Entitlement Prerequisites
This page describes what you need to have in place before managing entitlements.
Entitlements are managed through the kdb Insights Enterprise CLI using the entitlement command.
Before managing entitlements, ensure the following is in place:
- The latest kdb Insights Enterprise CLI is installed.
- You have a running instance of kdb Insights Enterprise.
- You can authenticate using a service or user account with one of the following roles:
  - The `insights.entitlements.edit` role, which is included in the `Maintainer` pre-configured high-level role.
    Note: You are allowed to edit only the entitlements of entities you own.
  - The `insights.entitlements.admin` role, which is included in the `Administrator` pre-configured high-level role.
    Note: You are allowed to edit the entitlements of all entities.
- Entitlements are enforced.
- Encryption in transit is turned on for additional security.
Enforce entitlements
By default, entitlements are not enforced, so all users can view and interact with all packages, and query all data from deployed databases, in a kdb Insights Enterprise instance.
Users with deployment access to the cluster and with the Administrator role can enforce entitlements in one of two ways:
- Add the `--enable-entitlements` option to the `kxi install` command, OR
- Update the deployment values
Add the --enable-entitlements option to the kxi install command
Run one of the following commands:
- On a new deployment:
  ```bash
  kxi install run --enable-entitlements
  ```
- On an upgrade:
  ```bash
  kxi install upgrade --enable-entitlements
  ```
Update the deployment values
- Edit the `values.yaml` file as outlined below for the Standard and Shared Keycloak deployments.

  Warning: The values below are a partial extract of your deployment values. These must be merged with your existing values file.
  For more information, refer to Applying configuration changes.

  Standard Deployment

  A standard deployment deploys Keycloak as part of the application. If you're using this configuration, ensure your values file includes the details shown below.
  The names `kxi-keycloak` and `kxi-postgresql` are the default values; update these as appropriate.

  ```yaml
  global:
    entitlements:
      enabled: true
    keycloak:
      auth:
        existingSecret: kxi-keycloak
    cnpg:
      auth:
        existingSecret: kxi-postgresql
    # ..
  keycloak:
    auth:
      existingSecret: kxi-keycloak
    postgresql:
      auth:
        existingSecret: kxi-postgresql
    # ..
  ```

  Warning: There are two sets of `keycloak` and `postgres` objects: `global.keycloak`, `global.postgresql`, `keycloak`, `keycloak.postgresql`. Both sets are required as shown above.

  Shared Keycloak

  If deploying using the shared Keycloak mode, configure the values file as below. Ensure the `kxi-ent-srv.externalDatabase.host` value points to the Kubernetes service for the Postgresql database deployed with the shared Keycloak instance.
  The `KEYCLOAK_RELEASE_NAME` and `KEYCLOAK_NAMESPACE` variables should be updated to match those of your Keycloak deployment. The shared Keycloak docs explain each of these values.

  ```yaml
  global:
    entitlements:
      enabled: true
    keycloak:
      authURL: http://${KEYCLOAK_RELEASE_NAME}.${KEYCLOAK_NAMESPACE}.svc.cluster.local/auth/
      auth:
        existingSecret: kxi-keycloak
    cnpg:
      auth:
        existingSecret: kxi-postgresql
    # ..
  kxi-ent-srv:
    enabled: true
    externalDatabase:
      host: ${KEYCLOAK_RELEASE_NAME}-postgresql.${KEYCLOAK_NAMESPACE}.svc.cluster.local
  ```

- Run the upgrade command with `$INSIGHTS_VERSION` set to your target application version.

  ```bash
  kxi install upgrade --filepath values.yaml --version $INSIGHTS_VERSION
  ```
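The merge requirement and the key sets in the two values extracts above can be checked before running the upgrade. The following is an added example, not code from kdb Insights Enterprise or its documentation: it deep-merges the partial extract into existing values and reports anything that would leave entitlements off or a required key missing. It assumes the YAML files have already been parsed into Python dicts, that `${...}` variables are substituted by hand before the upgrade, and that `existingSetting` and `otherSetting` are hypothetical keys standing in for your current values.

```python
SECRET = "auth.existingSecret"
REQUIRED = {  # key paths taken from the two YAML extracts on this page
    "standard": ["global.keycloak." + SECRET, "global.cnpg." + SECRET,
                 "keycloak." + SECRET, "keycloak.postgresql." + SECRET],
    "shared": ["global.keycloak.authURL", "global.keycloak." + SECRET,
               "global.cnpg." + SECRET, "kxi-ent-srv.externalDatabase.host"],
}

def deep_merge(base, extract):
    """Return base with extract merged in recursively, so nested keys in base survive."""
    merged = dict(base)
    for key, value in extract.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged

def lookup(values, dotted):
    """Walk a dotted path such as 'global.keycloak.auth'; None if any step is missing."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def preflight(values, mode):
    """List problems; a leftover ${...} counts as unsubstituted (assumption of this example)."""
    problems = []
    if lookup(values, "global.entitlements.enabled") is not True:
        problems.append("global.entitlements.enabled is not boolean true")
    if mode == "shared" and lookup(values, "kxi-ent-srv.enabled") is not True:
        problems.append("kxi-ent-srv.enabled is not boolean true")
    for path in REQUIRED[mode]:
        value = lookup(values, path)
        if not isinstance(value, str) or not value or "${" in value:
            problems.append(f"{path} is missing, empty or still a ${{...}} placeholder")
    return problems

# Constructed sample: hypothetical existing values plus the standard-deployment extract.
EXISTING = {"global": {"existingSetting": "keep-me"}, "keycloak": {"otherSetting": 1}}
EXTRACT = {"global": {"entitlements": {"enabled": True},
                      "keycloak": {"auth": {"existingSecret": "kxi-keycloak"}},
                      "cnpg": {"auth": {"existingSecret": "kxi-postgresql"}}},
           "keycloak": {"auth": {"existingSecret": "kxi-keycloak"},
                        "postgresql": {"auth": {"existingSecret": "kxi-postgresql"}}}}
if __name__ == "__main__":
    print(preflight(deep_merge(EXISTING, EXTRACT), "standard"))
```

A top-level-only merge such as `{**EXISTING, **EXTRACT}` would replace the whole `global` and `keycloak` mappings and drop the settings already there, which is why the merge is recursive.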
Add users to groups
Entitlements are configured at the group level, not per individual user. Therefore, before defining any entitlements, you must:
- Create the necessary groups.
- Add users and service accounts to those groups.
Refer to Data Entitlements Quickstart for information about setting up groups, users, and service accounts.
Next steps
Provide entitlements to user groups using the following guides:
- Configuration details