Introduction 📃
Hello Ninjas! As a companion on your Puppet learning journey, we are back with another article on Puppet. In this article, we are going to learn about the basics of RBAC API v1 in Puppet, covering its four primary groups of endpoints.
But before that, let's first understand Puppet and RBAC.
Puppet
Puppet is a software configuration management tool. It has a declarative language to manage the settings. It is a platform to configure the system and software settings. You do not need much knowledge of programming to use Puppet. Puppet Enterprise is built on top of Puppet. It is a lightweight and commercial version of Puppet. To get started with Puppet Enterprise, visit Installing and Configuring Puppet Enterprise.
We will refer to Puppet Enterprise as PE for convenience. Let's now discuss RBAC.
Role-Based Access Control (RBAC)
RBAC is a method for managing access based on the tasks that specific employees perform for the company. RBAC ensures that employees only have access to the data they need to carry out their duties by blocking them from accessing information that is not relevant to them.
Because an employee's rights are decided by their role in the company, lower-level workers are not allowed to use sensitive information or perform high-level tasks. The role-based access control data model bases roles on several variables, such as permission, duty, and work skill. Because of this, companies can identify a user as an admin, expert user, or end user. One example of how access to computer resources can be limited to specific tasks is the ability to read, create, or modify files.
RBAC API Requests Creation
The RBAC API accepts requests made over HTTPS. Most endpoints require authentication; you can authenticate a request with an allowed certificate or with a user login token. RBAC API requests must use a URI path of the following format.
https://<DNS>:4433/rbac-api/<VERSION>/<ENDPOINT>
The variable parts of the path are:
VERSION: Either v1 or v2, depending on the endpoint.
DNS: The DNS name of your PE console host. You can obtain it with a puppet command, use localhost, or type the DNS name manually.
ENDPOINT: One or more path segments that specify the endpoint, such as users or roles. Some endpoints, like POST /command/roles/add-users, require extra segments.
Basics of RBAC API v1 in Puppet
RBAC (role-based access control) is a system in which user roles are used to assign permissions and control user access. RBAC is used to manage access in Puppet. This article discusses four primary groups of endpoints in the RBAC API v1.
Wait, Ninjas! What is an endpoint? An endpoint is simply one end of a communication channel. When an API communicates with another system, the points of contact are referred to as endpoints. An endpoint for APIs can include a server or service URL.
Following are the four points to be discussed later in this article.
User Endpoints
User Groups Endpoints
User Roles Endpoints
Permissions Endpoints
Let us get started.
User Endpoints
RBAC (role-based access control) manages local and remote users. Remote users are created by external directory services. The user endpoints are used to list users, create local users, and revoke, reinstate, and delete users in Puppet Enterprise.
Following are the endpoints and their functions.
GET /users: Get a list of all (local and remote) users.
GET /users/<sid>: To get details of a particular user.
GET /users/current: Get details about the current user.
GET /users/<sid>/tokens: To get a list of tokens for a particular user.
POST /users: Create a new local user.
PUT /users/<sid>: Edit an existing user.
DELETE /users/<sid>: Delete a particular user from the PE.
POST /command/users/add-roles: Assign user roles to users.
POST /command/users/remove-roles: Remove user roles from users.
POST /command/users/revoke: Revoke the user’s access to the PE.
POST /command/users/reinstate: Reinstate the user's access to the PE.
You will encounter user endpoint keys in the requests and responses of these user endpoints. We will now discuss the user endpoint RBAC v1 keys.
Key: definition. Example: value
id: A UUID that identifies the user. Example: "4fee7450-54c7-11e4-916c-0800200c9a66"
login: The string used to log in to PE. Unique among users and groups. Example: "admin"
email: An email address string. It is not used by any code. Example: "bill@gmail.com"
display_name: The user's name. Example: "Ryan Bill"
role_ids: An array of role IDs for the user roles assigned directly to the user. Can be empty. Example: [1, 4, 5]
is_group, is_remote, is_superuser: Booleans indicating whether the user is a remote user or a superuser. is_group is always false for users. Example: true or false
is_revoked: If true, the user's access to PE is revoked until it is set back to false or the password is reset via a token. Example: true or false
last_login: A timestamp in YYYY-MM-DDThh:mm:ssZ format giving the time the user last logged in. It is null if the user has never logged in. Example: "2022-05-01T01:12:00Z"
inherited_role_ids: Remote users only. An array of role IDs for the user roles the user inherits from their groups. Example: [2, 6]
group_ids: Remote users only. An array of UUIDs of the groups the user belongs to and inherits roles from. Example: ["3a96d280-54c9-11e4-916c-0800200c9a66"]
User Group Endpoints
You can use user groups to assign roles to a set of users collectively, which is better than assigning user roles to users individually. You can perform various operations on user groups, like getting the list of user groups, and creating, editing, and deleting user groups.
Note: Group memberships are governed by directory service hierarchy. Hence the local users that only exist in the PE console cannot be part of directory groups.
Following are the RBAC v1 user group endpoints and their functions.
GET /groups: To get a list of all user groups. Authentication is required.
GET /groups/<sid>: Get details about a particular user group.
POST /groups: Create a new remote directory user group.
PUT /groups/<sid>: Edit a particular user group. Edit user roles or memberships associated with the specified user group.
DELETE /groups/<sid>: Delete a specified user group from PE. It does not change the associated directory service.
Let us now discuss user groups endpoints RBAC v1 keys.
Key: definition. Example: value
id: A UUID that identifies the group. Example: "c099d420-5557-11e4-916c-0800200c9a66"
login: The string used to log in to PE. Unique among users and groups. Example: "admins"
display_name: The name of the user group. Example: "Admins"
role_ids: An array of role IDs indicating the user roles assigned to the group. Example: [2, 4]
is_group, is_remote, is_superuser: Indicate that this is a group derived from a directory service and not a superuser. Example: true, true, and false (fixed)
is_revoked: Has no effect, since this is a group. Example: true or false
user_ids: An array of user IDs indicating the users that are members of the group. Example: ["3a96d280-54c9-11e4-916c-0800200c9a66"]
User Roles Endpoints
User roles are a set of permissions. It is better to create a role with a set of permissions and then assign the role to multiple users or groups. A user assigned a role gets all the permissions associated with the role. Permissions are additive. If a user or group has more than one role, then the permissions of all the roles are added to the user or group.
Following are the user role endpoints you can use to manage user roles.
GET /roles: Get a list of all user roles.
GET /roles/<rid>: Get details about a specific user role.
POST /roles: Create a new user role.
PUT /roles/<rid>: Edit an existing role.
DELETE /roles/<rid>: Delete a user role.
POST /command/roles/add-users: Assign a user role to users.
POST /command/roles/remove-users: Remove a user role from users.
POST /command/roles/add-user-groups: Assign a user role to groups.
POST /command/roles/remove-user-groups: Remove a user role from groups.
POST /command/roles/add-permissions: Add permissions to a user role.
POST /command/roles/remove-permissions: Remove permissions from a user role.
The requests and responses of these endpoints use a set of keys that you should be familiar with to work with user roles. Let us now discuss the RBAC v1 roles endpoint keys.
Key: definition. Example: value
id: An integer that identifies the user role. Example: 2
display_name: The name of the role. Example: "Viewers"
description: A string describing the purpose of the user role. Example: "View-only permissions"
permissions: An array of permission objects indicating the permissions associated with the user role. Can be empty. Example: []
user_ids, group_ids: Arrays of UUIDs of the users and groups that are assigned the user role directly. Users that inherit the role from a group are not listed. Can be empty. Example: ["fc115750-555a-11e4-916c-0800200c9a66"]
Permissions Endpoints
Permissions specify what a user can do and access in PE. You add permissions to a user role and then assign the role to users or groups. You can use the permissions endpoints in RBAC v1 to inspect and check permissions: which object types you can create permissions for, which actions can be permitted on them, and what a given user can do with those objects.
A permission has three components.
Type (object_type)
Permission (action)
Object (instance of Type)
A permission applies to a type of object and grants a set of actions that can be performed on it. You can also restrict the permission to a particular instance (object) of that type.
Let us now discuss the RBAC v1 permissions endpoints.
GET /types: Get a list of all object types, the actions that can be performed on each, and whether the type supports specifying individual instances.
POST /permitted: To check whether a user or group has a particular permission. It checks whether a user or group can perform an action or not.
GET /permitted/<object-type>/<action>: Get a list of all the instances of a particular object type on which a particular action can be performed.
GET /permitted/<object-type>/<action>/<uuid>: Get a list of all the instances of a particular object type on which a particular action can be performed by a specific user.
Let us now discuss the keys used with RBAC v1 permission endpoints.
Key: definition. Example: value
object_type: A string indicating the type of object on which the permission is granted. Example: "node_groups"
action: A string indicating the permitted action, such as creating, viewing, editing, or deleting. Example: "modify_children"
actions: An array of action objects. Example: each JSON object contains name, display_name, description, and has_instances.
instance: A string indicating the scope of the permission. To apply the permission to a particular instance of the object type, pass the UUID of that instance. To apply the permission to all instances of the object type, or if the object type does not support instance specification, pass "*". Example: "*" for all instances, or the UUID of a specific instance, such as "cec7e830-555b-11e4-916c-0800200c9a66"
display_name: A string giving the object type name as it appears in the PE console. Example: "Node Groups"
description: A description of the object type. Example: "Groups that nodes can be assigned to."
token: The UUID of the user or user group whose permissions are being checked in the POST /permitted endpoint. Example: "cec7e830-555b-11e4-916c-0800200c9a66"
Note: Use system names, not display names, for object_type and actions.
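The following is an added example, not code from the article or from Puppet, that puts the user, group, role and permission keys above together. It reviews constructed GET /users, GET /groups and GET /roles data offline, merges additive role permissions the way the roles section describes, answers the question POST /permitted asks, and builds the request URI and body. The IDs are made up, the port 4433 is the one the article gives, and the POST /permitted body shape ({"token": ..., "permissions": [...]}) is assumed from the keys listed above.

```python
import json

# Constructed sample data in the shape of GET /roles, GET /groups and GET /users
# responses. Every ID below is made up for the example.
ROLES = {
    2: {"permissions": [{"object_type": "node_groups", "action": "view", "instance": "*"}]},
    4: {"permissions": [{"object_type": "node_groups", "action": "modify_children",
                         "instance": "cec7e830-555b-11e4-916c-0800200c9a66"}]},
    5: {"permissions": []},
}
GROUPS = {"3a96d280-54c9-11e4-916c-0800200c9a66": {"role_ids": [2]}}
USERS = {
    "4fee7450-54c7-11e4-916c-0800200c9a66": {
        "login": "bill", "is_superuser": False, "is_revoked": False,
        "role_ids": [4, 5], "group_ids": ["3a96d280-54c9-11e4-916c-0800200c9a66"]},
    "fc115750-555a-11e4-916c-0800200c9a66": {
        "login": "gone", "is_superuser": False, "is_revoked": True,
        "role_ids": [4], "group_ids": []},
}

def rbac_url(dns, version, endpoint):
    """Build the request URI in the https://<DNS>:4433/rbac-api/<VERSION>/<ENDPOINT> format."""
    return f"https://{dns}:4433/rbac-api/{version}/{endpoint.lstrip('/')}"

def effective_permissions(user_id):
    """Union of permissions from direct roles and roles inherited via groups (additive)."""
    user = USERS[user_id]
    if user["is_revoked"]:
        return set()  # a revoked user keeps their roles but cannot use PE
    role_ids = list(user["role_ids"])
    for gid in user["group_ids"]:
        role_ids += GROUPS[gid]["role_ids"]  # inherited_role_ids, derived from groups
    return {(p["object_type"], p["action"], p["instance"])
            for rid in role_ids for p in ROLES[rid]["permissions"]}

def permitted(user_id, object_type, action, instance="*"):
    """Local answer to the question POST /permitted asks the console for one check.
    A permission on "*" covers every instance; one on a UUID covers only that instance."""
    user = USERS[user_id]
    if user["is_superuser"] and not user["is_revoked"]:
        return True
    return any(ot == object_type and a == action and inst in ("*", instance)
               for ot, a, inst in effective_permissions(user_id))

def permitted_body(subject_id, checks):
    """JSON body for POST /permitted; each check is (object_type, action, instance)."""
    return json.dumps({"token": subject_id,
                       "permissions": [dict(zip(("object_type", "action", "instance"), c))
                                       for c in checks]})
```

Comparing the local answer with the console's POST /permitted response for the same body is a quick way to spot role assignments that grant more than a reviewer expected.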
Frequently Asked Questions
What is Puppet?
Puppet is a software configuration management tool. It is a platform to configure the system and software settings. Puppet has its declarative language to manage the settings. You do not need much knowledge of programming to use Puppet.
What are user roles in PE?
The user roles are a set of permissions or privileges. These roles can be assigned to a group of users. The users assigned a role get all the permissions associated with the user role.
What happens if more than one user role is assigned to a user?
Each user role has some permissions associated with them. If more than one user role is assigned to a user, then the user gets the permissions of all the roles.
What are the four endpoints in RBAC API v1 in Puppet?
The four groups of endpoints in the RBAC API v1 in Puppet are:
User Endpoints
User Groups Endpoints
User Roles Endpoints
Permissions Endpoints
What happens if you delete a user role in PE?
When a user role is deleted, the role is revoked from all the assigned users. The assigned users lose the permissions associated with the deleted user role. They can lose access to the PE console if not assigned any other role.
Conclusion 🔚
This article discussed the basics of RBAC API v1 in Puppet, including the URI format and authentication, and the four primary groups of endpoints (users, user groups, user roles, and permissions) along with the keys used in their requests and responses.