Manage Platform resourcesUser access and management

Manage users on Astro Private Cloud

Astro Private Cloud allows you to adjust permissions for each user role and define how new users join your organization.

Use this guide to learn about customizing user signups and user roles, as well as how to use Astro Private Cloud system-level permissions. For a list of the default permissions for each role, see User roles and permissions.

To learn more about managing users through your identity provider (IdP), see Import IdP groups.

Add users to Astronomer

When Astro Private Cloud is first deployed, the first user to log in is granted “System Admin” permissions by default. From there, a user is created on Astro Private Cloud by any of the following:

  • Invitation to a Workspace by a Workspace Admin
  • Invitation to Astronomer by a System Admin
  • Signing up via the Astro Private Cloud UI without an invitation (requires “Public Signups”)
  • Imported to Astronomer through an IdP group

As a System Admin, you can open the platform to public signups, limit account creation to users invited by others, or make it so that users can only join the platform as part of an IdP-based Team.

New users appear under a System Admin’s Users tab only after the new user has successfully logged in for the first time.
You can bypass the email verification process for new users through a Houston API mutation. For the format of this mutation, see Sample Mutations.

Enable public signups

Public signups allow any user with access to your base domain to create an account. If public signups are disabled, users that try to access Astronomer without an invitation from another user will be met with an error.

In cases where SMTP credentials are difficult to acquire, enabling this flag might facilitate initial setup, as disabling public signups requires that a user accept an email invitation. Public signups are a configuration available in Astronomer’s Houston API and can be enabled in the values.yaml file of your Helm chart.

To enable public signups, add the following yaml snippet to your values.yaml file:

1astronomer:
2  houston:
3    config:
4      publicSignups: true
5      emailConfirmation: false # If you wish to also disable other SMTP-dependent features

An example values.yaml file would look like:

1global:
2  baseDomain: mybasedomain
3  tlsSecret: astronomer-tls
4nginx:
5  loadBalancerIP: 0.0.0.0
6  preserveSourceIP: true
7
8astronomer:
9  houston:
10    config:
11      publicSignups: true
12      emailConfirmation: false

Then, push the configuration change to your platform as described in Apply a config change.

System permissions on Astro Private Cloud

The System Admin role grants full permissions across all clusters, Workspaces, and Deployment entities. Users with this role can monitor and take action on Workspaces, Deployments, and users throughout all clusters.

On Astro Private Cloud, System Admins specifically can:

  • Register a data plane
  • List all data planes
  • Manage data plane -wide config
  • De-register a data plane
  • List and search all users.
  • List and search all Deployments.
  • Access the Airflow UI for all Deployments.
  • Delete a user.
  • Delete a Deployment.
  • Access Grafana and Kibana for cluster-level monitoring.
  • Add other System Admins.

In addition to the commonly used System Admin role, the Astro Private Cloud platform also supports both a System Editor and System Viewer permission set.

No user is assigned the System Editor or Viewer Roles by default, but they can be added by System Admins via our API. Once assigned, System Viewers, for example, can access both Grafana and Kibana but don’t have permission to delete a Workspace they’re not a part of.

You can customize all three Astro Private Cloud permission sets to meet your specific requirements. For more information about the default configurations attached to the System Admin, Editor and Viewer Roles, see the Houston API default config.

Assign users System Admin roles

Use the System Admin tab in the Astro Private Cloud UI to add System Admins.

Keep in mind that:

  • Only existing System Admins can grant the System Admin role to another user
  • The user must have a verified email address and already exist in the system
If you’d like to assign a user a different System-Level Role (either SYSTEM_VIEWER or SYSTEM_EDITOR), you’ll have to do so via an API call from your platform’s GraphQL playground. For guidelines, refer to our “Houston API” doc.

Verify System Admin access

To verify a user was successfully granted the System Admin role, ensure they can do the following:

  • Navigate to grafana.BASEDOMAIN
  • Navigate to kibana.BASEDOMAIN
  • Access the ‘System Admin’ tab from the top left menu of the Astro Private Cloud UI

User roles on Astro Private Cloud

Administrators can customize permissions across your installation. On Astro Private Cloud, users can be assigned roles at three levels:

  • Deployment Level (Viewer, Editor, Admin)
  • Workspace Level (Viewer, Editor, Admin)
  • System Level (Viewer, Editor, Admin)
  • Cluster Level (Admin)

Deployment roles apply to a Deployment within a single Workspace. Workspace roles apply to all Airflow Deployments within a single Workspace. Cluster Roles apply to all Workspaces across a single data plane. System Roles apply across all data planes. For more information about the three Workspace-level roles on Astro Private Cloud (Viewer, Editor and Admin), see Manage user permissions on an Astro Private Cloud Workspace.

Customize role permissions

Permissions are defined on Astro Private Cloud as scope.entity.action, where:

  • scope: The layer of our application to which the permission applies
  • entity: The object or role being operated on
  • action: The verb describing the operation being performed on the entity

For example, the deployment.serviceAccounts.create permission translates to the ability for a user to create a Deployment-level service account in any Deployment to which they belong. To view the available platform permissions and default role configurations, see Reference: System permissions.

A permission for a given scope only applies to the parts of the scope where a user has been invited. For example, a user with a role including the workspace.serviceAccounts.get permission can view service accounts only in the Workspaces they belong to.

For a complete list of Astro Private Cloud roles and default permissions, see User roles and permissions.

Role permission inheritance

In addition to their own permissions, roles inherit permissions from other roles.

There are several chains of inheritance in the Astro Private Cloud RBAC system. In the following list, > represents “inherits from”:

  • System Admin > System Editor > System Viewer > User
  • Deployment Admin > Deployment Editor > Deployment Viewer > User
  • Workspace Admin > Workspace Editor > Workspace Viewer > User

Step 1: Identify a permission change

Review the default roles and permissions in the default Houston API configuration and determine the following:

  • What role you want to configure. For example, DEPLOYMENT_EDITOR.
  • What permission(s) you want to add or remove from the role, For example, deployment.images.push.

For example, you might want to block a DEPLOYMENT_EDITOR (and therefore WORKSPACE_EDITOR) from deploying code to all Airflow Deployments within a Workspace and instead limit that action to users assigned the DEPLOYMENT_ADMIN role.

Step 2: Modify your values.yaml file

Apply the role and permission changes to your organization’s values.yaml file. For example:

1astronomer:
2  houston:
3    config:
4      roles:
5        DEPLOYMENT_EDITOR:
6          permissions:
7            deployment.images.push: false

In the same way you can remove permissions from a particular role by setting a permission to :false, you can add permissions to a role at any time by setting a permission to :true.

For example, if you want to allow any DEPLOYMENT_VIEWER (and therefore WORKSPACE_VIEWER) to push code directly to any Airflow Deployment within a Workspace, you’d specify the following:

1astronomer:
2  houston:
3    config:
4      roles:
5        DEPLOYMENT_VIEWER:
6          permissions:
7            deployment.images.push: true

Push the configuration change to your platform. See Apply a config change.

Example customization: Limit Workspace creation

Unless otherwise configured, a user who creates a Workspace on Astro Private Cloud is automatically granted the WORKSPACE_ADMIN role and can create an unlimited number of Airflow Deployments within that Workspace. For organizations looking to more strictly control resources, Astro Private Cloud supports limiting the Workspace creation function through the USER role.

Astro Private Cloud includes a USER role that is synthetically bound to all users within the Control plane. By default, this role includes the system.workspace.create permission.

If you’re a System Admin who wants to limit Workspace creation, you can:

  • Set the system.workspace.create permission for the USER role to false
  • Attach the system.workspace.create permission to a separate role of your choice

You might want limit this permission to the SYSTEM_ADMIN role on the platform, because System Admins can be responsible for managing cluster-level resources and costs. To reassign this permission to System Admins, your values.yaml would appear similar to the following example:

1astronomer:
2  houston:
3    config:
4      roles:
5        SYSTEM_ADMIN:
6          permissions:
7            system.workspace.create: true
8        USER:
9          permissions:
10            system.workspace.create: false