Orka 3.0: Understanding the New User Management System
Orka 3.0 user management has been completely overhauled to meet the needs of our enterprise customers worldwide. In this article we'll focus on the new user management system in Orka 3.0, including how it works and what problems it solves.
The recently released Orka 3.0, MacStadium's virtualization platform for macOS, brings many updated features, including a new and improved way to manage users. The MacStadium team has listened to our customers and made large improvements to this feature compared with earlier versions of Orka.
The Challenges Faced in Orka 2.x
Orka has come a long way from its initial release. We continue to push the boundaries and improve Orka with each update to ensure ease of use and excellent value from our solutions. In older versions of Orka, there were many challenges relating to user management, including:
- A custom-built system that was hard to extend and maintain.
- Limiting users to only one cluster. Customers were not able to reuse users across multiple clusters.
- No admin users. Anyone holding the special license key could run admin operations, so there was no way to restrict who could administer the cluster.
- User tokens did not expire. The only way to invalidate a token was to revoke it, so a leaked or forgotten token stayed valid until someone noticed and revoked it.
- Users had to use their own credentials in integrations such as Jenkins, so an integration broke whenever the team member whose credentials it used left.
- No distinct roles or permissions to assign to different types of users, limiting or extending access based on their needs.
Enter Orka 3.0
Orka 3.0 solves the user management challenges of prior versions by introducing a centralized user management system built on the standard Kubernetes authentication and authorization flow, which DevOps teams already know.
With this new system, authentication (establishing who a user is) moves outside the Orka cluster and is handled by the MacStadium Portal. Authorization (what that user may do) is enforced inside the cluster itself with Kubernetes RBAC.
This new structure paves the way for future features and upgrades to the Orka user management process. (For example, RBAC could be exposed so users have more granular control over permissions in the future.)
In Orka 3.0, users are added and removed through the MacStadium Portal. Each user must be invited to your MacStadium Portal account so that they may be assigned the proper access level:
Admin - Gives users admin permissions inside the Portal and the Orka cluster. This category is typically for the DevOps team and users responsible for managing access and grouping permissions in the cluster.
Tech - Gives users tech permissions inside the Portal and provides standard dev (non-admin) permissions in the Orka cluster. This category typically includes standard dev users.
Billing - Does not provide permissions to the Orka cluster and is reserved for users who will not have access to the platform, such as billing or account managers.
Orka Cluster Login
Once a user has been added to your MacStadium Portal account and assigned an Orka role, they can use the new Orka CLI (orka3) to log in to the Orka cluster. To do that, users need to:
1. Connect to the VPN providing access to the cluster
2. Set up the orka3 CLI and run the login command:
3. Use the Portal credentials to log in to the system
Once logged in, the user receives a JWT that expires after 60 minutes; after that, the user must log in again to obtain a new one.
Orka 3.0 leverages Kubernetes Service Accounts so that integrations can be set up with their own credentials; users no longer have to use their own credentials to manage integrations. This eliminates the need to maintain old logins attached to an integrated service, or to restore integrations when a team member leaves.
When setting up an integration that requires Orka credentials, users can create a new Service Account and use its token instead.
For example, to do this with Jenkins, run the following commands:
This will create a new Service Account called “sa-jenkins” and generate a token that can be used to authenticate the integration. Treat this token as a credential: store it in the integration's secret store (for Jenkins, a credential entry), not in job configuration or source control. The token is valid for 1 year by default; the duration can be set at creation time like this:
Once the Service Account is deleted, all of its tokens are automatically invalidated, so deleting the account is how you cut off an integration that is no longer needed, even before its token expires.
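The page states that user tokens are JWTs with a 60-minute lifetime and that Service Account tokens default to 1 year, but it does not show what either token looks like. The following is an added example, not code from MacStadium or the orka3 CLI: a small JWT inspector a practitioner can run on a token before handing it to Jenkins, to see the subject, the lifetime encoded in the `iat`/`exp` claims, how much validity remains, and whether the token has an expiry at all (the Orka 2.x situation). It assumes standard JWT claims (`sub`, `iat`, `exp`) and the Kubernetes convention that Service Account subjects start with `system:serviceaccount:<namespace>:<name>`; the namespace `orka-default`, the user name and the timestamps in the samples are constructed here. It does not verify signatures; the cluster remains the only authority on whether a token is valid, and in particular this check cannot tell you that a Service Account has been deleted.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT.

    Inspection only: the signature is NOT verified, so never use this to decide
    whether to trust a token. That decision belongs to the cluster.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ", "JWT") != "JWT":
        raise ValueError(f"unexpected token type {header.get('typ')!r}")
    return json.loads(_b64url_decode(parts[1]))


def token_status(token: str, now: Optional[float] = None) -> dict:
    """Summarise subject, lifetime and remaining validity of a JWT at time `now`."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    iat = claims.get("iat")
    exp = claims.get("exp")
    sub = claims.get("sub", "")
    remaining = None if exp is None else exp - now
    return {
        "subject": sub,
        # Kubernetes Service Account tokens carry this subject prefix (assumption:
        # the page does not show Orka's subject format).
        "kind": "service-account" if sub.startswith("system:serviceaccount:") else "user",
        "has_expiry": exp is not None,
        "lifetime_seconds": None if exp is None or iat is None else exp - iat,
        "remaining_seconds": remaining,
        "expired": remaining is not None and remaining <= 0,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature segment.

    Real tokens are signed by the issuer; this helper exists only so the samples
    below can be generated offline. Never accept alg=none tokens in a verifier.
    """
    header = {"alg": "none", "typ": "JWT"}
    return (
        f"{_b64url_encode(json.dumps(header).encode())}."
        f"{_b64url_encode(json.dumps(claims).encode())}."
    )


# Constructed samples (not real Orka tokens): an issue time, a 60-minute user
# token, a 1-year Service Account token, and a legacy-style token with no expiry.
T0 = 1_700_000_000
USER_TOKEN = make_unsigned_token({"sub": "jane@example.com", "iat": T0, "exp": T0 + 60 * 60})
SA_TOKEN = make_unsigned_token({
    "sub": "system:serviceaccount:orka-default:sa-jenkins",  # namespace is assumed
    "iat": T0,
    "exp": T0 + 365 * 24 * 60 * 60,
})
LEGACY_TOKEN = make_unsigned_token({"sub": "jane@example.com"})  # no exp claim

if __name__ == "__main__":
    for name, tok in [("user", USER_TOKEN), ("service account", SA_TOKEN), ("legacy", LEGACY_TOKEN)]:
        print(name, token_status(tok, now=T0 + 30 * 60))
```

Run it against a token you have just obtained from `orka3` by replacing one of the sample strings; the `remaining_seconds` field is the quickest way to confirm you are looking at a short-lived user token rather than a long-lived Service Account token before pasting it into an integration.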
Orka 3.0 does not provide direct access to RBAC (yet!), but it does allow admins to manage subjects in well-known RoleBindings, which provide access to different namespaces. We’ll cover how to manage namespaces and these RoleBindings in a future article. Stay tuned!
With the rollout of a centralized user management system in Orka 3.0, users have a streamlined experience in the MacStadium Portal.
Want to see more features of Orka 3.0? Check out our Orka 3.0 overview!