Merge branch 'main' into staceys-permissions-draft
Signed-off-by: Stacey Salamon <111294980+staceysalamon-aiven@users.noreply.github.com>
staceysalamon-aiven authored Feb 3, 2025
2 parents a337066 + 34ddcf8 commit 3bbfce7
Showing 18 changed files with 993 additions and 248 deletions.
10 changes: 6 additions & 4 deletions docs/platform/concepts/authentication-tokens.md
Expand Up @@ -7,12 +7,12 @@ There are 3 types of tokens used to access the Aiven platform: session tokens, p
Session tokens are created when you log in or make an API call. These tokens are revoked
when you log out of the Aiven Console or the CLI.

You can create personal tokens to access resources instead of using your password.
You can [create personal tokens](/docs/platform/howto/create_authentication_token) to
access resources instead of using your password.
Application tokens are linked to
[application users](/docs/platform/concepts/application-users). Application users and
tokens are a more secure option for non-human users like external applications. You can
create multiple personal or application tokens for different use cases or applications.

create multiple personal or application tokens for different use cases.

## Token limits

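Review bot: the new sentence "Application users and tokens are a more secure option for non-human users like external applications" gives no reason, so a reader cannot judge when the recommendation applies; add the one property that makes them safer, which this same change spells out in set-authentication-policies.md ("Personal tokens are generated with the authentication method that the user logged in with", so a policy change can invalidate a person's token while an application token is not tied to anyone's login). Also, "Session tokens are created when you log in or make an API call" would be more useful with their lifetime stated, since the Token security section below tells readers to set a session duration.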
Expand All @@ -26,10 +26,12 @@ This is especially useful for automation that creates tokens.

## Token security

To keep your personal tokens secure:
To keep your personal and application tokens secure:

- Set a session duration to limit the impact of exposure
- Refrain from letting users share tokens
- Rotation your tokens regularly
- Use application users for non-human users and follow
[security best practices](/docs/platform/concepts/application-users) for their tokens
- Control access to your organzation's resources with the
[authentication policy](/docs/platform/howto/set-authentication-policies)
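Review bot: two typos in the new list: "Rotation your tokens regularly" should read "Rotate your tokens regularly", and "organzation's" should be "organization's". The first bullet, "Set a session duration to limit the impact of exposure", would be more actionable with the default and maximum duration named, or a link to where the duration is set.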
15 changes: 8 additions & 7 deletions docs/platform/concepts/permissions.md
Expand Up @@ -33,13 +33,14 @@ and services within it.

### Organization permissions

| Console name | API name | Allowed actions |
| ------------------------------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Manage application users | `organization:app_users:write` | <ul> <li> Create, edit, and delete application users. </li> <li> View all application users. </li> <li> Generate and revoke application tokens. </li> <li> List all application tokens. </li> </ul> |
| View organization audit log | `organization:audit_logs:read` | <ul> <li> View the audit log. </li> </ul> |
| Manage domains | `organization:domains:write` | <ul> <li> Add, edit, and remove domains. </li> <li> View all organization domains. </li> </ul> |
| Manage groups | `organization:groups:write` | <ul> <li> Create, edit, and delete groups. </li> <li> Add organization and application users to groups. </li> <li> Remove organization and application users from groups. </li> </ul> |
| Manage organization users | `organization:users:write` | <ul> <li> Invite new users to the organization. </li> <li> View all invited users. </li> <li> Remove user invites. </li> <li> Deactivate, edit and delete [managed users](/docs/platform/concepts/managed-users). </li> <li> Remove non-managed users from the organization. </li> <li> Reset passwords for managed users. </li> <li> View all authentication methods for an organization user. </li> <li> Revoke tokens for managed users. </li> <li> View all tokens generated by managed users. </li> </ul> |
| Console name | API name | Allowed actions |
| --------------------------- | ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Manage application users | `organization:app_users:write` | <ul> <li> Create, edit, and delete application users. </li> <li> View all application users. </li> <li> Generate tokens for application users that are not super admin and have not been granted any permissions. </li> <li> Revoke application tokens. </li> <li> List all application tokens. </li> </ul> |
| View organization audit log | `organization:audit_logs:read` | <ul> <li> View the audit log. </li> </ul> |
| Manage domains | `organization:domains:write` | <ul> <li> Add, edit, and remove domains. </li> <li> View all organization domains. </li> </ul> |
| Manage groups | `organization:groups:write` | <ul> <li> Create, edit, and delete groups. </li> <li> Add organization and application users to groups. </li> <li> Remove organization and application users from groups. </li> </ul> |
| Manage projects | `organization:projects:write` | <ul> <li> Create and delete projects. </li> <li> Assign projects to billing groups. </li> <li> Add and remove project tags. </li> </ul> **Cannot otherwise access or move the project or its services.** |
| Manage organization users | `organization:users:write` | <ul> <li> Invite new users to the organization. </li> <li> View all invited users. </li> <li> Remove user invites. </li> <li> Deactivate, edit and delete [managed users](/docs/platform/concepts/managed-users). </li> <li> Remove non-managed users from the organization. </li> <li> Reset passwords for managed users. </li> <li> View all authentication methods for an organization user. </li> <li> Revoke tokens for managed users. </li> <li> View all tokens generated by managed users. </li> </ul> |


## Project roles and permissions
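Review bot: the narrowed wording for `organization:app_users:write`, "Generate tokens for application users that are not super admin and have not been granted any permissions", is the important change in this hunk (it stops a holder of this permission from minting a token for a more privileged application user and stepping up to that user's access), but "have not been granted any permissions" is ambiguous: does it cover project roles and group memberships as well as organization permissions? Spell out which grants count, since the same row still allows "Add organization and application users to groups" via `organization:groups:write`. Minor: in the new "Manage projects" row the bold "Cannot otherwise access or move the project or its services" sits outside the `<ul>`; make it a list item like the other rows.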
11 changes: 10 additions & 1 deletion docs/platform/howto/disk-autoscaler.md
Expand Up @@ -49,7 +49,16 @@ listed on [Aiven Plans and Pricing](https://aiven.io/pricing?product=kafka).
Aiven Autoscaler.
1. When disk storage consumption reaches the threshold for a specific
service, usually within minutes Aiven Autoscaler increases available storage space
by 10% every time taking the used disk space as a baseline.
by **at least 10%** every time, taking used disk space as a baseline.

:::important
The exact increase depends on:

- The service type
- The cloud provider

Some providers enforce a minimum of 10 GB.
:::

:::note[Autoscale thresholds per service type]
The threshold at which disk autoscaling is triggered is a percentage of
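Review bot: "by **at least 10%**" together with "Some providers enforce a minimum of 10 GB" leaves the actual rule unstated; if the increase is the larger of 10% of used space and the provider minimum, say so in one sentence, and name the service types and cloud providers the :::important block refers to (or link to where they are listed) instead of the bare "The service type" / "The cloud provider" bullets. Also, "usually within minutes Aiven Autoscaler increases available storage space" reads better as "Aiven Autoscaler usually increases available storage space within minutes".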
3 changes: 2 additions & 1 deletion docs/platform/howto/list-identity-providers.md
Expand Up @@ -50,7 +50,8 @@ To limit access further, also consider these authentication policy settings:
organization identity provider settings ensures that users only log in to the Console
with your chosen IdP.
- **Don't allow users to create personal tokens**: This prevents users from accessing
organization resources through the API.
organization resources through the API using a long-lived
[personal token](/docs/platform/concepts/authentication-tokens) they created.

If you allow your users to create personal tokens, you can still make these more
secure by enabling **Require users to be logged in with an allowed
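Review bot: "This prevents users from accessing organization resources through the API using a long-lived personal token they created" still reads as if disabling personal tokens closes API access; authentication-tokens.md in this same change says session tokens are created when you log in or make an API call, so a user who logs in with an allowed method can still reach the API with a session token. Say that this setting removes only the standing personal-token path and that it needs the IdP-only login setting above for the full effect. "long-lived" is also loose, since the Token security list in authentication-tokens.md tells users to set a session duration on these tokens.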
6 changes: 3 additions & 3 deletions docs/platform/howto/manage-project.md
Expand Up @@ -35,12 +35,12 @@ The project name in your DNS records will not be updated.
## Move a project

You can move a project to another organization or organizational unit.
Users with admin access to projects can move them to another
organizational unit or up a level to the organization.
Users with the organization admin, project admin, or super admin role can move projects
within an organization.

To move a project to a different organization, you must be an
[organization admin](/docs/platform/concepts/permissions#organization-roles-and-permissions)
of both organizations.
or super admin of both organizations.

All users with permission to access the project lose the permissions when you
move it to a different organization.
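Review bot: the new sentence "Users with the organization admin, project admin, or super admin role can move projects within an organization" widens the old text, which limited moves to users with admin access to the project moving it to another organizational unit or up a level; confirm that a project-scoped admin is intended to move a project between organizational units, since that lets a project-level role change where the project sits in the organization. Note also that the new `organization:projects:write` permission added to permissions.md in this same change explicitly "Cannot otherwise access or move the project", so the two pages agree only if "project admin" here means the project role and not that permission; say so. Link "super admin" the way "organization admin" is linked.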
12 changes: 9 additions & 3 deletions docs/platform/howto/set-authentication-policies.md
Expand Up @@ -4,7 +4,7 @@ title: Set authentication policies for organization users

import ConsoleLabel from "@site/src/components/non-swizzled/ConsoleIcons"

The authentication policy for your organization specifies the ways that users in your organization and their personal tokens can access the organization on the Aiven platform.
The authentication policy for your organization specifies the ways that users in your organization can access the organization on the Aiven Platform.

## Authentication types

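Review bot: dropping "and their personal tokens" from the intro sentence makes it narrower than the page: the "Don't allow users to create personal tokens" setting further down (visible in the hunk at old line 54 below) is still a token restriction. Keep a mention of tokens, for example "the ways that users in your organization, and the tokens they create, can access the organization".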
Expand All @@ -20,7 +20,7 @@ two-factor authentication (2FA) for password logins for all users in
your organization.

When 2FA is required, users can't access any resources in your organization until they
set up 2FA. This only applies to logins using email and password. The Aiven platform
set up 2FA. This only applies to logins using email and password. The Aiven Platform
cannot enforce 2FA for logins through third-party providers, including identity providers.

:::note
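Review bot: the only change in this hunk is "Aiven platform" to "Aiven Platform", but authentication-tokens.md in this same change still reads "access the Aiven platform" in its hunk header line; pick one form and apply it across the changed files. Since the paragraph states that 2FA cannot be enforced for logins through identity providers, add that MFA for those users has to be required in the identity provider itself, otherwise the requirement silently does not cover them.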
Expand Down Expand Up @@ -54,7 +54,7 @@ personal tokens. Non-managed users can still create personal tokens, but they ca
them to access the organization's resources.

To regularly manage your resources programmatically with the Aiven API, CLI,
Terraform Provider, or other applications, it's best to create an
Terraform Provider, or other tools, it's best to create an
[application user](/docs/platform/howto/manage-application-users) with its own tokens.

Personal tokens are generated with the authentication method that the user logged in with.
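Review bot: "Terraform Provider, or other tools" is fine, but the recommendation "it's best to create an application user with its own tokens" gives no reason; the next sentence, "Personal tokens are generated with the authentication method that the user logged in with", is the reason (a policy change can invalidate a person's token and break the automation that uses it), so join the two, for example "because personal tokens depend on the login method, a policy change can stop automation that uses them".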
Expand All @@ -72,6 +72,12 @@ provider, then the token generated when the user was logged in with their passwo
not work. After logging in with an allowed method on the new authentication policy
the user can create a token.

### Access from allowed IP addresses

You can restrict access to your organization's resources by allowing only specific IP
address ranges, ensuring connections are coming from trusted networks. This helps you
minimize exposure, reduce the risk of breaches, and comply with policies and regulations.

## Set an authentication policy

1. In the organization, click **Admin**.
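Review bot: the new "Access from allowed IP addresses" section describes the benefit but not the behavior or the setting: say where in the policy it is configured (the "Set an authentication policy" steps that follow do not mention it), whether ranges are entered as CIDR blocks, whether it applies to Console logins, API tokens, or both, and what happens to existing sessions and tokens used from an address outside the allowed ranges once the policy is enabled. "minimize exposure, reduce the risk of breaches, and comply with policies and regulations" can be cut to one clause.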
3 changes: 2 additions & 1 deletion docs/platform/howto/support.md
Expand Up @@ -10,7 +10,8 @@ the [Aiven Community Forum](https://aiven.io/community/forum/).
## Change your support tier {#upgrade-support-tier}

To change your organization's support tier, you must be an
[organization admin](/docs/platform/concepts/permissions#organization-roles-and-permissions).
[organization admin](/docs/platform/concepts/permissions#organization-roles-and-permissions)
and have at least the Basic support tier.

1. In the organization, click **Admin**.

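Review bot: "and have at least the Basic support tier" needs clarification: if Basic is the tier every organization starts on, the condition is always met and can be dropped; if there is a tier below Basic, name it and say how an organization on it reaches Basic, otherwise the sentence tells such a reader they cannot change tier at all.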
154 changes: 153 additions & 1 deletion docs/products/caching/howto/upgrade-aiven-for-caching-to-valkey.md
Expand Up @@ -17,9 +17,15 @@ The process retains configurations, users, and data without disrupting your serv
- To upgrade using the Aiven API, ensure you have an
[Aiven API token](/docs/platform/howto/create_authentication_token) with the
necessary permissions.
- To upgrade using the
[Aiven Operator for Kubernetes®](https://aiven.github.io/aiven-operator/installation/prerequisites.html),
ensure your version is 0.15.0 or later and you have an
[Aiven API token](/docs/platform/howto/create_authentication_token) with the
necessary permissions.

## What to expect during the upgrade

- **No new service created**: The upgrade changes the type of the existing service.
- **No service disruption**: The upgrade occurs without interruption. The service
is recycled, and the nodes are replaced, but your service continues to
operate during the process.
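Review bot: the new Kubernetes prerequisite repeats "an Aiven API token with the necessary permissions" without saying which permissions or why the operator path needs a raw API token at all; state that the operator procedure still calls the ServiceServiceTypeUpdate endpoint directly with curl, and name the project permission that call requires. A link to how to check the installed operator version next to "0.15.0 or later" would also help.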
Expand Down Expand Up @@ -73,7 +79,153 @@ are recycled, and your service continues to operate as the upgrade completes.
"https://api.aiven.io/v1/project/PROJECT_NAME/service/SERVICE_NAME"
```

</TabItem> </Tabs>
</TabItem>
<TabItem value="k8" label="Aiven Operator for Kubernetes®">
:::tip
See
[Aiven Operator for Kubernetes configuration options for Valkey](https://aiven.github.io/aiven-operator/api-reference/valkey.html).
:::

1. [Get authenticated and authorized](https://aiven.github.io/aiven-operator/authentication.html)
to use the Aiven Operator for Kubernetes.

1. Add the deletion policy annotation in the Aiven for Redis manifest.

1. In the manifest file of your Aiven for Redis service, for example `redis-service.yaml`,
add the deletion policy annotation: `controllers.aiven.io/deletion-policy: Orphan`.

```yaml {4,5}
apiVersion: aiven.io/v1alpha1
kind: Redis
metadata:
annotations:
controllers.aiven.io/deletion-policy: Orphan
name: SERVICE_NAME
spec:
project: PROJECT_NAME
cloudName: CLOUD_AND_REGION_NAME
plan: SERVICE_PLAN_NAME
```
1. Update the service by applying the configuration:
```bash
kubectl apply -f redis-service.yaml
```

1. Verify that the annotation has been applied:

```bash
kubectl get redis SERVICE_NAME -o yaml | grep -m 1 Orphan
```

Expected output:

```txt
controllers.aiven.io/deletion-policy: Orphan
```

1. Migrate your Aiven for Redis service in the Aiven API.

Change the service type from `redis` to `valkey` by calling the
[ServiceServiceTypeUpdate](https://api.aiven.io/doc/#tag/Service/operation/ServiceServiceTypeUpdate)
API endpoint, replacing `PROJECT_NAME` and `SERVICE_NAME` with meaningful values.

```bash {4}
curl -X PATCH "https://api.aiven.io/v1/project/PROJECT_NAME/service/SERVICE_NAME/service_type" \
-H "Authorization: Bearer $AIVEN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"service_type": "valkey"}'
```

1. Migrate your Aiven for Redis service in Kubernetes:

1. Copy the content of the Aiven for Redis manifest file (`redis-service.yaml`) to a new
Aiven for Valkey manifest file (`valkey-service.yaml`) with CLI:

```bash
cp redis-service.yaml valkey-service.yaml
```

1. Modify the new Aiven for Valkey manifest file (`valkey-service.yaml`):

- Replace `kind: Redis` with `kind: Valkey`.
- Add the `connInfoSecretTarget` object and the `name` property. Set `name` to the
name of the secret for the new Aiven for Valkey resource.

:::note
By default, the secret for the new Aiven for Valkey resource gets the `VALKEY` prefix.
To keep the `REDIS` prefix, add the `prefix: REDIS` property in the
`connInfoSecretTarget` object.
:::

```yaml {2,10,11,12}
apiVersion: aiven.io/v1alpha1
kind: Valkey
metadata:
name: SERVICE_NAME
spec:
authSecretRef:
name: aiven-token
key: token
connInfoSecretTarget:
name: NEW_VALKEY_SECRET
# prefix: REDIS
```

1. Create the Aiven for Valkey resource by applying the configuration:

```bash
kubectl apply -f valkey-service.yaml
```

1. Verify that the Aiven for Valkey secret has been created:

```bash
kubectl get secrets
```

Expected output:

```txt
NAME TYPE DATA AGE
OLD_REDIS_SECRET Opaque NN HHMMSS
NEW_VALKEY_SECRET Opaque NN HHMMSS
```

1. Update your applications to use the new Aiven for Valkey secret.

1. Delete your Aiven for Redis resource in Kubernetes:

1. Run

```bash
kubectl delete -f redis-service.yaml
```

Expected output:

```txt
redis.aiven.io "SERVICE_NAME" deleted
```

1. Verify that the Aiven for Valkey secret persists and the Aiven for Redis secret is
deleted:

```bash
kubectl get secrets
```

Expected output:

```txt
NAME TYPE DATA AGE
NEW_VALKEY_SECRET Opaque NN HHMMSS
```

</TabItem>
</Tabs>

## Related pages

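Review bot: the step "Delete your Aiven for Redis resource in Kubernetes" (`kubectl delete -f redis-service.yaml`) deletes the live Aiven service together with its data if the `controllers.aiven.io/deletion-policy: Orphan` annotation was not applied, and the procedure relies on that annotation having been set and verified several steps earlier; put an explicit warning at the delete step and tell the reader to repeat the check there. The check itself, `kubectl get redis SERVICE_NAME -o yaml | grep -m 1 Orphan`, matches any occurrence of the word; `kubectl get redis SERVICE_NAME -o jsonpath='{.metadata.annotations.controllers\.aiven\.io/deletion-policy}'` reads the exact annotation. Two smaller points: the Valkey manifest highlight `{2,10,11,12}` is off by one (the `connInfoSecretTarget` block is on lines 9-11 of that example), and that example drops the `project`, `cloudName` and `plan` fields that the Redis manifest above shows, even though the step says to copy the file; either show the full spec or say the example is abbreviated. It would also help to say whether the operator tries to reconcile the still-existing `Redis` resource against a service that is now of type `valkey` between the curl step and the deletion step, and whether that produces errors the reader should expect.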
