Access Control

Manage broad user permissions for configuration, administration, Resource metric viewing, and Action execution.

Access Control handles all user permissions within your Shoreline environment. Access Control allows you to:

Authentication and Authorization

Shoreline Access Control handles user-specific permissions. However, it's first essential to understand how Shoreline handles initial user authentication.

Shoreline uses Okta for all identity management and user authentication. Whether using the CLI or UI, all users are routed through Okta to prove their identity and receive a valid JSON Web Token (JWT). This JWT verifies the user's identity with the Shoreline cluster to which the user is connecting.

To authorize via the CLI use the auth command.

op>
auth <cluster_url>

The CLI will automatically open your browser to the cluster, and then you're redirected to Okta to authenticate.

The generated token (ops-token.yaml) is automatically downloaded and identified by the CLI. If the CLI is unable to locate the downloaded token you have two options:

  • Manually move the ops-token.yaml file to the watched directory
  • Or, manually paste the JWT string with the auth import function

auth import imports an cluster API URL + JSON Web Token (JWT) combination into your local .ops_auth file.

op>
auth import https://acme.us.api.shoreline-acme.io sjTnbGciOiJSUzI1
Adding Auth... Url: https://acme.us.api.shoreline-acme.io, Token: sjTnbGciOiJSUzI1
Saving config to '/home/gabe/.ops_auth.yaml'

After your .ops_auth is updated you're automatically authenticated and the CLI can be used.

See Op/auth for more details.

Automated User Generation

The Shoreline cluster automatically generated a user account with default Access Control permissions as part of the initial Okta authentication process.

Prerequisites

The Shoreline UI currently handles all Access Control:

Create a user

  • Click the Add user button at the top-right

  • Enter the user identity that matches their Okta identity and make any necessary changes to user permissions

    new-user-entry
  • Click the confirmation to save or the cancel to abort

Delete a user

  • Click the delete button under Actions
  • Enter the user's ID in the confirmation box
  • Click Delete user to confirm, or Cancel to abort

Metric view limit

The Metric view limit sets the maximum number of Resource metrics a user can see in real-time mode, generated by a single operation.

For example, assume you've created a user with a Metric view limit of 5, and you have an environment with three host Resources:

op>
host | count
 RESOURCE_COUNT
 3

The disk_used Metric query retrieves the disk usage of all three hosts.

op>
host | disk_used
 ID | TYPE | NAME                | REGION    | AZ         | TIMESTAMPS          | DISK_USED
 1  | HOST | i-0ec6db699504723a5 | us-west-2 | us-west-2c | 2021/06/10 10:21:40 |     82.03
    |      |                     |           |            | 2021/06/10 10:21:41 |     82.03
    |      |                     |           |            | 2021/06/10 10:21:42 |     82.03
    |      |                     |           |            | 2021/06/10 10:21:43 |     82.03
    |      |                     |           |            | 2021/06/10 10:21:44 |     82.03
 2  | HOST | i-0671bb33ac1362a45 | us-west-2 | us-west-2b | 2021/06/10 10:21:40 |     84.30
    |      |                     |           |            | 2021/06/10 10:21:41 |     84.30
    |      |                     |           |            | 2021/06/10 10:21:42 |     84.30
    |      |                     |           |            | 2021/06/10 10:21:43 |     84.30
    |      |                     |           |            | 2021/06/10 10:21:44 |     84.30
 3  | HOST | i-00ecaf3247e215b3b | us-west-2 | us-west-2a | 2021/06/10 10:21:40 |     84.30
    |      |                     |           |            | 2021/06/10 10:21:41 |     84.30
    |      |                     |           |            | 2021/06/10 10:21:42 |     84.30
    |      |                     |           |            | 2021/06/10 10:21:43 |     84.30
    |      |                     |           |            | 2021/06/10 10:21:44 |     84.30

Like many Metrics, disk_used executes a real-time metric query on every unique Resource object returned in the preceding result set. Therefore, querying all three hosts means the user has not exceeded their Metric view limit of 5.

Edit the Metric view limit

  • Click in the View column cell for the user

    metric-view-edit
  • Enter a new value of 2

  • Click the confirmation to save

In the CLI the Metric view limit restricts the total number of Resources able to return metric query data within a single command.

Now try executing the same host | disk_used query as above:

op>
host | disk_used
Error: View limit of 2 exceeded: found 3 unique agents executing a metric query in plan.

As the error explains, the total number of unique Resources returning metric data exceeds the user's View metric limit of 2, so the query fails.

Action execution limit

The Action execution limit determines the number of Resources that can be affected by a given Action.

For example, consider an environment with three host Resources and an Action execution limit of 10. Let's use the CLI to create an Action that snapshots the current processes with the ps command:

op>
action get_processes = `ps`
Created action 'get_processes'.

Executing the get_processes Action against all three host Resources returns the expected data.

op>
host | get_processes
 ID | TYPE | NAME                | REGION    | AZ         | STATUS | STDOUT
 1  | HOST | i-0ec6db699504723a5 | us-west-2 | us-west-2c |   0    |   PID TTY          TIME CMD
    |      |                     |           |            |        |  2747 ?        00:00:00 sshd
    |      |                     |           |            |        |  2748 ?        00:00:00 bash
    |      |                     |           |            |        |  2752 ?        00:00:00 timeout
    |      |                     |           |            |        |  2753 ?        00:00:00 bash
    |      |                     |           |            |        |  2754 ?        00:00:00 ps
    |      |                     |           |            |        |
 2  | HOST | i-0671bb33ac1362a45 | us-west-2 | us-west-2b |   0    |   PID TTY          TIME CMD
    |      |                     |           |            |        |   434 ?        00:00:00 sshd
    |      |                     |           |            |        |   435 ?        00:00:00 bash
    |      |                     |           |            |        |   439 ?        00:00:00 timeout
    |      |                     |           |            |        |   440 ?        00:00:00 bash
    |      |                     |           |            |        |   441 ?        00:00:00 ps
    |      |                     |           |            |        |
 3  | HOST | i-00ecaf3247e215b3b | us-west-2 | us-west-2a |   0    |   PID TTY          TIME CMD
    |      |                     |           |            |        |   825 ?        00:00:00 sshd
    |      |                     |           |            |        |   826 ?        00:00:00 bash
    |      |                     |           |            |        |   830 ?        00:00:00 timeout
    |      |                     |           |            |        |   831 ?        00:00:00 bash
    |      |                     |           |            |        |   832 ?        00:00:00 ps

Since this Action is only executing against three Resources, which is well below the current limit of 10, everything works fine.

Edit the Action execution limit

  • Click in the Execute actions column cell for the user

    metric-execute-actions-edit
  • Enter a new value of 2

  • Click the confirmation to save

  • Execute the previous host | get_processes statement:

    op>
    host | get_processes
    Error: Action limit of 2 exceeded: found 3 unique resources executing a named action.

    The user's Action execution limit of 2 restricts this operation since it attempts to invoke an Action that affects three host Resources.

Linux command execution limit

You can execute Linux commands against the returned Resource results of most preceding statements within Op. Internally, such inline Linux commands are called unnamed Actions.

For example, consider the get_processes Action created in Action execution limit above:

op>
host | get_processes
 ID | TYPE | NAME                | REGION    | AZ         | STATUS | STDOUT
 1  | HOST | i-0ec6db699504723a5 | us-west-2 | us-west-2c |   0    |   PID TTY          TIME CMD
    |      |                     |           |            |        |  2747 ?        00:00:00 sshd
    |      |                     |           |            |        |  2748 ?        00:00:00 bash
    |      |                     |           |            |        |  2752 ?        00:00:00 timeout
    |      |                     |           |            |        |  2753 ?        00:00:00 bash
    |      |                     |           |            |        |  2754 ?        00:00:00 ps
    |      |                     |           |            |        |
 2  | HOST | i-0671bb33ac1362a45 | us-west-2 | us-west-2b |   0    |   PID TTY          TIME CMD
    |      |                     |           |            |        |   434 ?        00:00:00 sshd
    |      |                     |           |            |        |   435 ?        00:00:00 bash
    |      |                     |           |            |        |   439 ?        00:00:00 timeout
    |      |                     |           |            |        |   440 ?        00:00:00 bash
    |      |                     |           |            |        |   441 ?        00:00:00 ps
    |      |                     |           |            |        |
 3  | HOST | i-00ecaf3247e215b3b | us-west-2 | us-west-2a |   0    |   PID TTY          TIME CMD
    |      |                     |           |            |        |   825 ?        00:00:00 sshd
    |      |                     |           |            |        |   826 ?        00:00:00 bash
    |      |                     |           |            |        |   830 ?        00:00:00 timeout
    |      |                     |           |            |        |   831 ?        00:00:00 bash
    |      |                     |           |            |        |   832 ?        00:00:00 ps

In this context, get_processes is a named Action that executes the ps Linux command. Therefore, the above can be rewritten in Op as:

op>
host | `ps`
 ID | TYPE | NAME                | REGION    | AZ         | STATUS | STDOUT
 1  | HOST | i-0ec6db699504723a5 | us-west-2 | us-west-2c |   0    |   PID TTY          TIME CMD
    |      |                     |           |            |        |  6844 ?        00:00:00 sshd
    |      |                     |           |            |        |  6845 ?        00:00:00 bash
    |      |                     |           |            |        |  6849 ?        00:00:00 timeout
    |      |                     |           |            |        |  6850 ?        00:00:00 bash
    |      |                     |           |            |        |  6851 ?        00:00:00 ps
    |      |                     |           |            |        |
 2  | HOST | i-0671bb33ac1362a45 | us-west-2 | us-west-2b |   0    |   PID TTY          TIME CMD
    |      |                     |           |            |        |  4422 ?        00:00:00 sshd
    |      |                     |           |            |        |  4423 ?        00:00:00 bash
    |      |                     |           |            |        |  4427 ?        00:00:00 timeout
    |      |                     |           |            |        |  4428 ?        00:00:00 bash
    |      |                     |           |            |        |  4429 ?        00:00:00 ps
    |      |                     |           |            |        |
 3  | HOST | i-00ecaf3247e215b3b | us-west-2 | us-west-2a |   0    |   PID TTY          TIME CMD
    |      |                     |           |            |        |  4838 ?        00:00:00 sshd
    |      |                     |           |            |        |  4839 ?        00:00:00 bash
    |      |                     |           |            |        |  4843 ?        00:00:00 timeout
    |      |                     |           |            |        |  4844 ?        00:00:00 bash
    |      |                     |           |            |        |  4845 ?        00:00:00 ps
    |      |                     |           |            |        |

With this in mind, the Linux command execution limit behaves much like the Action execution limit: It restricts the number of unique Resources that are queryable by an unnamed Action, i.e., a Linux command.

Edit the Linux command execution limit

  • Click in the Execute Linux cmds column cell for the user

    metric-execute-linux-commands-edit
  • Enter a new value of 2

  • Click the confirmation to save

  • Execute the previous statement using the ps Linux command:

    op>
    host | `ps`
    Error: Execute limit of 2 exceeded: found 3 unique resources executing an unnamed action.

    The user's Linux command execution limit of 2 restricts this operation since it attempts to invoke an unnamed Action that affects three host Resources.

Roles

Administer role

The Administer role allows a user to:

Configure role

The Configure role grants the user the ability to configure the core Shoreline objects. Specifically, a user with the Configure role can create, read, update, and delete all Actions, Alarms, and Bots.

These role permissions extend to both the CLI and the UI.

Toggle the Configure role

  • Click a user's Configure column toggle switch to enable (Yes) or disable (No) the Configure role

If the Configure role is disabled, then all Resource write commands against Actions, Alarms, and Bots fail.

op>
action new_action = `ps`
Error: Configure permission not granted, but found a create/update/delete function call: define_action
op>
delete get_processes
Error: Configure permission not granted, but found a create/update/delete function call: delete_action

Default permissions

The top row of the Access Control UI displays the New user defaults. These determine all default Access Control values when creating new users.

To alter any default settings:

  • Click in the appropriate data cell
  • Enter a new value or toggle the suitable switch
  • Click the confirmation to save

Temporarily Remove Permission Limits

You can temporarily remove access control limitations by granting yourself Full Administrator access.

  1. Click the Remove all limits button at the top-right
  2. Enter the Full Administrator password
  3. Click the Ok button to proceed or the Cancel button to cancel

Full Administrator

Anytime you attempt to access parts of the UI that extend beyond your Access Control permissions you'll receive an "Access Denied" error popup:
full-administrator-password-entry
You may enter the Full Administrator password in this dialog to enable Full Administrator access. The Full Administrator role grants you admin privileges by temporarily overriding your standard Access Control permissions.

Change the Full Administrator password

  • Click the Change no limit password button at the top-right

    change-password-dialog
  • Enter the current password

  • Enter and confirm the new password

  • Click the Change password button to confirm or the Cancel button to abort