We are approaching 100 entries in our existing auth.conf files. Once we're on v8.2 how many times am I going to need to put those users into RBAC on our Masters? Can I just do it once, export the config, and import it onto each of our other 20+ Masters?
I know AD or LDAP groups would be much easier but our Linux Masters aren't hooked into either so that's not an option for us.
This is a good idea - export from auth.conf into RBAC - that we’ve discussed before (internally). The problem is that there is no 1:1 mapping of permissions from auth.conf to RBAC roles. Do all 100 entries have different permissions or are there some roles that could be defined that we could use to “group” users in RBAC?
There's maybe only a dozen different "groups" of permissions between all the users right now in auth.conf. Most of them would continue to have access to view all Clients but with RBAC depending on how granular things get I could see adding in some customer end-users with access to view their specific stuff (how a particular client is protected & its backup jobs for example) too.
All of the users would still have to be assigned to those RBAC groups of course, but I'd be thrilled if I only had to do that on a single Master, export the RBAC users and groups, then import them everywhere else to cover most things.
And as long as I'm asking, I'd like that export file to be user-readable text of course, because our Auditors will want to look at it to verify everything is appropriate at some point.
Bonus points if I can literally use the same config on multiple Masters regardless of whether or not it actually exists. For example, if userA has access to view the protection plans for all Acme DB2 clients on MasterA, but there aren't any on MasterB, when they log in to MasterB they see an empty listing because their access doesn't return any Plan matches. I'd much rather have this be the case versus me getting an error attempting to import a non-applicable RBAC configuration into MasterB.
I'd love to work with whomever on making this happen, provide example auth.conf entries, whatever helps. As more stuff is added into the web GUI it's going to get more and more attractive to cut ourselves over but I can't do that until I can give everyone semi-equivalent access - and 100 users * 20ish Masters = a LOT of work if I can't do a bulk method. Not to mention having to keep each Master's entries updated with additions/removals after that first load.