Role-Based Access Control (RBAC) #460

@mmguero

Description

This feature tracks adding role-based access control (RBAC) to Malcolm. Roles will be provided by Keycloak as it provides the framework to create roles and assign them to users. Other forms of authentication (HTTP Basic, LDAP), will effectively behave the same as they do today, which is that all users basically have unrestricted permissions.

Note that the "Requiring user groups and realm roles" feature will continue to exist as it does today, as that is a higher-level check at the point of ingress.

Here are some work-in-progress notes and roles I've defined so far.

Role-based access control is only available when the authentication method is keycloak or keycloak_remote. With other authentication methods such as HTTP basic or LDAP, or when role-based access control is disabled, all Malcolm users effectively have administrator privileges.

Having chosen keycloak or keycloak_remote in auth_setup, users will select Configure Role-Based Access Control and indicate they wish to enable it. The auth_setup dialog then instructs the user to See Keycloak or auth-common.env for realm roles.

auth-common.env contains the environment variables that define the names of Malcolm's "back-end" roles, which are in turn mapped to the roles used internally by Malcolm's several components (e.g., NetBox, OpenSearch, etc.). When using Malcolm's embedded Keycloak instance, realm roles with these names are automatically created when Keycloak starts up. When using a remote Keycloak instance, the user must create these realm roles manually.

These environment variables are divided into two sections:

  • General access roles
    • ROLE_ADMIN - Unrestricted administrator access
    • ROLE_READ_ACCESS - Read-only access across all Malcolm components
    • ROLE_READ_WRITE_ACCESS - Read/write access across all Malcolm components, excluding some administrator functions
  • Fine-grained roles
    • ROLE_ARKIME_ADMIN - Maps to Arkime's built-in arkimeAdmin role
    • ROLE_ARKIME_READ_ACCESS - Maps to a custom Arkime role with read-only Viewer access
    • ROLE_ARKIME_READ_WRITE_ACCESS - Maps to a custom Arkime role with read/write Viewer access
    • ROLE_ARKIME_PCAP_ACCESS - Maps to a custom Arkime role with access to viewing/exporting PCAP payloads in Viewer
    • ROLE_ARKIME_HUNT_ACCESS - Maps to a custom Arkime role with access to Hunt (packet search) in Viewer
    • ROLE_ARKIME_WISE_READ_ACCESS - Maps to Arkime's built-in wiseUser role
    • ROLE_ARKIME_WISE_READ_WRITE_ACCESS - Maps to Arkime's built-in wiseAdmin role
    • ROLE_DASHBOARDS_READ_ACCESS - Read-only access to OpenSearch Dashboards visualizations, but not all Dashboards apps
    • ROLE_DASHBOARDS_READ_ALL_APPS_ACCESS - Read-only access to all OpenSearch Dashboards visualizations and apps
    • ROLE_DASHBOARDS_READ_WRITE_ACCESS - Read/write access to OpenSearch Dashboards visualizations, but not all Dashboards apps
    • ROLE_DASHBOARDS_READ_WRITE_ALL_APPS_ACCESS - Read/write access to OpenSearch Dashboards visualizations and apps
    • ROLE_EXTRACTED_FILES - Access to extracted file downloads
    • ROLE_NETBOX_READ_ACCESS - Read-only access to NetBox
    • ROLE_NETBOX_READ_WRITE_ACCESS - Read/write access to NetBox
    • ROLE_UPLOAD - Access to upload artifact interface
    • ROLE_CAPTURE_SERVICE - Internal-use role for service account used by Arkime capture on remote network sensor

Note that the general access roles are supersets of combinations of the fine-grained roles: e.g., the role named by the ROLE_READ_ACCESS variable includes read-only access to Dashboards, Arkime, and NetBox.

With role-based access control enabled, realm roles must exist that correspond to the names defined by these ROLE_… environment variables, and users must be assigned those realm roles in order to use the Malcolm features to which they correspond. Users attempting to access features for which they are not authorized will be presented with a "forbidden" error message.
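To make the semantics above concrete, here is an added illustration (not Malcolm's own code, and not how Malcolm's nginx/Keycloak integration is implemented) of how the ROLE_… variables, a user's realm roles, and the "general roles are supersets of fine-grained roles" rule combine into an allow/forbid decision. The realm role names on the right-hand side of the sample env file, and every superset relation other than the ROLE_READ_ACCESS one stated above, are assumptions made for the example; the function names are hypothetical.

```python
"""Added illustration of Malcolm-style role resolution (not Malcolm's code).

Reads ROLE_* variables from an auth-common.env-style text, maps a user's
Keycloak realm roles back to those variables, expands the general roles
into the fine-grained roles they imply, and answers "allowed or forbidden"
for a requested feature.  Non-Keycloak auth methods (or RBAC disabled)
grant everything, as the notes above describe.
"""
import re

# Constructed stand-in for auth-common.env.  The variable names are the
# ones listed above; the realm role names after '=' are assumptions.
SAMPLE_AUTH_COMMON_ENV = """\
# Malcolm back-end role names (constructed sample values)
ROLE_ADMIN=admin
ROLE_READ_ACCESS=read_access
ROLE_READ_WRITE_ACCESS=read_write_access
ROLE_ARKIME_READ_ACCESS=arkime_read_access
ROLE_ARKIME_READ_WRITE_ACCESS=arkime_read_write_access
ROLE_ARKIME_PCAP_ACCESS=arkime_pcap_access
ROLE_DASHBOARDS_READ_ACCESS=dashboards_read_access
ROLE_DASHBOARDS_READ_WRITE_ACCESS=dashboards_read_write_access
ROLE_NETBOX_READ_ACCESS=netbox_read_access
ROLE_NETBOX_READ_WRITE_ACCESS=netbox_read_write_access
ROLE_UPLOAD=upload
"""

# Fine-grained roles implied by each general role.  Only the
# ROLE_READ_ACCESS row restates the page; ROLE_READ_WRITE_ACCESS is an
# assumption for the example.  ROLE_ADMIN is handled as "everything".
GENERAL_ROLE_IMPLIES = {
    "ROLE_READ_ACCESS": {
        "ROLE_DASHBOARDS_READ_ACCESS",
        "ROLE_ARKIME_READ_ACCESS",
        "ROLE_NETBOX_READ_ACCESS",
    },
    "ROLE_READ_WRITE_ACCESS": {
        "ROLE_DASHBOARDS_READ_ACCESS",
        "ROLE_DASHBOARDS_READ_WRITE_ACCESS",
        "ROLE_ARKIME_READ_ACCESS",
        "ROLE_ARKIME_READ_WRITE_ACCESS",
        "ROLE_NETBOX_READ_ACCESS",
        "ROLE_NETBOX_READ_WRITE_ACCESS",
        "ROLE_UPLOAD",
    },
}

RBAC_AUTH_METHODS = ("keycloak", "keycloak_remote")
ENV_LINE = re.compile(r"^\s*(ROLE_[A-Z_]+)\s*=\s*([^\s#]+)")


def parse_role_env(text):
    """Return {ROLE_* variable name: realm role name}, skipping comments."""
    roles = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if match:
            roles[match.group(1)] = match.group(2)
    return roles


def effective_roles(auth_method, rbac_enabled, user_realm_roles, role_env):
    """Return the set of ROLE_* variable names the user effectively holds."""
    # Outside keycloak/keycloak_remote (or with RBAC off) everyone is
    # effectively an administrator, as the notes above state.
    if auth_method not in RBAC_AUTH_METHODS or not rbac_enabled:
        return set(role_env)
    realm_to_var = {realm: var for var, realm in role_env.items()}
    # Realm roles that are not Malcolm roles (e.g. Keycloak defaults) are ignored.
    held = {realm_to_var[r] for r in user_realm_roles if r in realm_to_var}
    if "ROLE_ADMIN" in held:
        return set(role_env)
    for general, implied in GENERAL_ROLE_IMPLIES.items():
        if general in held:
            held |= implied & set(role_env)
    return held


def authorize(required_var, auth_method, rbac_enabled, user_realm_roles, role_env):
    """Decide access to the feature guarded by required_var: (allowed, message)."""
    if required_var in effective_roles(auth_method, rbac_enabled, user_realm_roles, role_env):
        return True, "ok"
    return False, "forbidden"


if __name__ == "__main__":
    env = parse_role_env(SAMPLE_AUTH_COMMON_ENV)
    # A read-only user may read NetBox but not export PCAP from Arkime.
    print(authorize("ROLE_NETBOX_READ_ACCESS", "keycloak", True, {"read_access"}, env))
    print(authorize("ROLE_ARKIME_PCAP_ACCESS", "keycloak", True, {"read_access"}, env))
    # Under HTTP basic auth the same request is allowed for anyone.
    print(authorize("ROLE_ARKIME_PCAP_ACCESS", "basic", True, set(), env))
```

The point to take from the example is the direction of the superset relation: holding a general role grants the fine-grained roles it implies, but holding a fine-grained role never grants a general one, and a realm role that does not match any ROLE_… value grants nothing.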

Metadata

Labels

  • arkime - Relating to Malcolm's use of Arkime
  • auth - Related to Malcolm's authentication and/or user management
  • enhancement - New feature or request
  • nginx - Relating to Malcolm's use of nginx
  • opensearch - Relating to Malcolm's use of OpenSearch
  • security - Related to issues with bearing on the security of Malcolm itself

Status

Released
