| title | weight |
|---|---|
| Users and Groups | 1 |
Rancher relies on users and groups to determine who is allowed to log in to Rancher and which resources they can access. When you configure an external authentication provider, users from that provider will be able to log in to your Rancher server. When a user logs in, the authentication provider will supply your Rancher server with a list of groups to which the user belongs.
Access to clusters, projects, multi-cluster apps, and global DNS providers and entries can be controlled by adding either individual users or groups to these resources. When you add a group to a resource, all users who are members of that group in the authentication provider will be able to access the resource with the permissions that you've specified for the group. For more information on roles and permissions, see [Role Based Access Control]({{< baseurl >}}/rancher/v2.x/en/admin-settings/rbac/).
Managing Members
When adding a user or group to a resource, you can search for users or groups by beginning to type their name. The Rancher server will query the authentication provider to find users and groups that match what you've entered. Searching is limited to the authentication provider that you are currently logged in with. For example, if you've enabled GitHub authentication but are logged in using a [local]({{< baseurl >}}/rancher/v2.x/en/admin-settings/authentication/local/) user account, you will not be able to search for GitHub users or groups.
All users, whether they are local users or from an authentication provider, can be viewed and managed. From the Global view, click on Users.
{{< saml_caveats >}}
User Information
Rancher maintains information about each user that logs in through an authentication provider. This information includes whether the user is allowed to access your Rancher server and the list of groups that the user belongs to. Rancher keeps this user information so that the CLI, API, and kubectl can accurately reflect the access that the user has based on their group membership in the authentication provider.
Whenever a user logs in to the UI using an authentication provider, Rancher automatically updates this user information.
Automatically Refreshing User Information
Available as of v2.2.0
Rancher will periodically refresh the user information even before a user logs in through the UI. You can control how often Rancher performs this refresh. From the Global view, click on Settings. Two settings control this behavior:
- `auth-user-info-max-age-seconds`: This setting controls how old a user's information can be before Rancher refreshes it. If a user makes an API call (either directly or by using the Rancher CLI or kubectl) and the time since the user's last refresh is greater than this setting, then Rancher will trigger a refresh. This setting defaults to `3600` seconds, i.e. 1 hour.
- `auth-user-info-resync-cron`: This setting controls a recurring schedule for resyncing authentication provider information for all users. Regardless of whether a user has logged in or used the API recently, this will cause the user to be refreshed at the specified interval. This setting defaults to `0 0 * * *`, i.e. once a day at midnight. See the Cron documentation for more information on valid values for this setting.
Note: Since SAML does not support user lookup, SAML-based authentication providers do not support periodically refreshing user information. User information will only be refreshed when the user logs into the Rancher UI.
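The following added example (not Rancher code) models the two refresh triggers and the SAML exception described above, to show which cached group lists will be refreshed automatically and which stay stale until the next UI login. The record fields `name`, `saml` and `last_refresh` are assumptions, the sample users are constructed, and the cron handling covers only daily `M H * * *` schedules evaluated in the time zone of the supplied timestamp.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE_SECONDS = 3600     # auth-user-info-max-age-seconds default from this page
RESYNC_CRON = "0 0 * * *"  # auth-user-info-resync-cron default from this page

def next_daily_resync(now, cron=RESYNC_CRON):
    """Next run of a daily 'M H * * *' schedule; other cron forms are not modelled."""
    minute, hour, dom, month, dow = cron.split()
    if (dom, month, dow) != ("*", "*", "*"):
        raise ValueError("only daily 'M H * * *' schedules are modelled")
    run = now.replace(hour=int(hour), minute=int(minute), second=0, microsecond=0)
    return run if run > now else run + timedelta(days=1)

def refresh_outlook(user, now, max_age=MAX_AGE_SECONDS, cron=RESYNC_CRON):
    """Report how old a cached record is and what will refresh it next."""
    age = int((now - user["last_refresh"]).total_seconds())
    if user["saml"]:
        # No user lookup in SAML: only a UI login updates the record.
        return {"user": user["name"], "age_s": age,
                "refresh_on_api_call": False, "next_resync": None}
    return {"user": user["name"], "age_s": age,
            "refresh_on_api_call": age > max_age,  # "greater than this setting"
            "next_resync": next_daily_resync(now, cron)}

# Constructed sample records (hypothetical users, not Rancher output).
NOW = datetime(2020, 1, 1, 10, 30, tzinfo=timezone.utc)
USERS = [
    {"name": "alice", "saml": False, "last_refresh": NOW - timedelta(hours=2, minutes=30)},
    {"name": "bob",   "saml": True,  "last_refresh": NOW - timedelta(days=3)},
    {"name": "carol", "saml": False, "last_refresh": NOW - timedelta(seconds=3600)},
]

def report(users=USERS, now=NOW):
    """Evaluate every sample user at the same point in time."""
    return [refresh_outlook(u, now) for u in users]

if __name__ == "__main__":
    for row in report():
        print(row)
```

A record like the SAML user's, with no scheduled refresh and a large age, is the case to review when group membership in the identity provider has changed.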
Manually Refreshing User Information
If you are not sure when Rancher last performed an automatic refresh of user information, you can perform a manual refresh of all users.
- From the Global view, click on Users in the navigation bar.
- Click on Refresh Group Memberships.
Results: Rancher refreshes the user information for all users. Requesting this refresh will update which users can access Rancher as well as all the groups that each user belongs to.
Note: Since SAML does not support user lookup, SAML-based authentication providers do not support the ability to manually refresh user information. User information will only be refreshed when the user logs into the Rancher UI.
Session Length
Available as of v2.3.0
The default length (TTL) of each user session is adjustable. The default session length is 16 hours.
- From the Global view, click on Settings.
- In the Settings page, find `auth-user-session-ttl-minutes` and click Edit.
- Enter the amount of time in minutes a session should last and click Save.
Result: Users are automatically logged out of Rancher after the set number of minutes.