Team Management
New as of 1.2
teams:app-add <team> [<app> ...] # add an app to a team
teams:app-remove <team> [<app> ...] # remove an app from a team
teams:command-add <team> [<command> ...] # allow a team to access access specific command(s)
teams:command-remove <team> [<command> ...] # remove team access to specific command(s)
teams:create <team> # create a team
teams:destroy <team> # destroy a team
teams:list # list all teams
teams:member-add <team> [<user> ...] # add a user to a team
teams:member-remove <team> [<user> ...] # remove a user from a team
teams:owner-add <team> [<user> ...] # add a team owner
teams:owner-remove <team> [<user> ...] # remove a team owner
teams:service-add <team> [<service-type> <service>] # add a service to a team
teams:service-remove <team> [<service-type> <service>] # remove a service from a team
teams:team-report <team> # display a report about a team
teams:whoami # outputs current user
teams:whois <user> # outputs user informaton
Usage
The team
plugin can be used to control user access to specific commands on apps and services. While the core Dokku project has native support for the team plugin, not all community plugins do, and those will need to be updated in order to take advantage of the team system. Please read the plugin development documentation for more information.
The team plugin can also be disabled safely if it is not desired.
How does it work
Dokku Pro's team system is made of the following objects:
- Teams: Teams are groups of users that are granted permissions to perform commands against apps and services.
- Admins: A special team of users that have full access to the entire Dokku system.
- Owners: A team can have one or more owners. Owners can add and remove other owners from teams, as well as adminster team membership. Owners do not have access to commands, apps, or services a member would, but they can grant themselves membership in their own teams in order to do so.
- Members: Team members have access to commands against apps and services granted by teams.
- Commands: Almost all dokku commands can be added or removed from teams, and combining them with apps and services allows users to execute actions in the system.
- Apps: Dokku apps can be added or removed from teams, and are used in combination with the commands assigned to teams in order to limit actions taken in the system.
- Services: Dokku services can be added or removed from teams, and are used in combination with the commands assigned to teams in order to limit actions taken in the system. All official datastore plugins are supported as services by Dokku Pro.
To show how the system might work, here are a few hypothetical teams:
- Team Name: "elevated-access"
- Owners:
camila
- Members:
jose
,michael
- Commands:
*
- Apps:
*
- Services:
*
- Owners:
- Team Name: "restricted-users"
- Owners:
camila
- Members:
eli
,danielle
- Commands:
git-*
,postgres:create
,apps:list
- Apps:
node-js-app
- Services:
- Owners:
- Team Name: "fancy-users"
- Owners:
camila
- Members:
eli
- Commands:
git-*
,apps:*
- Apps:
ruby-app
- Services:
- Owners:
With the above setup, the following holds true:
- Both the
jose
andmichael
users can perform almost every action1 in the system. - The users
eli
anddanielle
can performgit-*
operations for thenode-js-app
app - necessary for deployments - as well as create postgres databases and list thenode-js-app
. - The
eli
user will additionally see theruby-app
in their output, and can also perform git actions as well as any action in theapps:
command-space for theruby-app
.apps:
commands that do not require app access - such as app creation viaapps:create
- will also be available to theeli
user. - Finally, if the users
jose
,michael
, andeli
create apps - as allowed by their list of allowed commands - they become owners of those apps and can perform all app-specific commands against those apps.
Team permissions restrict commands to apps and services, ensuring that users do not escalate permissions to things they shouldn't by being added to groups that have access to non-overlapping resources with a different set of available commands.
Installing the teams plugin
Before usage, the teams plugin must be installed via the following commands:
# make the plugin available for dokku
dokku-pro teams:install
# enable the plugin in dokku
dokku plugin:enable teams
# enable integration with dokku
dokku teams:enable
Warning
As of Dokku Pro 1.2.x, there is a bug in creating cache directories used by the teams plugin. This can be worked around by running mkdir -p /var/lib/dokku/data/teams && chown dokku:dokku /var/lib/dokku/data/teams
as the root
user on your host.
While installing the plugin and enabling it in Dokku exposes cli commands for usage with Dokku, the teams:enable
command must also be triggered in order to:
- setup custom triggers that add/remove teams when apps or services are created
- integrate with the authentication system in Dokku and official Dokku plugins
- setup the initial
dokku@admin
team - create app-specific teams (without any initial users or owners) for each existing app
Note
The "doku@admin" team is a special team that grants access to all commands for all apps and services. When teams:enable
is triggered for the first time, all existing users - as specified by the ssh-keys
plugin - will be migrated into the dokku@admin
team if the team does not exist. Users added via the initial web ui will also be added to the dokku@admin
group. Permissions for the dokku@admin
team cannot be changed.
Checking the currently logged in user
Note
Users will always be able to check who they are via the teams:whoami
command.
The teams:whoami
command can be used to get information about the current user. This will include the user's name as well as all teams they are currently associated with.
=====> root user information
User app membership:
User app ownership:
User is global admin: true
User membership: elevated-access
User ownership: elevated-access
User service membership:
User service ownership:
Username: root
A single field can be shown using the corresponding flag:
# show only the username
dokku teams:whoami --username
# show only the user membership, space-delimited
dokku teams:whoami --user-membership
Finally, the output can be shown in json. Note that the membership and ownership values will be a single string, space-delimited, rather than an array.
Checking a specific user
Note
This command can only be performed if the specified user is the current user or by a global admin.
The teams:whois
command can be used to get information about a given user. This will include the user's name as well as all teams they are currently associated with.
=====> root user information
User app membership:
User app ownership:
User is global admin: true
User membership: elevated-access
User ownership: elevated-access
User service membership:
User service ownership:
Username: root
Users that do not exist will not error, but their permissions will also be empty.
A single field can be shown using the corresponding flag:
# show only the username
dokku teams:whois root --username
# show only the user membership, space-delimited
dokku teams:whois root --user-membership
Finally, the output can be shown in json. Note that the membership and ownership values will be a single string, space-delimited, rather than an array.
Listing teams
Teams can be listed using the teams:list
command. This will only include teams the currently logged in user is has access to. For non-owners, this will include only those teams they are part of.
Logged in admins will see all teams that are available on the server, whether or not they are part of the team.
Creating teams
Note: There are a few special team types:
dokku@admin
: Global admin usersdokku@app--${APP}
: Managed automatically on a per-app basis.dokku@service--${SERVICE_TYPE}-${SERVICE}
: Managed automatically on a per-service basis.Custom team names must therefore not include the prefix
dokku@
.
A team can be created by user in the admin
group via the teams:create
command.
The user that created the team will be set as the team's owner.
Destroying teams
A team can be destroyed by either an admin or a team owner via the teams:destroy
command.
! WARNING: Potentially Destructive Action
! This command will destroy the team elevated-access.
! To proceed, type "elevated-access"
> elevated-access
Destroying elevated-access
Attempting to destroy a team that does not exist or where the current user does not have access to that team will result in an error.
Team Management
Adding owners to a team
Admins and team owners can administrate permissions and membership for a given team. To add new owners, use the teams:owners-add
command.
Removing owners from a team
Admins and team owners can remove owners via the teams:owners-remove
command.
Teams must have at least one admin. Attempting to remove all admins will result in an error.
Adding a user to a team
Adding a user to a team via the teams:member-add
command will allow that user to access anything allowed to that team.
Users can be a part of multiple teams, allowing overlapping permissions to enhance the access a particular user has.
Removing a user from a team
Removing a user from a team via the teams:user-remove
command will remove access to anything not covered by other team permissions
Command Management
Commands must be whitelisted before a team can run the command. Attempting to execute a command that is not whitelisted will result in an error.
Admin Only commands
For security reasons, the following commands may only be performed by an admin. Changes to this list is subject to updates as Dokku and Dokku Pro change over time.
- domains:add-global
- domains:clear-global
- domains:remove-global
- domains:set-global
- events
- events:list
- events:off
- events:on
- git:allow-host
- git:auth
- logs:vector-start
- logs:vector-stop
- network:create
- network:destroy
- network:exists
- network:info
- network:list
- network:rebuildall
- shell
- trace:on
Additionally, any command invocation with the --global
flag will only be executable by an admin.
Allowing access to specific commands
Note
Only admins can add commands to a team.
Command access can be granted to teams by utilizing the teams:commands-add
command.
Commands can also be globbed via the *
operator. If specified, the entry is taken as a POSIX regex for command matching. This can be used to whitelist all commands or even a subset for a given plugin.
If a team does not have commands added, then members of the team will not be allowed to perform any commands on an app or service, regardless of other permissions.
Removing access to specific commands
If a command was previously added to a team, it can be removed via the teams:commands-remove
command.
Commands are taken as a literal string when matching against any commands currently associated with a team.
App Access
By default, teams do not have access to specific apps. Any command that acts upon an app will not be executable, and will throw an opaque error - meaning, it will not indicate if the app exists or not - if the app has not been added to a specific team.
Allowing access to specific apps
Note
Only admins can add apps to a team.
Apps can be added to specific teams via the teams:app-add
command.
Non-existent apps can be specified for the teams:app-add
command. This allows the ability to pre-configure permissions for teams prior to the initial setup of an app. As a result, app permissions are not removed from teams when an app is deleted. Permissions do, however, persist through clones and renames.
Finally, the special *
operator can be used to add access to all apps. This is not treated as a regex, and will override any other apps currently attached to a team.
Removing access to specific apps
Apps can be removed from specific teams via the teams:app-remove
command.
Finally, the special *
operator can also be removed from a given team.
Service Access
Service plugins can also take advantage of the team system. Services do not need to be whitelisted in Dokku core, and simply need to use the appropriate service "namespace" for access control. See the plugin development documentation for more details.
If the service plugin supports the team system and a user does not have access to the service, an opaque error message - meaning, it will not indiciate if the service exists or not - will be returned.
Allowing access to a service
Note
Only admins can add services to a team.
A service can be added to a team via the teams:service-add
command. This takes a "service-type" and the name of a service.
Non-existent services can be specified for the teams:service-add
command. This allows the ability to pre-configure permissions for teams prior to the initial setup of a service. As a result, service permissions are not removed from teams when a service is deleted.
All services within a service-type can be allowed access via the *
operator. This is not treated as a regex, and thus cannot be combined with other characters. Note that adding the *
operator to a team will override any other services of that service type currently attached to a team.
Finally, all services for all service types can be whitelisted by specifying only a *
operator for the service-type argument. This is not treated as a regex, and thus cannot be combined with other characters. Note that adding the *
operator to a team will override any other service settings associated with a team.
Removing access to a service
A service can be added to a team via the teams:service-remove
command. This takes a "service-type" and the name of a service.
The *
operator can also be removed from a team in the same way it was added to the team.
Displaying reports for a team
Global admins can get a report about a specific team using the teams:team-report
command:
=====> dokku@admin team information
Team apps:
Team commands:
Team is internal: true
Team is internal app team: false
Team is internal service team: false
Team members:
Team name: dokku@admin
Team owners: admin1 default
Team services:
You can pass flags which will output only the value of the specific information you want. For example:
Integrating custom plugins
A plugin that wishes to implement the team system can trigger any of the following plugin triggers:
plugn trigger user-auth SSH_USER SSH_NAME COMMAND
: Exits with an error message if the user does not have access to the command. This is used for commands that do not interact with a specific app or service.plugn trigger user-auth-app SSH_USER SSH_NAME APP
: Exits with an opaque error message if the user does not have access to the app.plugn trigger user-auth-service SSH_USER SSH_NAME SERVICE_TYPE SERVICE_NAME
: Exits with an opaque error message if the user does not have access to the service.
Each plugin will need to implement these triggers before any logic is executed. Plugins should avoid calling the dokku
binary directly, as there is no guarantee that a command will be available to a user, and thus commands that mutate state may partially fail.
The following triggers are already implemented in Dokku core:
user-auth
: Implemented within the dokku binary itself.user-auth-app
: Implemented by any plugin that callscommon.DokkuApps()
(golang) ordokku_apps
(shell)
-
As denoted in the
Admin Only commands
section, some commands require global administrative access in order to be performed by users. ↩