diff --git a/06-osm-platform-configuration.md b/06-osm-platform-configuration.md index 69968be1f21a1286aab4070b2b30d16b1ff02893..0dc426a49182148e192b6eb5c3d42a068c14835c 100644 --- a/06-osm-platform-configuration.md +++ b/06-osm-platform-configuration.md @@ -1,6 +1,6 @@ # OSM platform configuration -## Role-based Access Control (RBAC) +## Explanation about OSM Role-based Access Control (RBAC) Role-Based Access Control (RBAC) is available in OSM to bring different users and projects a controlled access to resources. Authorization is granted if a user has the necessary role to perform an action. For achieving this, two backends are available: @@ -25,7 +25,9 @@ By default, OSM starts with the following users, projects and roles pre-created: The configuration can be extended to cover more users, projects and role combinations, following the next sections. -## User management +## OSM User Management + +### Explanation about OSM User Management Users can be managed through the UI, by selecting Admin --> Users on the menu to the left, or using the OSM CLI: @@ -52,6 +54,10 @@ Usage: osm user-update [OPTIONS] USERNAME REMOVE_PROJECT: deleting mappings for project/role(s) ADD_PROJECT_ROLE: adding mappings for project/role(s) REMOVE_PROJECT_ROLE: removing mappings for project/role(s) + CURRENT_PASSWORD: user current password to change + NEW_PASSWORD: user new password to update in expiry condition + UNLOCK: unlock user + RENEW: renew user Options: --password TEXT user password 
@@ -60,10 +66,86 @@ Options: --remove-project TEXT removes project from user: 'project' --add-project-role TEXT adds project,role(s) mapping: 'project,role1,role2,...' --remove-project-role TEXT removes project,role(s) mapping: 'project,role1,role2,...' + --current_password TEXT user current password + --new_password TEXT user new password to update in expiry condition + --unlock unlock user + --renew renew user -h, --help Show this message and exit. ``` -## Project management +### How to enable user management enhancements to enforce password best practices + +If a user logins into OSM for the first time or a user account is not accessed after several days, you might want OSM to request the user to change its password. + +By default, user management enhancements to enforce password best practices is enabled in OSM. It includes the following best practices: + +- Password expires after 30 days, and it will have to be renewed. +- Account expires after 90 days after the user is created, and it will have to be renewed by a system admin. +- The number of consecutive failed login attempts in OSM is 5. After that, if a user fails to login, the account will be locked. + +If you want to enable/disable this behaviour, just set environment variable `OSMNBI_USER_MANAGEMENT` as `True` or `False` in the nbi configmap file using the following command: + +```bash +kubectl -n osm edit configmap nbi +``` + +```yaml +OSMNBI_USER_MANAGEMENT: True|False +``` + +![OSM RBAC Options](assets/800px-OSM_User_Management.png) + +### How to check that user management enhancements are applied + +Ensure RBAC permissions for the user include rbac: `users:id:patch` permission. + +``` +osm user-show +osm role-show +# The role should include the permission "users:id:patch" set to true +``` + +### How to manage user password updates and user locks + +- To change the default password or expired password of a user, execute the following command through CLI. 
+ + ```bash + osm --user --password user-update --current_password --new_password + ``` + + Example: + + ```bash + osm --user test_user --password Test@123 user-update test_user --current_password Test@123 --new_password New@1234 + ``` + +- If the user account is locked after exceeding the count of multiple tries, execute the following command to unlock the user through CLI + + ```bash + osm user-update --unlock + ``` + + Example: + ```bash + osm user-update test_user --unlock + ``` + +- If the user account is expired, execute the following command to renew the user account through CLI + + ```bash + osm user-update --renew + ``` + Example: + ```bash + osm user-update test_user --renew + ``` + +**Important note:** + +- User Management check is excluded for the default "admin" user +- Only a user with system_admin role persmission will have the privilege to perform unlock and renew actions + +## OSM Project management Projects can be managed through the UI, by selecting Admin --> Projects on the menu to the left, or using the OSM CLI: @@ -833,4 +915,4 @@ To associate the K8s cluster with a Distributed VCA, follow these steps: 2. Associate the VCA with a VIM account. For more details, see [this](#associate-a-vca-with-a-vim-account) section. 3. Register your K8s cluster associating it to the VIM account added in step 2. For more details, see [this](#management-of-k8s-clusters) section. - Note: if you are not using an actual VIM, in the step 2, set the VIM account type to `dummy` with the following flag: `--account_type dummy`. \ No newline at end of file + Note: if you are not using an actual VIM, in the step 2, set the VIM account type to `dummy` with the following flag: `--account_type dummy`. diff --git a/12-osm-nbi.md b/12-osm-nbi.md index 42fb216bcbc3dee8a202ec8d63b652eebfaf865e..1dd708eeacec6ec9cb23b13cacdd3132fb36cb3e 100644 --- a/12-osm-nbi.md +++ b/12-osm-nbi.md 
@@ -263,6 +263,9 @@ Header field name Reference Example Descriptions - Add role R1, projects P1: `'{add_project_role_mappings: [{project: role: R1}, ...]}'` - Remove role R1, project P1 from user: `{remove_project_role_mappings: [{project: P1, role: R1}]}'` - Remove a project 'P1' (all roles) from user: `{remove_project_role_mappings: [{project: P1}]}'` + - Enforce password change on first login or password expiry: `'{old_password: , password: }'` + - Unlock user: `'{system_admin_id: , unlock: true}'` + - Renew user: `'{system_admin_id: , renew: true}'` - DELETE: Removes user. diff --git a/assets/800px-OSM_User_Management.png b/assets/800px-OSM_User_Management.png new file mode 100644 index 0000000000000000000000000000000000000000..04c3fb97233963f486f53e4354e8886d771127c0 Binary files /dev/null and b/assets/800px-OSM_User_Management.png differ
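Review bot: in hunk `@@ -1,6 +1,6 @@` of `06-osm-platform-configuration.md`, the renamed heading `## Explanation about OSM Role-based Access Control (RBAC)` reads awkwardly and changes the heading anchor, which matters because this document links to its own sections (e.g. `[this](#associate-a-vca-with-a-vim-account)` later in the same file). Keep `## Role-based Access Control (RBAC)`, or use `## OSM Role-based Access Control (RBAC)` to match the `## OSM User Management` / `## OSM Project management` style this patch introduces, and check any in-page links to the old anchor.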
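Review bot: in hunk `@@ -25,7 +25,9 @@`, the new subsection `### Explanation about OSM User Management` repeats its parent `## OSM User Management` without introducing distinct content; either drop it or give it a descriptive title such as `### Managing users through the UI and CLI`. Capitalisation is also inconsistent with `## OSM Project management` added later in the same patch (`Management` vs `management`); pick one form.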
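Review bot: in hunk `@@ -52,6 +54,10 @@`, the four new usage descriptions are terse to the point of being unclear: `NEW_PASSWORD: user new password to update in expiry condition` should read `new password, required when the current password has expired`, and `UNLOCK: unlock user` / `RENEW: renew user` should say what is unlocked or renewed (a locked account after failed logins; an expired account). If this block is meant to be the verbatim output of `osm user-update -h`, the wording should be fixed in the CLI help string and the block regenerated rather than hand-edited.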
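Review bot: in hunk `@@ -60,10 +66,86 @@`, the ConfigMap snippet `OSMNBI_USER_MANAGEMENT: True|False` will not apply as written: ConfigMap `data` values must be strings, and a bare `True` is parsed as a YAML boolean, so `kubectl edit` rejects it; document it as `OSMNBI_USER_MANAGEMENT: "True"` (or `"False"`) and state whether the NBI pod has to be restarted for the new value to take effect. The same hunk has several further problems: the command templates have lost their placeholders (`osm --user --password user-update --current_password --new_password` and `osm user-update --unlock`), presumably `<...>` swallowed by Markdown, so write them as `osm --user <username> --password <current-password> user-update <username> --current_password <current-password> --new_password <new-password>` with escaped brackets; `osm user-show` and `osm role-show` in the verification block need a user name and role name argument; the new options `--current_password` / `--new_password` use underscores while every existing option uses hyphens (`--remove-project-role`), so confirm the real option names before documenting them; and the example passes `Test@123` twice, once as `--password` and once as `--current_password`, with both the old and the new password on the command line, so it is worth noting that they end up in shell history and the process list and pointing to the password prompt or environment-variable alternative if the CLI offers one. Text fixes: "If a user logins into OSM" -> "If a user logs in to OSM", "enhancements ... is enabled" -> "are enabled", "exceeding the count of multiple tries" -> "exceeding the maximum number of failed login attempts", "persmission" -> "permission". The bullet list does not say whether the 30-day, 90-day and 5-attempt values are configurable; say so either way. Finally, "User Management check is excluded for the default "admin" user" is a security-relevant caveat rather than a footnote: the pre-created `admin` account never locks or expires under this feature, so it should be stated prominently in the enhancement section itself, alongside a reminder to change that account's initial password.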
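Review bot: in hunk `@@ -263,6 +263,9 @@` of `12-osm-nbi.md`, the three new PATCH payload examples have empty values (`'{old_password: , password: }'`, `'{system_admin_id: , unlock: true}'`, `'{system_admin_id: , renew: true}'`), most likely `<...>` placeholders stripped by Markdown; write them as `'{old_password: <current>, password: <new>}'` and `'{system_admin_id: <admin-user-id>, unlock: true}'` with escaped brackets. The unlock and renew payloads also require the client to supply `system_admin_id`, while the platform document in this same patch says only a user with the `system_admin` role may unlock or renew; document where that id comes from and how NBI checks it against the authenticated session, because if the server derives the acting admin from the token the field should not be part of the client payload at all.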