You've just created a Red Hat Customer Portal account to provision a Red Hat OpenShift cluster. If you're new to Red Hat Customer Portal, then you probably have a lot of questions, like what other Red Hat portals do you have access to? How do you manage your registered clusters? What exactly is an Organization Administrator? Are there other team members who need privileged access? In this blog, we address all of these questions, and more, to help you navigate the Red Hat Customer Portal and its role-based access control (RBAC) system, and how it all connects to the Red Hat Hybrid Cloud Console (HCC) and OpenShift Cluster Manager (OCM).
Customer Portal
Your Red Hat Customer Portal account is a critical connection point to important information about your organization's subscriptions, products, and support. It's also the overarching account to other Red Hat portals such as Developer Hub, Hybrid Cloud Console, and more.
Organization Administrator
A Red Hat Organization Administrator, also known as an org admin, is the root user of the Red Hat Customer Portal. It has all possible permissions and is the only role that can manage users and their respective access to the organization's Red Hat account. By default, every org admin is also the admin for other portals, such as the Hybrid Cloud Console. An org admin can create and manage users one at a time, several at a time, or through bulk uploads, and can assign any roles to any user. For additional information on managing users, read common user management questions.
Once a user is added to the Customer Portal, that account exists on every Red Hat-hosted website that uses Red Hat single sign-on authentication. A Customer Portal login ID can be configured for two-factor authentication and for a third-party identity provider. This configuration applies to any Red Hat website that uses Red Hat single sign-on authentication (sso.redhat.com), including the Customer Portal at access.redhat.com and the Hybrid Cloud Console (console.redhat.com). You can also integrate your application with the Customer Portal using APIs. To determine whether your specific third-party identity provider can be integrated, reach out to your Red Hat account team.
It is crucial to grant each user only the minimum required roles, in line with the best practice of least-privilege access. For example, an OpenShift cluster site reliability engineer who needs to create support cases would require the Manage Support Cases role, and a team lead may need the Manage Your Subscriptions role to manage subscriptions, but neither requires the permissions of the Organization Administrator role.
Following the principle of least privilege, the org admin role must be used with discretion and restricted to at most a few people in the organization. Aside from org admin, there are several roles and permissions that can be assigned to Customer Portal accounts. Have transparent conversations with stakeholders within your organization about designating org admins and assigning other roles to each user.
Hybrid Cloud Console
The Red Hat Hybrid Cloud Console (HCC) provides access to a comprehensive set of services from a single interface. The HCC contains two default groups maintained by Red Hat with predefined roles:
- Default admin access group: All Red Hat Portal Organization Administrators are added to this group by default. Users and roles are not customizable.
- Default access group: This group contains all authenticated users in your organization. It can be modified by adding or removing roles. Upon modification, the group is automatically renamed to Custom default access and is no longer maintained by Red Hat. You can restore the default access group after a custom group has been created.
To reduce administrative complexity, it's recommended that you create additional custom groups with any combination of roles. This allows users to be added to or removed from the groups while the groups' role assignments stay intact, which makes RBAC easier to manage than modifying an individual user's roles. A list of predefined roles, which are not modifiable, can be viewed here.
User access roles are additive. There are no roles that deny access, only roles that allow. For more information, read these additional learning resources, which include step-by-step instructions and documentation on user access configuration.
User Access administrator
The User Access administrator is a special role that only an org admin can assign to a group within HCC. It allows a user to perform actions such as adding, modifying, or deleting groups and roles. The User Access administrator role cannot create or modify a User Access administrator group.
It may be worthwhile to consider assigning the User Access administrator role to production cluster admin team leads to ensure there is no unintended access to production environments.
Service accounts can be used to programmatically interact with the Hybrid Cloud Console API, and can be created and managed by org admins or User Access administrators. Similar to user accounts, service accounts can be assigned to user groups to grant them specific roles and permissions as necessary.
OpenShift Cluster Manager
The OpenShift Cluster Manager (OCM) is a service managed by Red Hat that allows you to operate and upgrade Red Hat OpenShift clusters. The HCC also provides an RBAC interface to assign roles such as OCM Cluster Provisioner, which allows a user with that role to create and manage clusters in OCM. It may be sufficient for some team members to have only the OCM Cluster Viewer role instead of additional OCM roles that would allow them to modify clusters.
Roles specific to OCM provide precise access to clusters. These roles are managed through HCC, and it's recommended to create custom groups to manage these roles. For additional information on managing clusters in OCM, read the official documentation.
Tying it all together
Now that we've provided an overview of RBAC for the various Red Hat portals, we have a recommendation on how to administer your organization's RBAC policies.
The most common question is who should be an org admin. This is easy to get wrong! In some companies, leadership or sales teams involved in managing subscriptions are assigned org admin. However, because org admin permissions are inherited from the Customer Portal, there may be unintended consequences: org admins are also added to the default admin access group in the HCC. An org admin can manage all OpenShift clusters, create or delete clusters, and give themselves permission to log into existing clusters as any user (including as a user with the cluster-admin role).
When managing systems through the Hybrid Cloud Console, it's crucial to determine the minimum, specific set of users who genuinely require all the permissions an org admin inherits.
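The resolution and delegation rules described in the Hybrid Cloud Console section (roles are additive, the two Red Hat-maintained groups, what a User Access administrator can and cannot change) and the org admin review recommended here, modelled as an added Python example. This is illustrative code written for this post, not Red Hat's implementation or its API; the user names, the custom group names, the role list seeded into the admin group and the `review()` threshold are constructed assumptions, while the role and default group names come from the post.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Role and group names as used in the post; everything else is constructed.
USER_ACCESS_ADMIN = "User Access administrator"
OCM_PROVISIONER = "OCM Cluster Provisioner"
OCM_VIEWER = "OCM Cluster Viewer"
DEFAULT_ADMIN_GROUP = "Default admin access"
DEFAULT_ACCESS_GROUP = "Default access"
CUSTOM_DEFAULT_GROUP = "Custom default access"


class RbacError(PermissionError):
    """Raised when an actor attempts a change the RBAC rules do not allow."""


@dataclass
class Org:
    org_admins: set[str] = field(default_factory=set)
    users: set[str] = field(default_factory=set)
    group_roles: dict[str, set[str]] = field(default_factory=dict)
    group_members: dict[str, set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Red Hat-maintained groups. The admin group's role list is a constructed
        # stand-in for "all permissions"; the real default access group carries
        # predefined read roles, omitted here for brevity.
        self.group_roles[DEFAULT_ADMIN_GROUP] = {USER_ACCESS_ADMIN, OCM_PROVISIONER, OCM_VIEWER}
        self.group_roles[DEFAULT_ACCESS_GROUP] = set()

    def add_user(self, user: str, org_admin: bool = False) -> None:
        self.users.add(user)
        if org_admin:
            self.org_admins.add(user)

    def groups_of(self, user: str) -> set[str]:
        """Membership of the two Red Hat-maintained groups is implicit."""
        default = CUSTOM_DEFAULT_GROUP if CUSTOM_DEFAULT_GROUP in self.group_roles else DEFAULT_ACCESS_GROUP
        groups = {default}
        if user in self.org_admins:
            groups.add(DEFAULT_ADMIN_GROUP)
        groups |= {g for g, members in self.group_members.items() if user in members}
        return groups

    def effective_roles(self, user: str) -> set[str]:
        """Roles are additive: the union over every group; nothing ever denies."""
        roles: set[str] = set()
        for g in self.groups_of(user):
            roles |= self.group_roles.get(g, set())
        return roles

    def _check_may_manage(self, actor: str, group: str, role: str | None = None) -> None:
        if actor not in self.org_admins and USER_ACCESS_ADMIN not in self.effective_roles(actor):
            raise RbacError(f"{actor} holds no {USER_ACCESS_ADMIN} role")
        if group == DEFAULT_ADMIN_GROUP:
            raise RbacError(f"{group} is maintained by Red Hat and is not customizable")
        # Only an org admin may grant User Access administrator or touch a group holding it.
        touches_ua_admin = role == USER_ACCESS_ADMIN or USER_ACCESS_ADMIN in self.group_roles.get(group, set())
        if touches_ua_admin and actor not in self.org_admins:
            raise RbacError(f"only an org admin may grant or modify {USER_ACCESS_ADMIN}")

    def create_group(self, actor: str, group: str) -> None:
        self._check_may_manage(actor, group)
        if group in self.group_roles:
            raise RbacError(f"group {group} already exists")
        self.group_roles[group] = set()
        self.group_members[group] = set()

    def add_role(self, actor: str, group: str, role: str) -> str:
        """Returns the (possibly renamed) group the role was added to."""
        self._check_may_manage(actor, group, role)
        if group == DEFAULT_ACCESS_GROUP and group in self.group_roles:
            # Editing the default access group turns it into a customer-owned copy.
            self.group_roles[CUSTOM_DEFAULT_GROUP] = self.group_roles.pop(DEFAULT_ACCESS_GROUP)
            group = CUSTOM_DEFAULT_GROUP
        if group not in self.group_roles:
            raise RbacError(f"no such group {group}")
        self.group_roles[group].add(role)
        return group

    def add_member(self, actor: str, group: str, user: str) -> None:
        self._check_may_manage(actor, group)
        if group not in self.group_members:  # default groups: membership is automatic
            raise RbacError(f"membership of {group} is not customizable")
        self.group_members[group].add(user)

    def remove_member(self, actor: str, group: str, user: str) -> None:
        self._check_may_manage(actor, group)
        self.group_members.get(group, set()).discard(user)

    def review(self, max_org_admins: int = 2) -> dict:
        """Least-privilege report: too many org admins, and who can change clusters."""
        findings = []
        if len(self.org_admins) > max_org_admins:
            findings.append(f"{len(self.org_admins)} org admins exceeds the limit of {max_org_admins}")
        for user in sorted(self.users):
            if OCM_PROVISIONER in self.effective_roles(user) and user not in self.org_admins:
                findings.append(f"{user} can create and modify clusters via {OCM_PROVISIONER}")
        return {"org_admins": sorted(self.org_admins),
                "roles": {u: sorted(self.effective_roles(u)) for u in sorted(self.users)},
                "findings": findings}


def build_example_org() -> Org:
    """Constructed sample organization: one org admin delegating to a UA admin."""
    org = Org()
    org.add_user("alice", org_admin=True)
    for u in ("bob", "carol", "dave"):
        org.add_user(u)
    org.create_group("alice", "rbac-delegates")
    org.add_role("alice", "rbac-delegates", USER_ACCESS_ADMIN)
    org.add_member("alice", "rbac-delegates", "dave")
    org.create_group("dave", "ocm-provisioners")  # dave now acts as UA admin
    org.add_role("dave", "ocm-provisioners", OCM_PROVISIONER)
    org.add_member("dave", "ocm-provisioners", "bob")
    org.create_group("dave", "ocm-viewers")
    org.add_role("dave", "ocm-viewers", OCM_VIEWER)
    org.add_member("dave", "ocm-viewers", "carol")
    return org


if __name__ == "__main__":
    print(json.dumps(build_example_org().review(), indent=2))
```

Removing `bob` from `ocm-provisioners` strips his provisioning rights without touching any role definition, which is the reason the post recommends managing access through custom groups; the model also shows why an org admin count is the first thing a review should look at, since that role bypasses every group boundary.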
In the event that the only org admin leaves the company, this knowledge base article provides guidance on how to recover from this scenario and assign a new org admin.
We've provided an overview of RBAC for the Red Hat Customer Portal and Hybrid Cloud Console and highlighted the implications of these inherited permissions. Understanding best practices around RBAC for your organization, and specifically the role of an org admin, and applying the principle of least privileges, allows your organization to effectively administer its Red Hat accounts.
About the authors
Kevin Chung is a Principal Architect focused on assisting enterprise customers in design, implementation and knowledge transfer through a hands-on approach to accelerate adoption of their managed OpenShift container platform.
Ava Shulman is an OpenShift Infrastructure Consultant. She is also a co-author of “The OpenShift Security Guide”. Since joining Red Hat in 2018 she has been specializing in optimizing OpenShift environments and tailoring solutions to meet unique customer needs. She brings extensive experience across cloud platforms like AWS, GCP, and Azure, along with a passion for security, always striving to implement best practices in every engagement.