Turbot Role Permissions

Permissions in Turbot are designed to be consistent, convenient, secure and flexible. For all services, each role follows the same general guidelines:

  • Owner - Manage users and permissions, and read metadata and configurations.
  • SuperUser - All changes, plus management of other SuperUsers.
  • Admin - High to medium risk changes.
  • Operator - Medium to low risk changes.
  • ReadOnly - Read data.
  • Metadata - Read metadata and configurations.
  • User - Basic access, no rights.

For all roles except Owner and SuperUser, each role inherits the permissions of the roles below it, e.g., Admin inherits Operator, ReadOnly, Metadata, and User permissions.

Owner inherits Metadata permissions while SuperUser is a special level and is separate from other inheritance.

Graphically, the above can be seen as follows:

[Image: role inheritance diagram (mceclip0.png)]

Turbot Permissions

Turbot permissions control what users are able to do through the Turbot console and API:

  • Turbot/Owner - Manage Turbot cluster users and user grants (add, delete, activate, and deactivate users), Turbot, AWS, and SSH access keys, and reset users' passwords. In short - Change Privileges.
  • Turbot/Admin - Manage Turbot cluster and account option settings, custom EC2 Ansible playbooks, and networks, including VPC security groups and VPCs.  In short - Change Policies and Configurations.
  • Turbot/Operator - Create and update Turbot accounts and tasks.  In short - Change Metadata.
  • Turbot/Metadata - Read Turbot cluster and account configurations.  In short - Read Metadata.
  • Turbot/User - Can log into the console, no initial permissions.

AWS Permissions

AWS permissions are specific to the service they grant access to, while following the general guidelines listed above. For instance, AWS/EC2/Admin allows users to launch and terminate instances (high risk changes), while AWS/EC2/Operator allows users to stop and start instances (medium risk changes). All service roles are rolled into the high level AWS role. For example, AWS/Admin contains AWS/EC2/Admin, AWS/S3/Admin, etc. The different high level AWS permission grants are outlined below:

  • AWS/Owner - Allows user to manage permissions in AWS, e.g., management of AWS Service Roles and their custom IAM permissions.
  • AWS/SuperUser - Allows full access permissions to the service with no preventative controls.
  • AWS/Admin - Allows high to medium risk changes, e.g., creating and deleting resources, policy management.
  • AWS/Operator - Allows medium to low risk changes, e.g., stopping and starting resources, tag management, snapshot management.
  • AWS/ReadOnly - Allows read access to data, e.g., S3 key contents.
  • AWS/Metadata - Allows the user to log in to the AWS account as the Metadata role. The Metadata role has read access to configurations and metadata, e.g., describe instance configurations.
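To make the inheritance rules (Admin > Operator > ReadOnly > Metadata > User, Owner inheriting only Metadata, SuperUser outside the ladder) and the AWS service roll-up (AWS/Admin containing AWS/EC2/Admin, AWS/S3/Admin, etc.) concrete, here is an added Python model. It is not Turbot's own grant evaluation, which this page does not show. The grant-string format, the action labels, and the capability table are constructed from the examples on this page; `minimal_grant` is a hypothetical helper for picking the least-privileged grant that still permits a given action.

```python
"""Model of the Turbot role ladder described on this page.

Added example, not Turbot code. Assumptions (not stated on the page):
grants are strings "<service>/<role>" or "<service>/<sub-service>/<role>",
and the capability table lists only the actions the page mentions.
"""
from __future__ import annotations

# Linear ladder, highest first. Each role inherits everything below it.
LADDER = ["Admin", "Operator", "ReadOnly", "Metadata", "User"]

# Order used when searching for the least-privileged grant (lowest first).
SEARCH_ORDER = list(reversed(LADDER)) + ["Owner", "SuperUser"]

# Services whose top-level grant rolls up every sub-service grant.
SUB_SERVICES = {"AWS": ["AWS/EC2", "AWS/S3"]}

# Capabilities per (service, role), taken from the page's examples.
# Action labels are constructed for this example.
CAPABILITIES = {
    ("AWS/EC2", "Admin"): {"launch", "terminate"},
    ("AWS/EC2", "Operator"): {"stop", "start", "tag", "snapshot"},
    ("AWS/EC2", "Metadata"): {"describe"},
    ("AWS/S3", "ReadOnly"): {"read-object"},
    ("Linux", "SuperUser"): {"sudo"},   # SuperUser listed explicitly: no ladder
    ("Linux", "Admin"): {"sudo"},
    ("Linux", "Operator"): {"reboot", "halt", "poweroff"},
    ("DB", "Owner"): {"grant"},
    ("DB", "SuperUser"): {"ddl"},
    ("DB", "Admin"): {"ddl"},
    ("DB", "Operator"): {"insert", "update", "delete"},
    ("DB", "ReadOnly"): {"select"},
    ("DB", "Metadata"): {"describe"},
}


def inherited_roles(role: str) -> list[str]:
    """Return the role plus every role it inherits, highest first."""
    if role == "SuperUser":
        return ["SuperUser"]          # special level, separate from inheritance
    if role == "Owner":
        return ["Owner", "Metadata"]  # Owner inherits only Metadata
    if role not in LADDER:
        raise ValueError(f"unknown role {role!r}")
    return LADDER[LADDER.index(role):]


def parse_grant(grant: str) -> tuple[str, str]:
    """Split 'AWS/EC2/Operator' into ('AWS/EC2', 'Operator')."""
    service, sep, role = grant.rpartition("/")
    if not sep:
        raise ValueError(f"grant {grant!r} has no service prefix")
    return service, role


def effective_actions(grant: str) -> set[tuple[str, str]]:
    """All (service, action) pairs a grant permits, after inheritance and roll-up."""
    service, role = parse_grant(grant)
    services = SUB_SERVICES.get(service, [service])  # AWS/Admin -> AWS/EC2/Admin, ...
    actions: set[tuple[str, str]] = set()
    for svc in services:
        for r in inherited_roles(role):
            for action in CAPABILITIES.get((svc, r), set()):
                actions.add((svc, action))
    return actions


def allows(grant: str, service: str, action: str) -> bool:
    """Does this grant permit `action` on `service`?"""
    return (service, action) in effective_actions(grant)


def minimal_grant(service: str, action: str) -> str | None:
    """Least-privileged grant on `service` that permits `action` (hypothetical helper)."""
    for role in SEARCH_ORDER:
        if allows(f"{service}/{role}", service, action):
            return f"{service}/{role}"
    return None


if __name__ == "__main__":
    print(inherited_roles("Admin"))                       # full ladder
    print(allows("AWS/EC2/Operator", "AWS/EC2", "stop"))  # True
    print(allows("AWS/EC2/Operator", "AWS/EC2", "terminate"))  # False
    print(allows("AWS/Admin", "AWS/S3", "read-object"))   # True via roll-up
    print(minimal_grant("DB", "select"))                  # DB/ReadOnly
```

The `minimal_grant` search walks the ladder from User upward, so it answers the question a reviewer of a grant request should ask: is there a lower role that already covers the action? Note that SuperUser sits outside the ladder, so it is never selected unless no ladder role (or Owner) permits the action.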

Example: Linux Permissions

Linux permissions apply to users created in EC2 Linux instances managed by Turbot (launched with the turbot SSH key):

  • Linux/SuperUser - Full sudo permissions.
  • Linux/Admin - Full sudo permissions.
  • Linux/Operator - Can reboot, halt, and power off instance.
  • Linux/User - Can log in to Linux instance, no additional permissions.

Example: Database Permissions

Database permissions apply to users created in RDS databases and Redshift clusters:

  • DB/Owner - Grant permissions.
  • DB/SuperUser - Run DDL commands.
  • DB/Admin - Run DDL commands.
  • DB/Operator - Insert, Update, and Delete data.
  • DB/ReadOnly - Select data.
  • DB/Metadata - View data structures, but no access to read data.