diff --git a/content/influxdb/cloud-dedicated/admin/tokens/management/_index.md b/content/influxdb/cloud-dedicated/admin/tokens/management/_index.md index be24443b1..8c8c79b3c 100644 --- a/content/influxdb/cloud-dedicated/admin/tokens/management/_index.md +++ b/content/influxdb/cloud-dedicated/admin/tokens/management/_index.md @@ -11,6 +11,8 @@ menu: name: Management tokens weight: 101 influxdb/cloud-dedicated/tags: [tokens] +related: + - /influxdb/cloud-dedicated/reference/internals/security/ --- Management tokens grant permission to perform administrative actions such as 
@@ -21,24 +23,27 @@ managing users, databases, and database tokens in your Management tokens do _not_ grant permissions to write or query time series data in your {{< product-name omit=" Clustered">}} cluster. -To grant write or query permissions, use management tokens to create [database tokens](/influxdb/cloud-dedicated/admin/tokens/database/). +To grant write or query permissions, use management tokens to create +[database tokens](/influxdb/cloud-dedicated/admin/tokens/database/). {{% /note %}} -By default, management tokens are short-lived tokens issued by an OAuth2 identity -provider that grant a specific user administrative access to your -{{< product-name omit=" Clustered">}} cluster. +By default, management tokens are short-lived tokens issued by your identity +provider for a [specific client session](/influxdb/cloud-dedicated/reference/internals/security/#management-tokens-in-the-influxctl-cli) (for example, `influxctl`). + However, for automation purposes, you can manually create management tokens that authenticate directly with your InfluxDB Cluster and do not require human interaction with your identity provider. +_Manually created management tokens provide full access to all account resources +and aren't affected by [user groups](/influxdb/cloud-dedicated/reference/internals/security/#user-groups)_. {{% warn %}} #### For automation use cases only -The tools outlined below are meant for automation use cases and should not be -used to circumvent your identity provider. **Take great care when manually creating -and using management tokens**. +The tools outlined below are meant for automation use cases and shouldn't be +used to circumvent your identity provider or user group permissions. +**Take great care when manually creating and using management tokens**. 
-{{< product-name >}} requires at least one user associated with your cluster +{{< product-name >}} requires at least one [Admin user](/influxdb/cloud-dedicated/reference/internals/security/#admin-user-group) associated with your cluster and authorized through your OAuth2 identity provider to manually create a management token. {{% /warn %}} diff --git a/content/influxdb/cloud-dedicated/admin/users/_index.md b/content/influxdb/cloud-dedicated/admin/users/_index.md new file mode 100644 index 000000000..43e9d3778 --- /dev/null +++ b/content/influxdb/cloud-dedicated/admin/users/_index.md 
@@ -0,0 +1,92 @@ +--- +title: Manage users +seotitle: Manage users and permissions in InfluxDB Cloud Dedicated +description: > + Manage users and access to resources in your InfluxDB Cloud Dedicated cluster. + Assign user groups for role-based access control and security. +menu: + influxdb_cloud_dedicated: + parent: Administer InfluxDB Cloud +weight: 101 +influxdb/cloud-dedicated/tags: [user groups] +related: + - /influxdb/cloud-dedicated/reference/internals/security/ + - /influxdb/cloud-dedicated/admin/tokens/ +--- + +Manage users and access to resources in your {{% product-name %}} cluster. + +By assigning users to different groups based on the level of access they need, +you can minimize unnecessary access and reduce the risk of inadvertent +actions. +User groups associate access privileges with user attributes--an important part of the +Attribute-Based Access Control (ABAC) security model which grants access based on +user attributes, resource types, and environment context. + +- [Available user groups](#available-user-groups) +- [Manage users](#manage-users) + +## Available user groups + +In {{% product-name %}}, users have "management" responsibilities, such as creating and +deleting [databases](/influxdb/cloud-dedicated/admin/databases/), [viewing resource information](/influxdb/cloud-dedicated/admin/monitor-your-cluster/), and provisioning +[database tokens](/influxdb/cloud-dedicated/admin/tokens/database/) for reading and writing data. + +A user can belong to the following groups, each with predefined privileges: + +- **Admin**: Read and write permissions on all resources. +- **Member**: Read permission on certain resources and create permission for + database tokens; members can't delete or create databases or management tokens. +- **Auditor**: Read permission on all resources; auditors can't modify resources. 
+ +{{% note %}} +#### Existing users are Admin by default + +With the release of user groups for {{% product-name %}}, all existing users +in your account are initially assigned to the Admin group, retaining full +access to resources in your cluster. +{{% /note %}} + +## Manage users + +- [Assign a user to a different group](#assign-a-user-to-a-different-group) +- [Invite a user to your account](#invite-a-user-to-your-account) + +### Assign a user to a different group + +To assign existing users in your account to different +groups, [contact InfluxData support](https://support.influxdata.com/s/login/) +and provide the list of users and the desired [user groups](#available-user-groups) +for each. + +### Invite a user to your account + +For new users that you want to add to your account, the InfluxData Support Team +configures invitations with the attributes and groups that you specify. + +1. [Contact InfluxData support](https://support.influxdata.com/s/login/) + to invite a user to your account. + In your request, provide the user details, including email address, desired + [user groups](#available-user-groups), and other attributes for the user. +2. InfluxData support creates the user account and emails the user an invitation + that includes following: + + - A login URL to authenticate access to the cluster + - The {{% product-name %}} **account ID** + - The {{% product-name %}} **cluster ID** + - The {{% product-name %}} **cluster URL** + - A password reset email for setting the login password + +3. The user accepts the invitation to your account + +With a valid password, the user can access cluster resources by interacting with the +[`influxctl`](/influxdb/cloud-dedicated/reference/influxctl/) command line tool. +The assigned user groups determine the user's access to resources. + +{{% note %}} +#### Use database tokens to authorize data reads and writes + +In {{% product-name %}}, user groups control access for managing cluster resources. 
+[Database tokens](/influxdb/cloud-dedicated/admin/tokens/database/) control access +for reading and writing data in cluster databases. +{{% /note %}} diff --git a/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/delete.md b/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/delete.md index e148e0a01..ba0a71e28 100644 --- a/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/delete.md +++ b/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/delete.md @@ -9,6 +9,13 @@ weight: 301 draft: true --- +{{% warn %}} +#### InfluxData internal use only + +This command is for InfluxData internal use only and won't work when run by +a user account. +{{% /warn %}} + The `influxctl user delete` command deletes a user from your {{< product-name >}} account. diff --git a/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md b/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md index 61ae750a3..d3a84f2ec 100644 --- a/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md +++ b/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md @@ -1,7 +1,7 @@ --- title: influxctl user invite description: > - The `influxctl user invite` command invites a user to your InfluxDB Cloud Dedicated + The `influxctl user invite` command invites a user to an InfluxDB Cloud Dedicated account. menu: influxdb_cloud_dedicated: @@ -10,7 +10,14 @@ weight: 301 draft: true --- -The `influxctl user invite` command invites a user to your {{< product-name >}} +{{% warn %}} +#### InfluxData internal use only + +This command is for InfluxData internal use only and won't work when run by +a user account. +{{% /warn %}} + +The `influxctl user invite` command invites a user to an {{< product-name >}} account. ## Usage diff --git a/content/influxdb/cloud-dedicated/reference/internals/security.md b/content/influxdb/cloud-dedicated/reference/internals/security.md index 915c486c4..6a74cdaa6 100644 
--- a/content/influxdb/cloud-dedicated/reference/internals/security.md +++ b/content/influxdb/cloud-dedicated/reference/internals/security.md @@ -8,6 +8,9 @@ menu: name: Security parent: InfluxDB internals influxdb/cloud-dedicated/tags: [security, internals] +related: + - /influxdb/cloud-dedicated/admin/tokens + - /influxdb/cloud-dedicated/admin/users --- InfluxData's information security program is based on industry-recognized standards and frameworks, @@ -233,21 +236,25 @@ Users can configure the following security controls: ### Access, authentication, and authorization -{{< product-name >}} uses [Auth0](https://auth0.com/) for authentication and -separates workload cluster management authorizations (using _management tokens_) +{{< product-name >}} separates workload cluster management authorizations +(using _management tokens_) from database read and write authorizations (using _database tokens_). - [User provisioning](#user-provisioning) +- [User groups](#user-groups) - [Management tokens](#management-tokens) - [Database tokens](#database-tokens) #### User provisioning -InfluxData uses [Auth0](https://auth0.com/) to create user accounts and assign -permission sets to user accounts on {{% product-name %}}. -After a user account is created, InfluxData provides the user with the following: +InfluxData follows security best practices for creating user accounts +and managing permissions to resources. -- An **Auth0 login** to authenticate access to the cluster +InfluxData Support creates user accounts with [user group](#user-groups) permissions +for access to {{% product-name omit="Clustered" %}} cluster resources. +After creating the user account, InfluxData provides the user with the following: + +- A login URL for authenticating access to the cluster - The {{% product-name %}} **account ID** - The {{% product-name %}} **cluster ID** - The {{% product-name %}} **cluster URL** 
@@ -255,15 +262,46 @@ After a user account is created, InfluxData provides the user with the following With a valid password, the user can login by invoking one of the [`influxctl` commands](/influxdb/cloud-dedicated/reference/influxctl/). -The command initiates an Auth0 browser login so that the password is never +The command initiates a browser login between the identity provider and the user +so that the password is never exchanged with `influxctl`. -After a successful Auth0 authentication, {{% product-name %}} provides the +After a successful authentication, {{% product-name %}} provides the user's `influxctl` session with a short-lived [management token](#management-tokens) for access to the Granite service. -The user interacts with the `influxctl` command line tool to manage the workload -cluster, including creating [database tokens](#database-tokens) for database -read and write access and [creating long-lived management tokens](/influxdb/cloud-dedicated/admin/management-tokens/) -for use with the [Management API](/influxdb/cloud-dedicated/api/management/). +The user interacts with the `influxctl` command line tool to view or manage +cluster resources. +The [user groups](#user-groups) assigned to the user determine the level of +access to resources. + +#### User groups + +User groups associate access privileges with user attributes--an important part of the +Attribute-Based Access Control (ABAC) security model, which grants access based on +user attributes, resource types, and environment context. + +In {{% product-name %}}, a user can belong to any of the following user groups, +each with predefined privileges: + +- [Admin user group](#admin-user-group) +- [Member user group](#member-user-group) +- [Auditor user group](#auditor-user-group) + +##### Admin user group + +Admins are {{% product-name %}} users who have read and write permissions on +all resources (for all clusters) in the account. +Only Admins can create [management tokens](#management-tokens). 
+ +##### Member user group + +Members are {{% product-name %}} users who have read permission on certain +resources and create permission for [database tokens](#database-tokens). +Members can't delete or create databases or management tokens. + +##### Auditor user group + +Auditors are {{% product-name %}} users who have read permission on all resources +(for all clusters) in the account; auditors can't modify account resources. #### Management tokens @@ -279,11 +317,24 @@ Management tokens consist of the following: - An access token string (sensitive) - A permission set for management activities (configured during user provisioning) -- A mandatory 1 hour expiration for tokens generated by logging in to `influxctl` +- For tokens generated by logging in to `influxctl`, a mandatory 1 hour expiration +In {{% product-name %}}, management tokens may be created by +the account's identity provider +for user authentication in clients, such as `influxctl`, or they may be manually +created by [Admin](#admins-role-admin) +users for automation using the Management API. + +- [Management tokens in the `influxctl` CLI](#management-tokens-in-influxctl-cli) +- [Management tokens and the Management API](#management-tokens-and-the-management-api) + +##### Management tokens in influxctl CLI + +In {{% product-name %}}, the account's identity provider creates management tokens +for user authentication in tools such as `influxctl`. When a user issues a command using the `influxctl` command-line tool, `influxctl` sends the management token string with the request to the server, -where Granite validates the token (for example, using Auth0). +where Granite validates the token. If the management token is valid and not expired, the service then compares the token's permissions against the permissions needed to complete the user's request. 
@@ -300,13 +351,17 @@ For example, a user's Linux system would store the management token at ##### Management tokens and the Management API -A user associated with the cluster and authorized through OAuth may use -`influxctl` to -[manually create and revoke management tokens](/influxdb/cloud-dedicated/admin/tokens/management/) -for automation use -cases--for example, using the [Management API for -{{% product-name %}}](/influxdb/cloud-dedicated/api/management/) to rotate -database tokens or create tables. +For automation use cases, [Admins](#admin-group) can +[manually create and revoke long-lived management tokens](/influxdb/cloud-dedicated/admin/tokens/management/) +for use with the [Management API](/influxdb/cloud-dedicated/api/management/)--for +example, to rotate database tokens or create tables. + +Manually created management tokens: + +- aren't affected by [user group](#user-groups) permissions +- have an optional expiration and don't require human interaction with the OAuth provider +- are for automation use cases +- shouldn't be used to circumvent the OAuth provider To authenticate a Management API request, the user passes the manually created token in the HTTP `Authorization` header: 
@@ -315,17 +370,15 @@ token in the HTTP `Authorization` header: Authorization MANAGEMENT_TOKEN ``` -A manually created management token has an optional expiration and -doesn't require human interaction with the OAuth provider. - -Manually created management tokens are meant for automation use cases -and shouldn't be used to circumvent the OAuth provider. - #### Database tokens -Database tokens provide authorization for users and client applications to read and write data and metadata in an {{% product-name %}} database. +[Admins](#admin-group) and [Members](#member-group), can create +[database tokens](#database-tokens) for database read and write access. +Database tokens provide authorization for users and client applications to read +and write data and metadata in an {{% product-name %}} database. All data write and query API requests require a valid database token with sufficient permissions. -_**Note:** an all-access management token can't read or write to a database because it's not a database token._ +_**Note:** an all-access [management token](#management-tokens) can't read or +write to a database because it's not a database token._ Database tokens consist of the following:
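Review bot: In the `tokens/management/_index.md` hunk (@@ -21,24 +23,27), the new link anchor `#management-tokens-in-the-influxctl-cli` does not match the heading this same changeset adds to security.md, `##### Management tokens in influxctl CLI`, whose generated id (and the id used in security.md's own link list) is `#management-tokens-in-influxctl-cli`; drop the `-the-` so the link resolves. The italic sentence "Manually created management tokens provide full access to all account resources and aren't affected by user groups" is the one place on this page that tells the reader these tokens bypass group scoping, yet it sits outside the warn box that follows; consider moving it inside the box next to "Take great care when manually creating and using management tokens" so the caution and its reason are read together.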
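Review bot: In the new `admin/users/_index.md`, the front matter `description` says "Assign user groups for role-based access control" while the body describes user groups as part of "Attribute-Based Access Control (ABAC)"; pick one model and use it in both places. That ABAC sentence is also repeated verbatim in the `#### User groups` section added to security.md, so consider keeping one canonical definition and linking to it. Two small fixes in the invite procedure: "emails the user an invitation that includes following:" should read "includes the following:", and step 3 "The user accepts the invitation to your account" is missing its period.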
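Review bot: In the `influxctl/user/invite.md` hunks the wording is changed from "invites a user to your ... account" to "an ... account", but the matching sentence in `influxctl/user/delete.md` still reads "deletes a user from your {{< product-name >}} account"; align the two pages, since both now carry the identical "InfluxData internal use only" warn box. Both pages also keep `draft: true`, so the new warn box is not published; confirm that is intended, otherwise the box is the only signal to users that the commands will fail for them.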
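Review bot: In the security.md hunk (@@ -233,21 +236,25), "InfluxData follows security best practices for creating user accounts and managing permissions to resources." replaces the concrete Auth0 statement with a claim the reader cannot check; the next sentence already says what actually happens (Support creates the account with a user group assignment), so drop the filler or name the practices. The new shortcode call `{{% product-name omit="Clustered" %}}` uses a different `omit` value from the `{{< product-name omit=" Clustered">}}` calls elsewhere in this changeset (leading space); make them consistent so the rendered product name does not differ between pages. The new `related:` entries `/influxdb/cloud-dedicated/admin/tokens` and `/influxdb/cloud-dedicated/admin/users` lack the trailing slash used by every other related path in this changeset.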
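Review bot: In the security.md hunk (@@ -255,15 +262,46), the Member group is defined as having "read permission on certain resources" without saying which; since the reference page is where a reader decides between Member and Auditor ("read permission on all resources"), list the resources a Member can read. "Only Admins can create management tokens" under the Admin group is the key security statement of the section, but the `#### Management tokens` list further down still says the permission set is "configured during user provisioning"; see the note on that hunk.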
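Review bot: In the security.md hunk (@@ -279,11 +317,24), `[Admin](#admins-role-admin)` points at an anchor that does not exist in this file; the heading added above is `##### Admin user group`, so use `#admin-user-group`. The new paragraph "In {{% product-name %}}, management tokens may be created by" directly follows the list item "- For tokens generated by logging in to `influxctl`, a mandatory 1 hour expiration" with no blank line, so Markdown renders it as a lazy continuation of that list item; insert a blank line after the list. The retained item "A permission set for management activities (configured during user provisioning)" now conflicts with the user-group model introduced in this same change, where the assigned group determines the permissions; update the item to say so.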
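Review bot: In the security.md hunk (@@ -300,13 +351,17), `[Admins](#admin-group)` should be `#admin-user-group` to match the heading added earlier in this file. The list under "Manually created management tokens:" mixes properties with guidance: the first two items ("aren't affected by user group permissions", "have an optional expiration") describe a credential that is unscoped and may never expire, while the last two are advice; state the consequence plainly (a long-lived token that leaks grants full account access until it is revoked) and point the reader to the revoke procedure already linked in the same sentence, since that is the only mitigation the page offers.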
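Review bot: In the security.md hunk (@@ -315,17 +370,15), "[Admins](#admin-group) and [Members](#member-group), can create" has a stray comma before "can", and both anchors should be `#admin-user-group` and `#member-user-group` to match the headings added earlier in this file. The `[database tokens](#database-tokens)` link in the same sentence points at the section it sits in; unlink it.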