn, error, fatal. (default "info")
-o, --output string Select the desired output format. Allowed values: table, json, pretty. (default "table")
--timeout duration Wait command timeout, example: 5m, 1h. (default 168h0m0s)
--wait Wait until the task is completed, otherwise it will exit immediately. (default true)
```
Original commit: 59c70430d1ef2016ebb7ec85014f1edfcebe67fe / D40222
Test Plan:
`yba rbac permission list`
```
Name Resource Type Action Permission Valid On Resource
Update Role ROLE UPDATE false
Create Role ROLE CREATE false
View Role ROLE READ false
Delete Role ROLE DELETE false
Delete User USER DELETE false
Update Role Bindings USER UPDATE_ROLE_BINDINGS false
Create User USER CREATE false
Update User Profile USER UPDATE_PROFILE false
View User USER READ false
View Universe UNIVERSE READ true
Manage XCluster UNIVERSE XCLUSTER true
Update Universe UNIVERSE UPDATE true
Create Universe UNIVERSE CREATE false
Backup/Restore Universe UNIVERSE BACKUP_RESTORE true
Pause/Resume Universe UNIVERSE PAUSE_RESUME true
Delete Universe UNIVERSE DELETE true
View Resource OTHER READ false
Create Resource OTHER CREATE false
Update Resource OTHER UPDATE false
Delete Resource OTHER DELETE false
Super Admin Actions OTHER SUPER_ADMIN_ACTIONS false
```
`yba rbac permission describe --name "View Universe"`
```
General
Name Resource Type Action Permission Valid On Resource
View Universe UNIVERSE READ true
Permission Details
Description
Allows user to view a universe.
Prerequisite Permissions
Permission 1: Details
Action Resource Type
READ OTHER
```
`yba rbac role list`
```
Name UUID Role Type
ReadOnly a392c6cc-a57d-4a04-acb8-0e1d4d1f1205 System
BackupAdmin f201e3fc-845a-4b5f-9f84-052b6c24d1a3 System
ConnectOnly 7b10ff16-5ac0-4cfe-b1ee-0a0673a5f86b System
Admin 1c4f107e-a2a4-4b45-916b-3ea6a936e85e System
SuperAdmin 5853e7a7-0a89-4472-a354-d473de7c21ae System
Developer L2 bef2eb73-020a-45f1-a9c2-23a5877714d5 Custom
Software L1 019e26b0-0ee2-476c-bb86-b85c20c26412 Custom
```
`yba rbac role get -n "Developer L2"`
```
General
Name UUID Role Type
Developer L2 bef2eb73-020a-45f1-a9c2-23a5877714d5 Custom
Role Details
Description
Access to selected universes
Created On Updated On
Thu, 08 Feb 2024 03:12:41 +0000 Mon, 05 Aug 2024 05:49:24 +0000
Permissions
Permission 1: Details
Action Resource Type
BACKUP_RESTORE UNIVERSE
Permission 2: Details
Action Resource Type
READ UNIVERSE
Permission 3: Details
Action Resource Type
PAUSE_RESUME UNIVERSE
Permission 4: Details
Action Resource Type
READ OTHER
Permission 5: Details
Action Resource Type
DELETE UNIVERSE
Permission 6: Details
Action Resource Type
XCLUSTER UNIVERSE
Permission 7: Details
Action Resource Type
UPDATE UNIVERSE
```
`yba rbac role create -n test-cli --permission resource-type=universe::action=delete --permission resource-type=universe::action=read --permission resource-type=other::action=read`
```
Name UUID Role Type
test-cli f323efd8-90ea-4090-9b41-00922866aea0 Custom
```
`yba rbac role update -n test-cli --add-permission resource-type=universe::action=read`
```
Name UUID Role Type
test-cli f323efd8-90ea-4090-9b41-00922866aea0 Custom
```
Reviewers: skurapati
Reviewed By: skurapati
Subscribers: yugaware
Differential Revision: https://phorge.dev.yugabyte.com/D40413
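
A pre-flight check for the `--permission` / `--add-permission` value format described in the help text above, as an added example (not code from this commit or from yba-cli). `ParsePermission` and `RejectedSpecs` are hypothetical names, and exact lower-case matching against the allowed lists is an assumption; the help text's own `action=write` sample is rejected here because `write` is not in the allowed-actions list printed alongside it.

```go
package main

import (
	"fmt"
	"strings"
)

// Allowed values copied from the --permission help text on this page.
var resourceTypes = map[string]bool{"universe": true, "role": true, "user": true, "other": true}
var actions = map[string]bool{"create": true, "read": true, "update": true, "delete": true,
	"pause_resume": true, "backup_restore": true, "update_role_bindings": true,
	"update_profile": true, "super_admin_actions": true, "xcluster": true}

// Permission is one parsed --permission value.
type Permission struct{ ResourceType, Action string }

// ParsePermission (hypothetical helper, not yba-cli code) parses
// "resource-type=<resource-type>::action=<action>". Matching is exact and
// lower-case, as the values appear in the help text (an assumption).
func ParsePermission(spec string) (Permission, error) {
	fields := map[string]string{}
	for _, kv := range strings.Split(spec, "::") {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if _, dup := fields[k]; dup || !ok || (k != "resource-type" && k != "action") {
			return Permission{}, fmt.Errorf("%q: bad or repeated field %q", spec, kv)
		}
		fields[k] = v
	}
	// A missing key leaves an empty string, which is in neither allowed list.
	p := Permission{fields["resource-type"], fields["action"]}
	if !resourceTypes[p.ResourceType] || !actions[p.Action] {
		return Permission{}, fmt.Errorf("%q: resource type or action not in the allowed lists", spec)
	}
	return p, nil
}

// RejectedSpecs returns the specs that fail validation, so a wrapper can
// refuse to run `yba rbac role create` until the list is empty.
func RejectedSpecs(specs []string) []string {
	var bad []string
	for _, s := range specs {
		if _, err := ParsePermission(s); err != nil {
			bad = append(bad, s)
		}
	}
	return bad
}

func main() {
	// Constructed input: two specs taken from the examples on this page.
	fmt.Println(RejectedSpecs([]string{"resource-type=universe::action=read", "resource-type=universe::action=write"}))
}
```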