Access Control is how Rancher limits the users who have the access permissions to your Rancher instance. By default, Access Control is not configured. This means anyone who has the IP address of your Rancher instance will be able to use it and access the API. Your Rancher instance is open to the public! We highly recommend configuring Access Control soon after launching Rancher. Upon enabling Access Control, you can share your Rancher instance with whom you wish. They will be required to authenticate to the instance before being able to access it. The API becomes accessible only to those who have the valid API keys to the instance.
The first account that authenticates with Rancher will become the admin of the account. For more information, see permissions of an admin.
In the Admin tab, click Access Control.
After authenticating your Rancher instance, Access Control will be considered enabled. With Access Control enabled, you will be able to manage different environments and share them with different groups of people.
When Access Control is enabled, the API is locked and requires either being authenticated as a user or by using an API key to access it.
Select the Active Directory icon. If you want to use Active Directory using TLS, ensure that you have started Rancher server with the appropriate certificate. Fill in the sections and authenticate Rancher by clicking Authenticate. When Active Directory is enabled, you’ll automatically be logged in as the username that was authenticated. You will also be logged in as an admin of Rancher.
Select the Azure AD icon. Fill in the sections and authenticate Rancher by clicking Authenticate with Azure. When Active Directory is enabled, you’ll automatically be logged in as the username that was authenticated. You will also be logged in as an admin of Rancher.
Select the GitHub icon and follow the directions in the UI to register Rancher as a GitHub application. After clicking Authenticate with GitHub, Access Control is enabled and you are automatically logged into Rancher with your GitHub login credentials and as an admin of Rancher.
Local authentication allows you to create your own set of accounts that is saved in the Rancher database.
Select the Local icon. Create an admin user by providing the Login Username, Full Name, and Password. Click Enable Local Auth to turn on local authentication. By clicking this button, the admin is created and saved in the database. You are automatically logged into the Rancher instance as the admin account that was just created.
Select the OpenLDAP icon. If you want to use a OpenLDAP using TLS, ensure that you have started Rancher server with the appropriate certificate. Fill in the sections and authenticate Rancher by clicking Authenticate. When OpenLDAP is enabled, you’ll automatically be logged in as the username that was authenticated. You will also be logged in as an admin of Rancher.
Select the Shibboleth icon. Fill in the configuration for the Shibboleth account, Save the information and Test that access control is working.
With Shibboleth, there are some known issues that you should be aware of if you are configuring to validate against it.
Depending on your authentication type, Rancher provides different levels of site access.
If you have authenticated with AD or GitHub, there will be 3 options available.
Anyone with the permissions for the Rancher instance will be given user permissions. They will not be able to view the Admin tab. You would explicitly need to change their account to be an admin account.
For Azure AD and OpenLDAP, any user that is a member of your setup will be able to access the Rancher site.
Once local authentication is enabled, the admin can create additional admins/users by accessing the Admin > Accounts tab. Click Add Account and fill in the details of the account you want to add. You can select their account type as an Admin or User. An admin has the ability to view the Admin tab while users of Rancher instance would not have the visibility to the tab.
Once an account has been created, the admin/user can be added to any environments.
The account type determines whether or not an account will have access to the admin tab. For each environment in Rancher, there are membership roles that provide different level of access for a specific environment.
The first user that authenticates Rancher becomes an admin of Rancher. Only admins will have permissions to view the Admin tab.
When managing environment, admins have the ability to view all the environments in Rancher even if the admin is not added as a member to the environment. In an admin’s environment drop-down menu, the members will only see the environments that they are on the membership list.
Admins can add other users to be an admin of Rancher. They can change a user’s role on the Admin > Accounts page after the user has logged into Rancher. In the Admin > Accounts tab, click Edit next to the account name and change the account type to Admin. Click Save.
Besides the user that authenticates Rancher, any other user will automatically be added with user permissions. They will not be able to see the Admin tab.
They will only be able to view the environments that they are members of.
If you decide that you no longer want Access Control, click the Disable access control button. This will make your Rancher instance open to the public and anyone can access your API. This is not recommended.