Groups / assignment of services

This is already probably there, but maybe I am not 100% in the right way of thinking.

So far, I have been playing with the demo and got it over the line. I am starting to think about how this might work for many users. So far, I have been creating a user and assigning a service to them, but there is nowhere that I can look up a service name and see who is assigned, or assign multiple users to it easily.

Take for example http.svc. Say I had 50 identities. The only way I can see who is assigned to that service is to open each identity and see if they have it assigned. What would be nice is to have a (for want of a better name) GROUPS option, where it would list the services, then list those assigned to each service, and a searchable list of people who are currently not in that list whom you could assign to that service.

Also, on service creation, it might be nice to have a text field, or show the tag cloud somehow, so you can put in a description of what the service is, i.e. http.svc has a description of "docker whale", for instance.

I am not as familiar with this bit of our APIs; I've asked some other people on the team to take a look at your message and offer insights.

One way of doing this is via policy advisor, but IMO it's not performant for "thousands" of users. 50 you could suffer through. You could issue: ziti edge policy-advisor identities -q | grep serviceNameHere and find who's got access to which service that way.

I'll see if I can get someone else to comment here though; I thought we had a mechanism for doing this, I just don't know.

ziti edge list service identities <service id or name>

will show you identities that have access to a given service.

ziti edge list identity services <identity id or name>

will show you services that an identity has access to.

The one missing piece currently is that you can't filter by Dial vs Bind, so you can't tell the type of policy(ies) that are providing the access. It wouldn't be hard to add; we just need to figure out the mechanism (should it be a query param or a separate REST endpoint).

I added an issue to track the filtering by policy type: Allow filtering by policy type when listing identities for service or services for identity · Issue #1031 · openziti/edge · GitHub

SWEET! Today I learned those commands! :slight_smile: Thanks @plorenz


The same type of commands exist for service and identity to edge router, as well as being able to query which policies those three entities are linked to.


$ ziti edge list edge-router edge-router-policies edge-router-1
│ ID         │ NAME                         │ EDGE ROUTER ROLES │ IDENTITY ROLES │
│ DHi-GTVXK  │ echo                         │ #all              │ #echo          │
│ UpcvyQ6nyM │ echo-client                  │ @edge-router-1    │ #echo-client   │
│ h-DqbP927  │ edge-router-h-DqbP927-system │ @edge-router-1    │ @edge-router-1 │
results: 1-3 of 3

Finally you can also query which role attributes are being used by services, identities and edge routers.


$ ziti edge list service-role-attributes
│ echo           │
results: 1-1 of 1

Just wanted to add that IMHO the best way to organize OpenZiti so it's functional for a large number of users/services is by using the role attributes when creating those objects.

For example, if you have that service called http.svc, when you create the service dial policy, instead of adding each @user you would use the role attribute #http.svc.users, and when creating new users that need access to that service, you would assign them the attribute #http.svc.users.

Using this mechanism you can group users and services in endless combinations.


Thanks for the info. So, using the docker-compose example, I have two users assigned to http.svc dial policy.

I can see what is assigned to that using

ziti@110ca48ed93c:/openziti$ ziti edge list service identities http.svc
│ ID         │ NAME              │ TYPE   │ ATTRIBUTES   │
│ 7HSb-j9ni  │ ziti-private-blue │ Router │              │
│ Jr90WyYmBG │ http-client       │ User   │ http-clients │
│ xVP71IGHCl │ My test user      │ User   │ http-clients │

What I would like to do is to be able to see who has the http-clients role. How I would use it…

USE CASE: I open a user (GUI) and see that they have the http-clients attribute. I then want to see who else has this attribute. There is no way to do this through the GUI that I can see.

In the example above, what is the command to find all the identities that have the attribute http-clients? I thought it might have been ziti edge list identity-role-attributes http-clients, but no (I have probably done it wrong).

Secondly, I would expect to be able to add users to the http-clients attribute without having to open each user, like I would open a group in other apps and be able to edit membership.

Using the command ziti edge update identity "My test user" -a "blah" overwrites any existing attribute that was there. Is there a way to add/remove an attribute without clobbering what was there?

For listing entities by role attribute you can use a filter as follows:

plorenz@vimes:~/work/nf/ziti-sdk-rust$ ziti edge ls identities
│ ID         │ NAME          │ TYPE    │ ATTRIBUTES       │
│ 4dL-orVXKo │ zcat          │ Service │ echo,echo-client │
│ Ce1f5dDCey │ edge-router-2 │ Router  │ echo-host        │
│ WOqAKJJun  │ Default Admin │ User    │                  │
│ h-DqbP927  │ edge-router-1 │ Router  │ echo-host        │
results: 1-4 of 4
plorenz@vimes:~/work/nf/ziti-sdk-rust$ ziti edge ls identities 'anyOf(roleAttributes) = "echo-host"'
│ ID         │ NAME          │ TYPE   │ ATTRIBUTES │
│ Ce1f5dDCey │ edge-router-2 │ Router │ echo-host  │
│ h-DqbP927  │ edge-router-1 │ Router │ echo-host  │
results: 1-2 of 2

For adding a role attribute to multiple users, that's a scripting/UX issue so I'll leave that for others to discuss.

There's not currently a way (with the CLI) to add an attribute to an entity. I'll add an issue to track this.
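The two gaps discussed in this thread (listing who carries a given attribute, and adding an attribute to an identity without overwriting the ones it already has) can be scripted today from the CLI's JSON output. The following is an added example written for this thread, not code from the OpenZiti project or from any poster. It assumes that `ziti edge list identities -j` prints a JSON document with a top-level "data" array whose elements carry "id", "name" and "roleAttributes"; the sample document embedded below is constructed to mirror the http.svc table posted above, not captured from a controller. Because `ziti edge update identity -a` replaces the whole attribute set, the script computes the merged set from the current list and emits the full command rather than typing the new attribute alone.

```python
"""Attribute explorer for OpenZiti identities.

Added example for this thread, not code from the OpenZiti project.  It works
on the JSON that `ziti edge list identities -j` prints.  The record shape
(a top-level "data" array of objects with "id", "name" and "roleAttributes")
is an assumption based on that output; verify it against your controller
version before relying on it.
"""
import json
import shlex
import subprocess
from collections import defaultdict

# Constructed sample mirroring the `ziti edge list service identities http.svc`
# table posted in this thread; not captured from a live controller.
SAMPLE_LIST_OUTPUT = json.dumps({
    "data": [
        {"id": "7HSb-j9ni", "name": "ziti-private-blue", "roleAttributes": None},
        {"id": "Jr90WyYmBG", "name": "http-client", "roleAttributes": ["http-clients"]},
        {"id": "xVP71IGHCl", "name": "My test user", "roleAttributes": ["http-clients"]},
    ]
})


def parse_identities(list_json):
    """Return the identity records from `ziti edge list identities -j` output."""
    return json.loads(list_json)["data"]


def identities_by_attribute(identities):
    """Invert identity -> attributes into attribute -> sorted identity names,
    which answers "who else has http-clients?" for every attribute at once."""
    groups = defaultdict(set)
    for ident in identities:
        # roleAttributes is null for identities with no attributes (the router above).
        for attr in ident.get("roleAttributes") or []:
            groups[attr].add(ident["name"])
    return {attr: sorted(names) for attr, names in groups.items()}


def attribute_filter(attr):
    """ZitiQL filter listing identities that carry one attribute (the form
    shown in the reply above).  Backslashes and double quotes are escaped so
    an attribute name cannot break out of the quoted literal."""
    escaped = attr.replace("\\", "\\\\").replace('"', '\\"')
    return f'anyOf(roleAttributes) = "{escaped}"'


def merged_update_command(identities, name, add=(), remove=()):
    """argv for `ziti edge update identity NAME -a ...` that keeps the
    attributes the identity already has.  -a replaces the whole set, so the
    new set is computed here from the current list instead of being typed."""
    current = next(i for i in identities if i["name"] == name)
    attrs = set(current.get("roleAttributes") or [])
    attrs = (attrs | set(add)) - set(remove)
    for attr in attrs:
        if "," in attr:
            # -a takes a comma-separated list, so a comma inside a name is
            # ambiguous; refuse rather than silently split it.
            raise ValueError(f"attribute contains a comma: {attr!r}")
    return ["ziti", "edge", "update", "identity", name, "-a", ",".join(sorted(attrs))]


def live_identities(ziti="ziti"):
    """Fetch identities from the controller the CLI is logged in to.
    Assumes `-j` switches `ziti edge list` to JSON output."""
    out = subprocess.run([ziti, "edge", "list", "identities", "-j"],
                         check=True, capture_output=True, text=True).stdout
    return parse_identities(out)


if __name__ == "__main__":
    identities = parse_identities(SAMPLE_LIST_OUTPUT)  # swap for live_identities()
    for attr, names in sorted(identities_by_attribute(identities).items()):
        print(f"#{attr}: {', '.join(names)}")
        print(f"  ziti edge list identities {shlex.quote(attribute_filter(attr))}")
    # Add "blah" to "My test user" without losing "http-clients".
    print(shlex.join(merged_update_command(identities, "My test user", add=["blah"])))
```

Run it as-is to see the grouping and the generated command against the embedded sample; replace the sample with `live_identities()` once the CLI is logged in. Read the `-a` list back with `ziti edge list identities` after applying the generated command, because an identity whose last attribute is removed gets an empty `-a` value and the behaviour of that edge case should be confirmed on your CLI version rather than assumed.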

@jeremy.tellier we should add screen(s) similar to below to ZAC for slicing and dicing based on attributes:

@jeremy.tellier: @gooseleggs' suggestion about navigating based on attributes and adding endpoints (users) from such a page is also a good idea (e.g., add additional endpoints with the #refelctclient from the screen capture above).

I added an enhancement request to ziti-console: Add "attribute explorer" and group assignments · Issue #26 · openziti/ziti-console · GitHub