Manage teams (organizations) and users under ClusterControl. Take note that only the first user created in ClusterControl will be able to create teams. You can have one or more teams, and each team consists of zero or more clusters and users. Many roles can be defined under ClusterControl, and each user must be assigned exactly one role.
In summary, here is how the different entities relate to each other:
A user belongs to one team and is assigned one role. Users created here will be able to log in and see specific cluster(s), depending on their team and the clusters they have been assigned to.
Each role is defined with specific privileges under Access Control. The ClusterControl default roles are Super Admin, Admin, and User:

| Role | Description |
| --- | --- |
| Super Admin | Able to see all clusters that are registered in the UI. The Super Admin can also create organizations and users. Only the Super Admin can transfer a cluster from one organization to another. |
| Admin | Belongs to a specific organization and is able to see all clusters registered in that organization. |
| User | Belongs to a specific organization and is only able to see the cluster(s) that he/she registered. |
To create a custom role, see Access Control.
ClusterControl uses Role-Based Access Control (RBAC) to restrict access to clusters and their respective deployment, management, and monitoring features. This ensures that only authorized user requests are allowed. Access to functionality is fine-grained, allowing access to be defined by an organization or user. ClusterControl uses a permissions framework to define how a user may interact with the management and monitoring functionality after they have been authorized to do so.
You can create a custom role with its own set of access levels. Assign the role to a specific user under the Teams tab. Each feature in the role is given one of the following access levels:

| Access level | Description |
| --- | --- |
| Allow | Allow access without modification. Similar to read-only mode. |
| Deny | Deny access. The selected feature will not appear in the UI. |
| Manage | Allow access with modification. |
| Modify | Similar to Manage, for certain features that require modification. |

| Feature | Description |
| --- | --- |
| Overview | Overview tab – ClusterControl → Overview |
| Nodes | Nodes tab – ClusterControl → Nodes |
| Configuration Management | Configuration management page – ClusterControl → Manage → Configurations |
| Query Monitor | Query Monitor tab – ClusterControl → Query Monitor |
| Performance | Performance tab – ClusterControl → Performance |
| Backup | Backup tab – ClusterControl → Backup |
| Manage | Manage tab – ClusterControl → Manage |
| Alarms | Alarms tab – ClusterControl → Alarms |
| Jobs | Jobs tab – ClusterControl → Jobs |
| Settings | Settings tab – ClusterControl → Settings |
| Add Existing Cluster | Add Existing Cluster button and page – ClusterControl → Add Existing Server/Cluster |
| Create Cluster | Create Database Cluster button and page – ClusterControl → Create Database Cluster |
| Add Load Balancer | Add Load Balancer page – ClusterControl → Actions → Add Load Balancer and ClusterControl → Manage → Load Balancer |
| Clone | Clone Cluster page (Galera only) – ClusterControl → Actions → Clone Cluster |
| Access All Clusters | Access all clusters registered under the same organization. |
| Cluster Registrations | Cluster Registrations page – ClusterControl → Settings (top-menu) → Cluster Registrations |
| Cloud Providers | Cloud Providers page – ClusterControl → Settings (top-menu) → Integrations → Cloud Providers |
| Search | Search button and page – ClusterControl → Search |
| Create Database Node | Create Database Node button and page – ClusterControl → Create Database Node |
| Developer Studio | Developer Studio page – ClusterControl → Manage → Developer Studio |
| MySQL User Management | MySQL user management sections – ClusterControl → Settings (top-menu) → MySQL User Management and ClusterControl → Manage → Schema and Users |
| Operational Reports | Operational Reports page – ClusterControl → Settings (top-menu) → Operational Reports |
| Integrations | Integrations page – ClusterControl → Settings (top-menu) → Integrations |
| Web SSH | Web-based SSH on every managed node – ClusterControl → Nodes → Node Actions → SSH Console |
| Custom Advisor | Custom Advisors page – ClusterControl → Manage → Custom Advisors |
| SSL Key Management | Key Management page – ClusterControl → Settings (top-menu) → Key Management |
ClusterControl supports Active Directory, FreeIPA, and LDAP authentication. This allows users to log in to ClusterControl with their corporate credentials instead of a separate password. LDAP groups can be mapped onto ClusterControl user groups so that a role is applied to the entire group. The LDAP protocol is supported up to LDAPv3, based on RFC 2307.
When authenticating, ClusterControl first binds to the directory server (‘LDAP Host’) using the configured ‘Login DN’ user and password. It then checks whether the username you entered exists as the uid, cn or sAMAccountName of an entry under the ‘User DN’. If it exists, ClusterControl binds against the LDAP server as that user and checks whether the user belongs to the group configured as ‘LDAP Group Name’. If it does, ClusterControl maps the user to the corresponding ClusterControl role and grants access to the UI.
The following flowchart summarizes the workflow:
You can map an LDAP group to the corresponding ClusterControl role created under the Access Control tab. This ensures that ClusterControl authorizes the logged-in user based on the assigned role.
Once the LDAP settings are verified, log in to ClusterControl with the LDAP credentials (uid, cn or sAMAccountName and the respective password). The user is authenticated and redirected to the ClusterControl dashboard page based on the assigned role. From this point, both ClusterControl and LDAP authentication will work.
For an example of how to set up OpenLDAP authentication with ClusterControl, please refer to this blog post: How to Setup Centralized Authentication of ClusterControl Users with LDAP.
If LDAP authentication is enabled, you need to map ClusterControl roles to their respective LDAP groups. You can configure this by clicking on the ‘+’ icon to add an LDAP group:

| Field | Description | Example |
| --- | --- | --- |
| Team | The organization that you want the LDAP group to be assigned to. | Admin |
| LDAP Group Name | The distinguished name of the LDAP group, relative to the Group DN. | cn=Database Administrator,ou=group |
| Role | User role in ClusterControl. See Teams. | Super Admin |
| Enable LDAP Authentication | | |
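The login sequence described above (service bind, user lookup, re-bind as the user, group-to-role mapping), written out as an added example that is not ClusterControl's own code. A constructed in-memory dictionary stands in for the LDAP server so it runs offline; every DN, password and the group-to-role map are assumptions standing in for the ‘Login DN’, ‘User DN’, ‘Group DN’ and ‘LDAP Group Name’ settings.

```python
# Constructed sample directory: DN -> attributes. All names and passwords
# are made up; a real deployment talks to an LDAP server instead.
DIRECTORY = {
    "cn=ccsvc,dc=example,dc=com": {"userPassword": "svc-secret"},
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "cn": "Alice", "userPassword": "alice-pw"},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "cn": "Bob", "userPassword": "bob-pw"},
    "cn=Database Administrator,ou=group,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
}

# Assumed values for the ClusterControl LDAP Settings fields.
SETTINGS = {
    "login_dn": "cn=ccsvc,dc=example,dc=com",      # 'Login DN'
    "login_password": "svc-secret",
    "user_dn": "ou=people,dc=example,dc=com",      # 'User DN'
    "group_dn": "ou=group,dc=example,dc=com",      # 'Group DN'
    # 'LDAP Group Name' (relative to Group DN) -> (Team, Role)
    "group_map": {"cn=Database Administrator": ("Admin", "Super Admin")},
}

def bind(dn, password):
    """Simple bind: succeeds only if the entry exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def find_user(username, user_dn):
    """Step 2: search the User DN subtree for uid, cn or sAMAccountName."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + user_dn) and username in (
                attrs.get("uid"), attrs.get("cn"), attrs.get("sAMAccountName")):
            return dn
    return None

def authenticate(username, password, settings=SETTINGS):
    """Return (team, role) on success, otherwise a string naming the failure."""
    if not bind(settings["login_dn"], settings["login_password"]):
        return "service bind failed"       # step 1: bind as 'Login DN'
    dn = find_user(username, settings["user_dn"])
    if dn is None:
        return "user not found"
    if not bind(dn, password):              # step 3: re-bind as the user
        return "bad password"
    for group_rdn, (team, role) in settings["group_map"].items():
        group = DIRECTORY.get(group_rdn + "," + settings["group_dn"], {})
        if dn in group.get("member", []):   # step 4: group -> role mapping
            return (team, role)
    return "not in any mapped group"        # authenticated but not authorized
```

Note that bob authenticates successfully but receives no role because his group is not mapped, which is the case a reviewer should expect to see denied rather than silently granted.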
ClusterControl is able to bind to a FreeIPA server and perform lookups on the compatible schema. Once the DN for that user is retrieved, it tries to bind using the full DN (in the standard tree) with the entered password to verify the LDAP group of that user.
Thus, for FreeIPA, the user's and group's DN should use the compatible schema, with cn=compat replacing the default cn=accounts in the ClusterControl LDAP Settings, except for the ‘Login DN’, as shown in the following screenshot:
For an example of integrating ClusterControl with FreeIPA and Windows Active Directory, please refer to this blog post: Integrating ClusterControl with FreeIPA and Windows Active Directory for Authentication.
Manage database clusters inside ClusterControl.