Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NOP - Improve RBAC practices #1794

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added public/images/chainlink-nodes/cl-nodes-RBAC.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
2 changes: 1 addition & 1 deletion src/content/chainlink-nodes/configuring-nodes.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ You can generate the `config.toml` file using the `chainlink config dump` comman
docker exec -it chainlink bash
```

1. Log in to the Chainlink CLI with an account that has admin access:
1. Log in to the Chainlink CLI with an account that has [`admin`](/chainlink-nodes/v1/roles-and-access#roles-and-access) access:

```shell
chainlink admin login
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,20 @@
section: nodeOperator
date: Last Modified
title: "Bridges: Adding External Adapters to Nodes"
whatsnext: { "Assign role-based access tiers to users": "/chainlink-nodes/v1/roles-and-access" }
---

import { Aside } from "@components"

You can add external adapters to a Chainlink node by creating a bridge in the Node Operators Interface. Each bridge must have a unique name and a URL for the external adapter. If a job has a [Bridge Task](/chainlink-nodes/oracle-jobs/all-tasks/#bridge-task), the node searches for a bridge by name and uses that bridge as your external adapter. Bridge names are case insensitive.
You can add external adapters to a Chainlink node by creating a bridge in the Node Operators Interface.

## Users access to Bridges

Chainlink Nodes have a [role-based access control](/chainlink-nodes/v1/roles-and-access) system. Ensure you assign the appropriate role to users who manage bridges.

## Create a Bridge

Each bridge must have a unique name and a URL for the external adapter. If a job has a [Bridge Task](/chainlink-nodes/oracle-jobs/all-tasks/#bridge-task), the node searches for a bridge by name and uses that bridge as your external adapter. Bridge names are case insensitive.

To create a bridge on the node, go to the **Create Bridge** tab in the Node Operators Interface. Specify a name for the bridge, the URL for your external adapter, and optionally specify the minimum contract payment and number of confirmations for the bridge. Minimum contract payment is a fee paid in LINK for the Chainlink node making a call to the external adapter via the bridge. This fee is in addition to the fee specified at the global node level for processing job requests.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
section: nodeOperator
date: Last Modified
title: "Adding External Initiators to Nodes"
whatsnext: { "Assign role-based access tiers to users": "/chainlink-nodes/v1/roles-and-access" }
---

import { Aside } from "@components"
Expand All @@ -11,9 +12,13 @@ import { Aside } from "@components"
variable](/chainlink-nodes/v1/configuration) to enable this feature.
</Aside>

## Users access to external initiators

Chainlink Nodes have a [role-based access control](/chainlink-nodes/v1/roles-and-access) system. Ensure you assign the appropriate role to users who manage external initiators.

## Creating an external initiator

To create an external initiator you must use the remote API. You can do this yourself, like so:
To create an external initiator, you must have an [`edit`](/chainlink-nodes/v1/roles-and-access#roles-and-access) or [`admin`](/chainlink-nodes/v1/roles-and-access#roles-and-access) role and use the remote API. Execute the following command:

{/* prettier-ignore */}
```text
Expand Down Expand Up @@ -100,7 +105,7 @@ To try a real-life example, feel free to follow along with the <a href="https://

## Deleting an external initiator

To delete an external initiator you must use the remote API. You can do this yourself, like so:
To delete an external initiator, you must have an [`edit`](/chainlink-nodes/v1/roles-and-access#roles-and-access) or [`admin`](/chainlink-nodes/v1/roles-and-access#roles-and-access) role and use the remote API. Execute the following command:

```text
DELETE http://<your chainlink node>/v2/external_initiators/<external initiator name>
Expand Down
4 changes: 4 additions & 0 deletions src/content/chainlink-nodes/oracle-jobs/jobs.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,10 @@ Chainlink nodes require jobs to do anything useful. For example, posting asset p

Jobs are represented by TOML specifications.

## Users access to Jobs

Chainlink Nodes have a [role-based access control](/chainlink-nodes/v1/roles-and-access) system. Ensure you assign the appropriate role to users who manage jobs.

## Example v2 job spec

The following is an example `cron` job spec. This is a simple spec that you can add to a node:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,10 @@ Due to the early nature of the software, it may be required to perform frequent

On performing system maintenance to update the Chainlink node, follow [this](/chainlink-nodes/resources/performing-system-maintenance/#failover-node-example) guide.

## Role-based Access Control (RBAC)

Use Chainlink Nodes [role-based access](/chainlink-nodes/v1/roles-and-access) tiers to grant specific access to multiple users without providing admin privileges to all users.

## Jobs and Config

The following are suggestions for job specifications and configuration settings for the node.
Expand Down
20 changes: 12 additions & 8 deletions src/content/chainlink-nodes/resources/miscellaneous.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,17 @@
section: nodeOperator
date: Last Modified
title: "Miscellaneous"
whatsnext: { "Security and Operation Best Practices": "/chainlink-nodes/resources/best-security-practices" }
whatsnext:
{
"Security and Operation Best Practices": "/chainlink-nodes/resources/best-security-practices",
"Assign role-based access tiers to users": "/chainlink-nodes/v1/roles-and-access",
}
---

import { Aside } from "@components"
import { Tabs } from "@components/Tabs"

## Execute Commands Running Docker
## Execute commands running Docker

In order to interact with the node's CLI commands, you need to be authenticated. This means that you need to access a shell within the Chainlink node's running container first. You can obtain the running container's `NAME` by running:

Expand Down Expand Up @@ -56,7 +60,7 @@ If no jobs have been added, you will receive the following output, otherwise, th
╬════╬════════════╬════════════╬═══════╬
```

## Transfer funds from node wallet.
## Transfer funds from node wallet

<Aside type="note" title="Note for Docker">
If using Docker, you will first need to follow the [Execute Commands Running Docker](#execute-commands-running-docker)
Expand Down Expand Up @@ -96,7 +100,7 @@ It will ask for your old password first, then ask for the new password and a con

Once complete, you should see a message "Password updated."

## Multi-user and Role Based Access Control (RBAC)
## Multi-user and Role-Based Access Control (RBAC)

See the [Roles and Access Control](/chainlink-nodes/v1/roles-and-access) page.

Expand Down Expand Up @@ -135,7 +139,7 @@ Updated: 2023-04-26 08:12:51.340348 +0000 UTC

### Create a new ETH Key

To create a key in the node's keystore alongside the existing keys, run the following command:
To create a key in the node's keystore alongside the existing keys, you must have an [`edit`](/chainlink-nodes/v1/roles-and-access#roles-and-access) or [`admin`](/chainlink-nodes/v1/roles-and-access#roles-and-access) role. Run the following command:

```shell
chainlink keys eth create
Expand All @@ -161,7 +165,7 @@ Max Gas Price Wei: 1157920892373161954235709850086879078532699846656405640394575

### Export an ETH key

To export an Ethereum key to a JSON file, run the following command:
To export an Ethereum key to a JSON file, , you must have an [`admin`](/chainlink-nodes/v1/roles-and-access#roles-and-access) role. Run the following command:

```shell
chainlink keys eth export [address] [command options]
Expand All @@ -186,7 +190,7 @@ chainlink keys eth export 0xd31961E1f62A2FaB824AC3C1A7a332daF8B11eE0 --newpasswo

### Delete an ETH key

To remove an Ethereum key, run the following command:
To remove an Ethereum key, you must have an [`admin`](/chainlink-nodes/v1/roles-and-access#roles-and-access) role. Run the following command:

```shell
chainlink keys eth delete [address] [command options]
Expand All @@ -209,7 +213,7 @@ Deleted ETH key: 0xd31961E1f62A2FaB824AC3C1A7a332daF8B11eE0

### Import an ETH key

To import an Ethereum key from a JSON file, run the following command:
To import an Ethereum key from a JSON file, you must have an [`admin`](/chainlink-nodes/v1/roles-and-access#roles-and-access) role. Run the following command:

```shell
chainlink keys eth import [JSON file] [command options]
Expand Down
5 changes: 4 additions & 1 deletion src/content/chainlink-nodes/v1/fulfilling-requests.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ whatsnext:
{
"Performing System Maintenance": "/chainlink-nodes/resources/performing-system-maintenance",
"v2 Jobs": "/chainlink-nodes/oracle-jobs/jobs",
"Assign role-based access tiers to users": "/chainlink-nodes/v1/roles-and-access",
"Security and Operation Best Practices": "/chainlink-nodes/resources/best-security-practices",
}
metadata:
Expand Down Expand Up @@ -101,7 +102,9 @@ Your node works with several different types of addresses. Each address type has

You will create a job that calls an OpenAPI , parses the response and then return a `uint256`.

1. In the Chainlink Operator UI on the **Jobs** tab, click **New Job**.
1. Log in to the Chainlink Operator UI with an [admin](/chainlink-nodes/v1/roles-and-access#roles-and-access) or [edit](/chainlink-nodes/v1/roles-and-access#roles-and-access) role account.
khadni marked this conversation as resolved.
Show resolved Hide resolved

1. On the **Jobs** tab, click **New Job**.

![The new job button.](/images/chainlink-nodes/node-operators/new-job-button.png)

Expand Down
89 changes: 71 additions & 18 deletions src/content/chainlink-nodes/v1/roles-and-access.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -4,27 +4,15 @@ date: Last Modified
title: "Role-Based Access Control (RBAC)"
---

Chainlink Nodes allow the root admin CLI user and any additional admin users to create and assign tiers of role-based access to new users. These new API users can able to log in to the Operator UI independently.
import { Aside } from "@components"

Each user has a specific role assigned to their account. There are four roles: `admin`, `edit`, `run`, and `view`.
Chainlink Nodes allow the root admin CLI user and additional admin users to assign role-based access tiers. This approach grants specific access to multiple users without providing admin privileges to all users.

If there are multiple users who need specific access to manage the Chainlink Node instance, permissions and level of access can be set here.
These new API users can log in to the Operator UI independently.

User management is configured through the use of the admin `chainlink admin users` command. Run `chainlink admin login` before you set user roles for other accounts. For example, a view-only user can be created with the following command:
## Roles and access

```shell
chainlink admin users create --email=operator-ui-view-only@test.com --role=view
```

To modify permissions or delete existing users, run the `admin users chrole` or `admin users delete` commands. Use the `-h` flag to get a full list of options for these commands:

```shell
chainlink admin users chrole -h
```

```shell
chainlink admin users delete -h
```
Each user has a specific role assigned to their account. There are four roles: `admin`, `edit`, `run`, and `view`.

Specific actions are enabled to check role-based access before they execute. The following table lists the actions that have role-based access and the role that is required to run that action:

Expand Down Expand Up @@ -84,4 +72,69 @@ Specific actions are enabled to check role-based access before they execute. The
| Edit user | | | | X |
| List users | | | | X |

The run command allows for minimal interaction and only enables the ability to replay a specific block number and kick off a job run.
## Configure users and roles

You can only use the CLI to configure role-based access.

### Prerequisites

Only admins can configure role-based access. Connect to the Chainlink node container and log in as an admin before you create, modify, or delete user roles for other accounts:

1. Open an interactive shell session on the container that is running your node:

```shell
docker exec -it chainlink /bin/bash
```

1. Log into the Chainlink CLI:

```shell
chainlink admin login
```

The CLI prompts you for the admin credentials that you configured for your node.

<Aside type="note" title="Log out of the CLI after your changes">
Log out of the CLI after your changes. This prevents users with access to the shell from executing admin commands.

To log out from the shell session, run:

```shell
chainlink admin logout
```

</Aside>

### View the current list of users

To view the current list of users, run the following command:

```shell
chainlink admin users list
```

### Create a new user with a specific role

For example, you can create a user with view-only permissions on the node with the following command:

```shell
chainlink admin users create --email=operator-ui-view-only@test.com --role=view
```

This user can now log into the UI and query the API, but cannot change any settings or jobs.

### Modify a user role and permissions

To modify permissions, run the `admin users chrole` command. Use the `-h` flag to get a complete list of options for these commands:

```shell
chainlink admin users chrole -h
```

### Delete a user role and permissions

To delete existing users, run the `admin users delete` command. Use the `-h` flag to get a complete list of options for these commands:

```shell
chainlink admin users delete -h
```
1 change: 1 addition & 0 deletions src/content/chainlink-nodes/v1/using-forwarder.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
section: nodeOperator
date: Last Modified
title: "Forwarder tutorial"
whatsnext: { "Assign role-based access tiers to users": "/chainlink-nodes/v1/roles-and-access" }
metadata:
title: "Chainlink Node Operators: Forwarder tutorial"
description: "Use a forwarder contract for more security and flexibility."
Expand Down
19 changes: 19 additions & 0 deletions src/pages/chainlink-nodes.astro
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,25 @@ import styles from "@features/landing/styles/EthereumLandingPage.module.css"
/>
</a>
</div>
<div class="card">
<img src="/images/chainlink-nodes/cl-nodes-RBAC.png" class="cl-image-featured" height="50" />
<h3 class={styles.cardTitle}>Manage Node User Roles and Permissions</h3>
<p style="margin-top: var(--space-2x)">Configure user access and roles on your Node for tailored permissions.</p>
<a
href="/chainlink-nodes/v1/roles-and-access"
class={button.secondary}
style="margin-top: var(--space-4x); display: inline-flex;"
>
{"Learn More"}
<img
class="cta-learnmore-arrow"
src="/images/card-icons/navigation-arrow-right.svg"
loading="lazy"
alt="Right arrow"
style="height: 16px"
/>
</a>
</div>
<div class="card">
<div>
<img
Expand Down
Loading