Permissions
StackState Self-hosted v4.6.x
This page describes StackState version 4.6.
Permissions in StackState allow Administrators to manage the actions that each user or user group can perform inside StackState and the information that will be shown in their StackState UI. Only the feature set relevant to each user's active role will be presented. The actions, information and pages that a user does not have access to are simply not displayed in their StackState UI.
Permissions are stored in StackGraph. This means that:
- If you perform an upgrade with "clear all data", permission setup will also be removed.
- To completely remove a user, they must also be manually removed from StackGraph.
There are two types of permission in StackState:
- System permissions - Scope user capabilities, such as access to settings, query execution and scripting.
StackState comes with four predefined roles:
- Administrators (`stackstate-admin`): Have access to all views and have all permissions, except for the platform management permission `access-admin-api`.
- Platform Administrators (`stackstate-platform-admin`): Have platform management permissions and have access to all views.
- Power Users (`stackstate-power-user`): This role is typically granted to users that need to configure StackState for their team(s), but will not manage the entire StackState installation. Power users have all Administrator permissions except for:
  - `execute-restricted-scripts`
  - `update-permissions`
  - `upload-stackpacks`
- Guests (`stackstate-guest`): Have read access, as you can see below when we use the StackState CLI to show granted permissions for the role:

  ```
  $ sts permission show stackstate-guest
  subject           permission                 resource
  ----------------  -------------------------  ----------
  stackstate-guest  access-cli                 system
  stackstate-guest  access-explore             system
  stackstate-guest  perform-custom-query       system
  stackstate-guest  read-permissions           system
  stackstate-guest  update-visualization       system
  stackstate-guest  manage-star-view           system
  stackstate-guest  execute-component-actions  system
  stackstate-guest  access-view                everything
  ```
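A baseline check for the CLI output shown above, as an added example that is not part of the original page or the StackState project: it parses `sts permission show` output and reports grants that differ from the guest permissions listed on this page. The function names, the constructed sample (whose last row simulates an unexpected grant) and the assumption that columns are whitespace-separated are illustrative.

```python
# Added example: audit `sts permission show <role>` output against a baseline.
# Constructed sample: the last row is NOT in the page's output; it simulates drift.
SAMPLE_OUTPUT = """\
subject           permission                 resource
----------------  -------------------------  ----------
stackstate-guest  access-cli                 system
stackstate-guest  access-explore             system
stackstate-guest  perform-custom-query       system
stackstate-guest  read-permissions           system
stackstate-guest  update-visualization       system
stackstate-guest  manage-star-view           system
stackstate-guest  execute-component-actions  system
stackstate-guest  access-view                everything
stackstate-guest  update-permissions         system
"""

# Guest grants exactly as listed on this page.
GUEST_BASELINE = {(p, "system") for p in (
    "access-cli", "access-explore", "perform-custom-query", "read-permissions",
    "update-visualization", "manage-star-view", "execute-component-actions",
)} | {("access-view", "everything")}


def parse_permissions(text, subject):
    """Return {(permission, resource)} for `subject`, skipping header and rule lines."""
    grants = set()
    for line in text.splitlines():
        # Assumption: three whitespace-separated columns; resource may contain spaces.
        fields = line.strip().split(None, 2)
        if len(fields) != 3 or fields[0] != subject:
            continue  # header, dashes, blank line, or a different subject
        grants.add((fields[1], fields[2]))
    return grants


def audit(text, subject, baseline):
    """Return (unexpected, missing) grants relative to the baseline, both sorted."""
    actual = parse_permissions(text, subject)
    return sorted(actual - baseline), sorted(baseline - actual)


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_OUTPUT, "stackstate-guest", GUEST_BASELINE)
    for perm, res in unexpected:
        print(f"UNEXPECTED grant: {perm} on {res}")
    for perm, res in missing:
        print(f"MISSING grant: {perm} on {res}")
    raise SystemExit(1 if unexpected or missing else 0)
```

Because permissions are stored in StackGraph and are removed by an upgrade with "clear all data", running such a check on captured CLI output after an upgrade shows whether each role still matches its intended grants.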
The default pre-defined role names (`stackstate-admin`, `stackstate-platform-admin`, `stackstate-power-user`, `stackstate-guest`) are always available. Additional custom role names can be added that have the same permissions. Below is an example of how to do this for both Kubernetes and Linux installations.

Kubernetes

Include this YAML snippet in an `authentication.yaml` when customizing the authentication configuration to extend the default role names with these custom role names.

```yaml
stackstate:
  authentication:
    roles:
      guest: ["custom-guest-role"]
      powerUser: ["custom-power-user-role"]
      admin: ["custom-admin-role"]
      platformAdmin: ["custom-platform-admin-role"]
```

To use it for your StackState installation (or an already running instance; note that this will restart the API):

```
helm upgrade \
  --install \
  --namespace stackstate \
  --values values.yaml \
  --values authentication.yaml \
stackstate \
stackstate/stackstate
```

Linux

To extend the default role names with custom role names:
1. Edit the existing keys in the `authorization` section of the configuration file `application_stackstate.conf`.
2. Add custom roles using the syntax `xxxGroups = ${stackstate.authorization.xxxGroups} ["custom-role"]` as shown in the example below.

   ```
   authorization {
     guestGroups = ${stackstate.authorization.guestGroups} ["custom-guest-role"]
     powerUserGroups = ${stackstate.authorization.powerUserGroups} ["custom-power-user-role"]
     adminGroups = ${stackstate.authorization.adminGroups} ["custom-admin-role"]
     platformAdminGroups = ${stackstate.authorization.platformAdminGroups} ["custom-platform-admin-role"]
   }
   ```
3. Restart StackState for changes to take effect.

The list of roles will be extended to include the new, custom roles. The default roles will remain available (`stackstate-admin`, `stackstate-platform-admin`, `stackstate-guest` and `stackstate-power-user`).
System permissions scope user capabilities, such as access to settings, query execution and scripting. They are set system wide.
Permission | Purpose | Guest | Power user | Admin | Platform Admin |
---|---|---|---|---|---|
access-cli | Access the CLI page. This provides the API key to use for authentication with the StackState CLI. | ✅ | ✅ | ✅ | ✅ |
access-explore | Access the Explore page. | ✅ | ✅ | ✅ | - |
execute-component-actions | Execute component actions. | ✅ | ✅ | ✅ | - |
manage-star-view | Add and remove stars from views. | ✅ | ✅ | ✅ | ✅ |
perform-custom-query | Access the topology filter. | ✅ | ✅ | ✅ | - |
read-permissions | List all granted permissions across the entire system via the CLI. | ✅ |