ContextQMD
Back to Redis

Create Cluster Roles

content/operate/rs/security/access-control/create-cluster-roles.md

latest6.8 KB
Original Source

Roles with cluster access allow access to the Cluster Management UI and REST API.

Default management roles

Redis Software includes five predefined roles that determine a user's level of access to the Cluster Manager UI and [REST API]({{<relref "/operate/rs/references/rest-api">}}).

  1. DB Viewer - Read database settings
  2. DB Member - Administer databases
  3. Cluster Viewer - Read cluster settings
  4. Cluster Member - Administer the cluster
  5. User Manager - Administer users
  6. Admin - Full cluster access
  7. None - For data access only - cannot access the Cluster Manager UI or use the REST API

For more details about the privileges granted by each of these roles, see Cluster Manager UI permissions or [REST API permissions]({{<relref "/operate/rs/references/rest-api/permissions">}}).

Cluster Manager UI permissions

Here's a summary of the Cluster Manager UI actions permitted by each default management role:

ActionDB ViewerDB MemberCluster ViewerCluster MemberAdminUser Manager
Create, edit, delete users and LDAP mappings<span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span>
Create support package<span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span>
Edit database configuration<span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span>
Reset slow log<span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span>
View cluster configuration<span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span>
View cluster logs<span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span>
<span title="Allowed">✅ Yes</span>
View cluster metrics<span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span>
View database configuration<span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span>
View database metrics<span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span>
View node configuration<span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span>
View node metrics<span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span>
View Redis database password<span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span>
View slow log<span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span>
View and edit cluster settings<span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Not allowed">❌ No</span><span title="Allowed">✅ Yes</span><span title="Not allowed">❌ No</span>

Create roles for cluster access {#create-cluster-role}

You can use the Cluster Manager UI or the REST API to create a role that grants cluster access but does not grant access to any databases.

{{< multitabs id="create-cluster-role" tab1="Cluster Manager UI" tab2="REST API" >}}

To create a role that grants cluster access using the Cluster Manager UI:

  1. From Access Control > Roles, you can:

    • Select a role from the list of existing roles to edit it.

    • Click + Add role to create a new role.

  2. Enter a descriptive name for the role.

  3. Choose a Management role to determine cluster management permissions.

  4. To prevent database access when using this role, do not add any ACLs.

  5. Click Save.

-tab-sep-

To [create a role]({{<relref "/operate/rs/references/rest-api/requests/roles#post-role">}}) that grants cluster access using the REST API:

sh
POST /v1/roles
{ 
  "name": "<role-name>",
  "management": "db_viewer | db_member | cluster_viewer | cluster_member | user_manager | admin" 
}

{{< /multitabs >}}

You can [assign the new role to users]({{<relref "/operate/rs/security/access-control/create-users#assign-roles-to-users">}}) to grant cluster access.