Description of workspace permissions¶
The workspace has permission mapping and resource isolation capabilities, and can map the permissions of users/groups in the workspace to the resources under it. If the user/group has the Workspace Admin role in the workspace and the resource Namespace is bound to the workspace-resource group, the user/group will become Namespace Admin after mapping.
Note
The permission mapping capability of the workspace will not be applied to shared resources, because sharing is to share the cluster usage permissions to multiple workspaces, rather than assigning management permissions to the workspaces, so permission inheritance and role mapping will not be implemented.
Use cases¶
Resource isolation is achieved by binding resources to different workspaces. Therefore, resources can be flexibly allocated to each workspace (tenant) with the help of permission mapping, resource isolation, and resource sharing capabilities.
Generally applicable to the following two use cases:
-
Cluster one-to-one
Ordinary Cluster Department/Tenant (Workspace) Purpose Cluster 01 A Administration and Usage Cluster 02 B Administration and Usage -
Cluster one-to-many
Cluster Department/Tenant (Workspace) Resource Quota Cluster 01 A 100 core CPU B 50-core CPU
Permission description¶
Action Objects | Operations | Workspace Admin | Workspace Editor | Workspace Viewer |
---|---|---|---|---|
itself | view | ✓ | ✓ | ✓ |
- | Authorization | ✓ | ✗ | ✗ |
- | Modify Alias | ✓ | ✓ | ✗ |
Resource Group | View | ✓ | ✓ | ✓ |
- | resource binding | ✓ | ✗ | ✗ |
- | unbind | ✓ | ✗ | ✗ |
Shared Resources | View | ✓ | ✓ | ✓ |
- | Add Share | ✓ | ✗ | ✗ |
- | Unshare | ✓ | ✗ | ✗ |
- | Resource Quota | ✓ | ✗ | ✗ |
- | Using Shared Resources 1 | ✓ | ✗ | ✗ |
-
Authorized users can go to modules such as workbench, microservice engine, middleware, multicloud orchestration, and service mesh to use resources in the workspace. For the operation scope of the roles of Workspace Admin, Workspace Editor, and Workspace Viewer in each module, please refer to the permission description: