Impersonate
To test configurations and permissions, Loft provides a feature to impersonate users within the Loft UI and see everything through the eyes of a specific users. This is very useful if you want to check if a user has permissions to access an object.
Enable Impersonation
To enable impersonation, make sure the user has appropriate permissions, only Loft management
admins and users that have the management role Impersonator assigned, can impersonate other users.
- Select the Users field on the left menu bar.
- In the user row you want to impersonate, select Impersonate
- To stop impersonation, either press Logout or click on the Stop Impersonation button at the top.
Example Cluster Access And Impersonation
The following is a very basic example of using impersonation to validate a users access. This is a somewhat contrived example for demonstration purposes! For your production deployments make sure you are taking advantage of Projects when considering your RBAC strategy!
1. Create Test User
Loft lets you connect a variety of SSO providers for authentication but for the sake of simplicity, let's just manually create a user to learn more about Loft's cluster access features:
- Select the Users field on the left menu bar.
- Click the button.
- In the drawer that appears from the right, give your new user a name of Annaby replacing the 'my-user' placeholder name, or by updating the manifest YAML 'metadata. name' field.
- Click on the button.
- Close the popup using the button
Remember: Everything you do in Loft UI, including creating a user, is effectively a kubectl command under the hood. So, everything you do in this guide creates or changes objects in your cluster and you could also manage these actions via kubectl or any kind of GitOps tool.
2. Impersonate User
Loft allows admins with appropriate RBAC permissions to impersonate users. Let's try this to see how Loft UI would look like for our newly created user:
- Select the Users field on the left menu bar.
- Find the user `Anna` in the list of users. Hover over the blue drop down arrow in the Display Name column and click on the button to Impersonate the user.
- In the popup, click on the button to confirm that you want to start impersonation.
- After impersonation has started, go to the Clusters view using the main menu on the left.
- Verify that Anna has no access to any clusters (this user should not see any clusters listed in the Clusters display pane).
You can also use the Loft CLI as the impersonated user, to do this, simply run the following command while the impersonation is active.
loft login localhost:9898 --insecure # or use your loft.domain.tld instead of localhost, and ideally with a valid SSL cert and without the --insecure flag
You can verify the login and print your user information via:
loft login
3. Configure Cluster Access
Let's give our test user Anna access to one of the clusters connected to this Loft instance:
You can connect a variety of SSO providers to Loft. To automatically give users access to clusters based on their SSO user groups, you can switch to the Team Members tab to grant cluster access for each member of a team (e.g. for each member of a group in Active Directory, Okta, SAML, etc.), check out the SSO Group Sync section for more details.
4. Verify Cluster Access
After configuring the cluster access for test user Anna, let's verify that she can access the cluster:
- Select the Users field on the left menu bar.
- Find the user `Anna` in the list of users. Hover over the blue drop down arrow in the Display Name column and click on the button to Impersonate the user.
- In the popup, click on the button to confirm that you want to start impersonation.
- After impersonation has started, go to the Clusters view using the main menu on the left.
- Verify that Anna now has access to the clusters specified in the previous step.
With access to a cluster, users can typically:
Loft allows you to: