2. Home
  4. Docs
  6. ClusterControl
  8. User Guide (GUI)
  10. Sidebar
  12. User Management

User Management

Teams

Manage teams (organizations) and users under ClusterControl. Take note that only the first user created with ClusterControl will be able to create the teams. You can have one or more teams and each team consists of zero or more clusters and users. You can have many roles defined under ClusterControl and a user must be assigned with one role.

As a roundup, here is how the different entities relate to each other:


Note

ClusterControl creates Admin team by default.

Users

A user belongs to one team and assigned a role. Users created here will be able to log in and see specific cluster(s), depending on their team and the cluster they have been assigned to.

Each role is defined with specific privileges under Access Control. ClusterControl default roles are Super Admin, Admin, and User:

Role Description
Super Admin Able to see all clusters that are registered in the UI. The Super Admin can also create organizations and users. Only the Super Admin can transfer a cluster from one organization to another.
Admin Belongs to a specific organization, and is able to see all clusters registered in that organization.
User Belongs to a specific organization, and is only able to see the cluster(s) that he/she registered.

To create a custom role, see Access Control.

Access Control

ClusterControl uses Role-Based Access Control (RBAC) to restrict access to clusters and their respective deployment, management, and monitoring features. This ensures that only authorized user requests are allowed. Access to functionality is fine-grained, allowing access to be defined by an organization or user. ClusterControl uses a permissions framework to define how a user may interact with the management and monitoring functionality after they have been authorized to do so.

You can create a custom role with its own set of access levels. Assign the role to a specific user under the Teams tab.

Note

The Super Admin role is not listed since it is a default role and has the highest level of privileges in ClusterControl.

Privileges

Privilege Description
Allow Allow access without modification. Similar to read-only mode.
Deny Deny access. The selected feature will not appear in the UI.
Manage Allow access with modification.
Modify Similar to manage, for certain features that required modification.

Features Description

Feature Description
Overview Overview tab – ClusterControl → Overview
Nodes Nodes tab – ClusterControl → Nodes
Configuration Management Configuration management page – ClusterControl → Manage → Configurations
Query Monitor Query Monitor tab – ClusterControl → Query Monitor
Performance Performance tab – ClusterControl → Performance
Backup Backup tab – ClusterControl → Backup
Manage Manage tab – ClusterControl → Manage
Alarms Alarms tab – ClusterControl → Alarms
Jobs Jobs tab – ClusterControl → Jobs
Settings Settings tab – ClusterControl → Settings
Add Existing Cluster Add Existing Cluster button and page – ClusterControl → Add Existing Server/Cluster
Create Cluster Create Database Cluster button and page – ClusterControl → Create Database Cluster
Add Load Balancer Add Load Balancer page – ClusterControl → Actions → Add Load Balancer and ClusterControl → Manage → Load Balancer
Clone Clone Cluster page (Galera only) – ClusterControl → Actions → Clone Cluster
Access All Clusters Access all clusters registered under the same organization.
Cluster Registrations Cluster Registrations page – ClusterControl → Settings (top-menu) → Cluster Registrations
Cloud Providers Cloud Providers page – ClusterControl → Settings (top-menu) → Integrations → Cloud Providers
Search Search button and page – ClusterControl → Search
Create Database Node Create Database Node button and page – ClusterControl → Create Database Node
Developer Studio Developer Studio page – ClusterControl → Manage → Developer Studio
MySQL User Management MySQL user management sections – ClusterControl → Settings (top-menu) → MySQL User Management and ClusterControl → Manage → Schema and Users
Operational Reports Operational reports page – ClusterControl → Settings (top-menu) → Operational Reports
Integrations Integrations page – ClusterControl → Settings (top-menu) → Integrations
Web SSH Web-based SSH on every managed node – ClusterControl → Nodes → Node Actions → SSH Console
Custom Advisor Custom Advisors page – ClusterControl → Manage → Custom Advisors
SSL Key Management Key Management page – ClusterControl → Settings (top-menu) → Key Management

LDAP Settings

ClusterControl supports Active Directory, FreeIPA, and LDAP authentication. This allows users to log into ClusterControl by using their corporate credentials instead of a separate password. LDAP groups can be mapped onto ClusterControl user groups to apply roles to the entire group. It supports up to the LDAPv3 protocol based on RFC2307.

When authenticating, ClusterControl will first bind to the directory tree server (‘LDAP Host’) using the specified ‘Login DN’ user and password, then it will check if the username you entered exists in the form of uid, cn or sAMAccountName of the ‘User DN’. If it exists, it will then use the username to bind against the LDAP server to check whether it has the configured group as in ‘LDAP Group Name’ in ClusterControl. If it does, ClusterControl will then map the user to the appropriate ClusterControl role and grant access to the UI.

The following flowchart summarizes the workflow:

You can map the LDAP group to the corresponding ClusterControl role created under Access Control tab. This would ensure that ClusterControl authorizes the logged-in user based on the role assigned.

Once the LDAP settings are verified, login into ClusterControl by using the LDAP credentials (uid, cn or sAMAccountName with respective password). The user will be authenticated and redirected to the ClusterControl dashboard page based on the assigned role. From this point, both ClusterControl and LDAP authentications would work.

Attention

For Active Directory, ensure you configure the exact distinguished name (with proper capitalization) since the LDAP interchange format (LDIF) fields are returned in capital letters.

For example on how to setup OpenLDAP authentication with ClusterControl, please refer to this blog post, How to Setup Centralized Authentication of ClusterControl Users with LDAP.

LDAP Group

If LDAP authentication is enabled, you would need to map ClusterControl roles with their respective LDAP groups. You can configure this by clicking on the ‘+’ icon to add an LDAP group:

Field Description Example
Team The organization that you want the LDAP group to be assigned to. Admin
LDAP Group Name The distinguished name of the LDAP group, relative to the Group DN cn=Database Administrator,ou=group
Role User role in ClusterControl. See Teams. Super Admin

Settings

Field Description
Enable LDAP Authentication
  • Choose whether to enable or disable LDAP authentication.
LDAP Host
  • The LDAP server hostname or IP address. To use LDAP over SSL/TLS, specify LDAP URI instead, for example ldaps://LDAP_host.
LDAP Port
  • Default is 389 and 636 for LDAP over SSL. Make sure to allow connections from the ClusterControl host for both TCP and UDP protocol.
Base DN
  • The root LDAP node under which all other nodes exist in the directory structure.
Login DN
  • The distinguished name used to bind to the LDAP server. This is often the administrator or manager user. It can also be a dedicated login with minimal access that should be able to return the DN of the authenticating users. ClusterControl must do an LDAP search using this DN before any user can log in. This field is case-sensitive.
Password
  • The password for the binding user specified in Login DN.
User DN
  • The user’s relative distinguished name (RDN) used to bind to the LDAP server. For example, if the LDAP user DN is CN=userA,OU=People,DC=ldap,DC=domain,DC=com, specify OU=People,DC=ldap,DC=domain,DC=com. This field is case-sensitive.
Group DN
  • The group’s relative distinguished name (RDN) used to bind to the LDAP server. For example, if the LDAP group DN is CN=DBA,OU=Group,DC=ldap,DC=domain,DC=com, specify OU=Group,DC=ldap,DC=domain,DC=com. This field is case-sensitive.
Attention

ClusterControl does not support binding against a nested directory group. Ensure each LDAP user that authenticates to ClusterControl has a direct membership to the LDAP group.

FreeIPA

ClusterControl is able to bind to a FreeIPA server and perform lookups on the compatible schema. Once the DN for that user is retrieved, it tries to bind using the full DN (in the standard tree) with the entered password to verify the LDAP group of that user.

Thus, for FreeIPA, the user’s and group’s DN should use compatible schema, cn=compat replacing the default cn=accounts in ClusterControl LDAP Settings except for the ‘Login DN’, as shown in the following screenshot:

For example on integrating ClusterControl with FreeIPA and Windows Active Directory, please refer to this blog post, Integrating ClusterControl with FreeIPA and Windows Active Directory for Authentication.

Clusters

Manage database clusters inside ClusterControl.

Field Description
Delete
  • Unregister the selected database cluster from the ClusterControl UI. This action will NOT delete the actual database cluster.
Change Team
  • Change the selected database cluster to another organization created under Teams.
Was this article helpful to you? Yes No