Access Control
Access control is a powerful system for managing user and group access in a single place. Updates are applied near-instantly (within seconds) to destination infrastructure, making it possible to escalate and revoke a user's access on demand.
Overview
Access is managed via Access Grants. These records determine who can access what, and with which permission or role. Grants tie three components together to enable access:
- A user or group (e.g. jeff@acme.co)
- A role (e.g. admin)
- A resource (e.g. dev-cluster)
Roles
Infra allows granting different levels of access via roles, such as view, edit or admin. Different infrastructure destinations support different roles. For example, view a list of roles supported by Kubernetes.
Resources
A resource is an infrastructure resource managed by Infra. Examples include:
- A Kubernetes cluster (e.g. dev-cluster)
- A Kubernetes namespace (e.g. dev-cluster.kube-system)
Granting access
To grant access, use infra grants add. Note: the user you grant access to must already exist. To grant a user the edit role on a cluster named staging, run:
infra grants add user@example.com staging --role edit
Note: the same command can be used to grant access to a group using the boolean --group flag:
infra grants add --group engineering staging --role edit
Revoking access
To revoke access, use infra grants remove:
infra grants remove user@example.com staging --role edit
Inspecting access
infra grants list

  USER                 ROLE   DESTINATION
  jeff@infrahq.com     edit   development
  michael@infrahq.com  view   production

  GROUP        ROLE   DESTINATION
  Engineering  edit   development.monitoring
  Engineering  view   production
  Design       edit   development.web
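
Because grants take effect within seconds, it is worth reviewing the listing regularly. The script below is an added example, not part of Infra or its documentation: it flattens the infra grants list output shown above and reports grants that are missing from an approved baseline, plus every grant on a cluster or its namespaces. The function names, the baseline file format and the baseline contents are assumptions made for illustration; the listing layout is assumed to match the sample above.

```shell
#!/bin/sh
# Sample listing copied from the "Inspecting access" output on this page.
sample_listing() {
  cat <<'EOF'
USER                 ROLE   DESTINATION
jeff@infrahq.com     edit   development
michael@infrahq.com  view   production

GROUP        ROLE   DESTINATION
Engineering  edit   development.monitoring
Engineering  view   production
Design       edit   development.web
EOF
}

# Constructed baseline of approved grants (hypothetical format):
# "kind:subject role destination", one grant per line.
sample_baseline() {
  cat <<'EOF'
user:jeff@infrahq.com edit development
group:Engineering edit development.monitoring
group:Engineering view production
group:Design edit development.web
EOF
}

# Flatten the USER and GROUP tables on stdin into baseline-format lines.
normalize_grants() {
  awk '
    $1 == "USER"  && $2 == "ROLE" { kind = "user";  next }
    $1 == "GROUP" && $2 == "ROLE" { kind = "group"; next }
    NF == 3 && kind != ""         { print kind ":" $1, $2, $3 }
  '
}

# Grants in the listing (stdin) that the baseline file ($1) does not contain.
unapproved_grants() {
  normalize_grants | grep -vxFf "$1" || true
}

# Grants on a cluster ($1) or on any of its namespaces (cluster.namespace).
grants_on_cluster() {
  normalize_grants | awk -v c="$1" '$3 == c || index($3, c ".") == 1'
}

baseline=$(mktemp)
sample_baseline > "$baseline"
sample_listing | unapproved_grants "$baseline"  # user:michael@infrahq.com view production
sample_listing | grants_on_cluster development
rm -f "$baseline"
```

In practice, pipe the live output of infra grants list into unapproved_grants in place of sample_listing, and keep the baseline file under version control so changes to it are reviewed.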