How it works
There are five entities in the Parseable Access Control model: Action, Privilege, Resource, Role and User. The sections below explain each of these entities in detail.
Actions and Privileges
Each API corresponds to an Action internally, and a Privilege is a group of allowed Actions. Actions and Privileges are predefined within a Parseable server instance. The current Privileges are Admin, Editor, Writer, Reader and Ingest. Below is the list of actions allowed for each Privilege.
- Admin: All Actions.
- Editor: Ingest, Query, CreateStream, ListStream, GetSchema, GetStats, GetRetention, PutRetention, PutAlert, GetAlert.
- Writer: Ingest, Query, ListStream, GetSchema, GetStats, GetRetention, PutAlert, GetAlert.
- Reader: Query, ListStream, GetSchema, GetStats, GetRetention, GetAlert.
- Ingest: Ingest.
Log streams are Resources. Each Resource has a unique name. For example, a log stream with the name my_stream is a Resource.
Creating A Role
To assign roles to a user, you first have to create them using the Create Role API.
The API request body requires the role definition in JSON format. The sections below explain how to create a role definition for different privileges.
The Admin privilege allows access to all actions in global scope. The role JSON above implies that the user will be able to call all APIs across all resources.
The Editor role has global scope. A user with the above role JSON will be able to call all the Editor-specific APIs across all resources.
The Writer privilege is resource specific. A user with the above role JSON will be able to call the Writer-specific APIs only on the specified resource. In the above example, the user will be able to call Writer-specific APIs on frontend log streams only.
"tag": "source=web" // optional field
The Reader privilege is resource specific. A user with the above role JSON will be able to call the Reader-specific APIs only on the specified resources. In the above example, the user will be able to call Reader-specific APIs on the frontend log stream, and only on events with tag
Creating User And Assigning Roles
To manage roles for your OAuth users, refer to the OIDC section. Roles are assigned automatically by matching the role name with a group name obtained from the groups claim in the ID token.
To create a User, use the Create User API. After a successful API call, you'll get the user's password in the response. Keep it in a safe place, as this is the only time you'll get the password.
- Passwords are hashed and stored in the Parseable metadata file. Parseable does not store the password in plain text.
- By default, a user doesn't have any role assigned to it, so it won't be able to perform any action.
- The Create User API takes an optional body which can be used to set roles, as described in the role section. Refer to the example here.
If you need to reset a user's password, use the Reset Password API.
To delete a user, use the Delete User API. This API will delete the user and all the roles assigned to it.
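The privilege table, the global versus resource-specific scoping and the no-role default described above can be modelled locally to review role assignments before creating them. This is an added example, not Parseable's own code: the role dictionary shape, the function names and the scope chosen for Ingest are assumptions made for illustration.

```python
# Added illustration: a local model of the privilege table on this page.
# The role dictionary shape used here is an assumption, not Parseable's schema.
ALL = "*"  # stands for "All Actions" (Admin)

PRIVILEGES = {
    "admin": {ALL},
    "editor": {"Ingest", "Query", "CreateStream", "ListStream", "GetSchema",
               "GetStats", "GetRetention", "PutRetention", "PutAlert",
               "GetAlert"},
    "writer": {"Ingest", "Query", "ListStream", "GetSchema", "GetStats",
               "GetRetention", "PutAlert", "GetAlert"},
    "reader": {"Query", "ListStream", "GetSchema", "GetStats",
               "GetRetention", "GetAlert"},
    "ingest": {"Ingest"},
}
# Per the page, Admin and Editor are global; Writer and Reader name a resource.
# The page states no scope for Ingest; it is treated as resource-specific
# here (assumption).
GLOBAL_SCOPE = {"admin", "editor"}


def is_allowed(roles, action, stream):
    """Default deny: allow only if some role grants `action` on `stream`."""
    for role in roles:
        priv = role.get("privilege")
        actions = PRIVILEGES.get(priv, set())  # unknown privilege grants nothing
        if ALL not in actions and action not in actions:
            continue
        scoped = role.get("stream")
        if priv in GLOBAL_SCOPE or (scoped and scoped == stream):
            return True
    return False


def least_privilege(needed):
    """Smallest non-admin privilege covering every needed action."""
    fits = [p for p, acts in PRIVILEGES.items()
            if ALL not in acts and set(needed) <= acts]
    return min(fits, key=lambda p: len(PRIVILEGES[p])) if fits else "admin"


# Constructed sample: a Writer role limited to the "frontend" log stream.
writer_roles = [{"privilege": "writer", "stream": "frontend"}]
```

Running least_privilege over the actions a service actually needs shows, for example, that a log shipper that only ingests needs Ingest rather than Writer, and that only CreateStream or PutRetention justifies Editor.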