Open CRCinAU opened 5 years ago
mjuraga
commented
5 years ago Hi, we are looking for a way to add various ACLs for users, but we are limited with no database, only resource we have is the config file, and we are currently using userlist section to manage users. We were thinking on adding two groups to start: read-only and admin, but we are still looking for ways to manage this. Let's keep the discussion alive here to get to best possible solutions.
CRCinAU
commented
5 years ago As a small stepping stone, maybe a simple ACL along the lines of: bind, frontend, backend, servers, acl
Each element listed against a user could restrict to only configuring those elements - ie
This would give basic flexibility to allow deployments to add backends, but not change SSL certs or frontend configuration.
My specific scenario is that a user could add / remove servers from existing backends - but not modify the backends themselves. This allows either a higher priv user to create a backend (or done manually with a reload) and then automated deployments can populate backends with servers.
mjuraga
commented
5 years ago We would need to have those groups hardcoded in userlists, this seems like a nice idea, but I would keep it simple, and make them as HAProxy configuration sections only (so backend, frontend, default, global, etc...)
CRCinAU
commented
5 years ago I'm kinda ok with that - as it would stop the problem of deployment scripts (or people who find those details) from altering parts of the haproxy config that you wouldn't really want them to. That's the whole idea.
titansmc
commented
4 years ago Has there been any update on this?
This is a feature request.
It would be nice if we are able to restrict the permissions of users to be able to configure certain elements within haproxy via the API.
For instance, user 'deployment' could add servers to various backends (specified by backend name), but not be allowed to modify other backends or frontend configurations.
This allows for environments that have multiple resources to use specific username / password combinations to affect each projects haproxy configuration resource without allowing complete control over haproxy.