The upgrade of the Sysdig Monitor SaaS back-end on February 7, 2018 and On-Premises release #760 include changes to support RBAC (Role Based Access Control) which affect how Teams and User configurations are stored and modified via the API. These changes are not backward-compatible and affect the functionality of the following methods of the Python client:
If you currently have scripts that use these methods, you will need to upgrade your Python client to version 0.6.5 or newer and follow the details below to make the necessary changes to your scripts.
Previously, all users in Sysdig Monitor had global read/write access throughout the application. Admin users also had the additional ability to create/modify Team memberships.
Via the Python client, an Admin user could leverage the edit_user() method in order to:
- Set a list-based roles parameter that determined if a user was restricted to only global read/write access [ROLE_USER] or was also an Admin [ROLE_USER, ROLE_CUSTOMER]
- Set a list-based teams parameter that determined the named set of Teams to which the User was a member
Similarly, an Admin user could leverage the edit_team() method to set the list-based users parameter to establish the current membership of a Team.
With the introduction of the new RBAC functionality, a few new concepts are introduced that affect these methods:
- A Read-Only option that prevents the user from making various changes within the app (Dashboards, Alerts, etc.), which can be set for a User on a per-Team basis
- Team Manager access, which allows a user to make membership changes to a Team
- System Roles, which represent a user's global privileges regardless of Team
The resulting changes to the methods of the Python client are as follows:
- A user's global privileges are no longer set via the list-based roles parameter, but instead is now changed by setting the new systemRole parameter to ROLE_CUSTOMER for an Admin user or ROLE_USER for a non-Admin user
- Team membership is no longer set via the list-based teams parameter, but instead is set via the edit_team() method
- A Team's membership is no longer set via the list-based users parameter, but instead is set via a dictionary-based memberships parameter, where each entry's key is a username and the value is one of:
- TEAM_READ - User is a Read-Only member of this Team
- TEAM_EDIT - User is a Read/Write member of this Team (previous default)
- TEAM_MANAGER - User is a Team Manager of this Team
To see an example that leverages the new parameters of these methods, see examples/user_team_mgmt.py. To see the specific changes that were made in the client & example when transitioning to the new functionality, review Pull Request #46.
If you have additional questions, about the transition, visit sysdig.com/support and open a Support ticket.