Start rbac upgrade to deploy dir (#282)

Author: gbarr01

deploy/access-control/access-control-design-ee-advanced.md

@@ -0,0 +1,142 @@
+---
+title: Access control design with Docker EE Advanced
+description: Learn how to architect multitenancy with Docker Enterprise Edition Advanced.
+keywords: authorize, authentication, users, teams, groups, sync, UCP, role, access control
+redirect_from:
+- /ucp/
+ui_tabs:
+- version: ucp-3.0
+  orhigher: true
+- version: ucp-2.2
+  orlower: true
+---
+
+{% if include.ui %}
+
+
+{% if include.version=="ucp-3.0" %}
+This topic is under construction.
+
+{% elsif include.version=="ucp-2.2" %}
+[Collections and grants](index.md) are strong tools that can be used to control
+access and visibility to resources in UCP.
+
+The previous tutorial, [Access Control Design with Docker EE
+Standard](access-control-design-ee-standard.md), describes a fictional company
+called OrcaBank that has designed a resource access architecture that fits the
+specific security needs of their organization. Be sure to go through this
+tutorial if you have not already before continuing.
+
+In this tutorial, OrcaBank's deployment model adds a staging zone. Instead of
+moving developed applications directly in to production, OrcaBank now deploys
+apps from their dev cluster to staging for testing before deploying to
+production. OrcaBank has very stringent security requirements for production
+applications. Its security team recently read a blog post about DevSecOps and is
+excited to implement some changes. Production applications aren't permitted to
+share any physical infrastructure with non-Production infrastructure.
+
+In this tutorial OrcaBank uses Docker EE Advanced features to segment the
+scheduling and access control of applications across disparate physical
+infrastructure. [Node Access Control](access-control-node.md) with EE Advanced
+licensing allows nodes to be placed in different collections so that resources
+can be scheduled and isolated on disparate physical or virtual hardware
+resources.
+
+## Team access requirements
+
+As in the [Introductory Multitenancy Tutorial](access-control-design-ee-standard.md)
+OrcaBank still has three application teams, `payments`, `mobile`, and `db` that
+need to have varying levels of segmentation between them. Their upcoming Access
+Control redesign will organize their UCP cluster in to two top-level collections,
+Staging and Production, which will be completely separate security zones on
+separate physical infrastructure.
+
+- `security` should have visibility-only access across all
+  applications that are in Production. The security team is not
+  concerned with Staging applications and thus will not have
+  access to Staging
+- `db` should have the full set of operations against all database
+  applications that are in Production. `db` does not manage the
+  databases that are in Staging, which are managed directly by the
+  application teams.
+- `payments` should have the full set of operations to deploy Payments
+  apps in both Production and Staging and also access some of the shared
+  services provided by the `db` team.
+- `mobile` has the same rights as the `payments` team, with respect to the
+  Mobile applications.
+
+## Role composition
+
+OrcaBank will use the same roles as in the Introductory Tutorial. An `ops` role
+will provide them with the ability to deploy, destroy, and view any kind of
+resource. `View Only` will be used by the security team to only view resources
+with no edit rights. `View & Use Networks + Secrets` will be used to access
+shared resources across collection boundaries, such as the `db` services that
+are offered by the `db` collection to the other app teams.
+
+![image](../images/design-access-control-adv-0.png){: .with-border}
+
+
+## Collection architecture
+
+The previous tutorial had separate collections for each application team.
+In this Access Control redesign there will be collections for each zone,
+Staging and Production, and also collections within each zone for the
+individual applications. Another major change is that Docker nodes will be
+segmented themselves so that nodes in Staging are separate from Production
+nodes. Within the Production zone every application will also have their own
+dedicated nodes.
+
+The resulting collection architecture takes the following tree representation:
+
+```
+/
+├── System
+├── Shared
+├── prod
+│   ├── db
+│   ├── mobile
+│   └── payments
+└── staging
+    ├── mobile
+    └── payments
+```
+
+## Grant composition
+
+OrcaBank will now be granting teams diverse roles to different collections.
+Multiple grants per team are required to grant this kind of access. Each of
+the Payments and Mobile applications will have three grants that give them the
+operation to deploy in their production zone, their staging zone, and also the
+ability to share some resources with the `db` collection.
+
+![image](../images/design-access-control-adv-grant-composition.png){: .with-border}
+
+## OrcaBank access architecture
+
+The resulting access architecture provides the appropriate physical segmentation
+between Production and Staging. Applications will be scheduled only on the UCP
+Worker nodes in the collection where the application is placed. The production
+Mobile and Payments applications use shared resources across collection
+boundaries to access the databases in the `/prod/db` collection.
+
+![image](../images/design-access-control-adv-architecture.png){: .with-border}
+
+### DB team
+
+The OrcaBank `db` team is responsible for deploying and managing the full
+lifecycle of the databases that are in Production. They have the full set of
+operations against all database resources.
+
+![image](../images/design-access-control-adv-db.png){: .with-border}
+
+### Mobile team
+
+The `mobile` team is responsible for deploying their full application stack in
+staging. In production they deploy their own applications but utilize the
+databases that are provided by the `db` team.
+
+![image](../images/design-access-control-adv-mobile.png){: .with-border}
+
+{% endif %}
+{% endif %}

deploy/access-control/access-control-design-ee-standard.md

@@ -0,0 +1,135 @@
+---
+title: Access control design with Docker EE Standard
+description: Learn how to architect multitenancy by using Docker Enterprise Edition Advanced.
+keywords: authorize, authentication, users, teams, groups, sync, UCP, role, access control
+redirect_from:
+- /ucp/
+ui_tabs:
+- version: ucp-3.0
+  orhigher: true
+- version: ucp-2.2
+  orlower: true
+---
+
+{% if include.ui %}
+{% if include.version=="ucp-3.0" %}
+This topic is under construction.
+
+{% elsif include.version=="ucp-2.2" %}
+
+[Collections and grants](index.md) are strong tools that can be used to control
+access and visibility to resources in UCP. This tutorial describes a fictitious
+company named OrcaBank that is designing the access architecture for two
+application teams that they have, Payments and Mobile.
+
+This tutorial introduces many concepts include collections, grants, centralized
+LDAP/AD, and also the ability for resources to be shared between different teams
+and across collections.
+
+## Team access requirements
+
+OrcaBank has organized their application teams to specialize more and provide
+shared services to other applications. A `db` team was created just to manage
+the databases that other applications will utilize. Additionally, OrcaBank
+recently read a book about DevOps. They have decided that developers should be
+able to deploy and manage the lifecycle of their own applications.
+
+- `security` should have visibility-only access across all applications in the
+  swarm.
+- `db` should have the full set of capabilities against all database
+  applications and their respective resources.
+- `payments` should have the full set of capabilities to deploy Payments apps
+  and also access some of the shared services provided by the `db` team.
+- `mobile` has the same rights as the `payments` team, with respect to the
+  Mobile applications.
+
+## Role composition
+
+OrcaBank will use a combination of default and custom roles, roles which they
+have created specifically for their use case. They are using the default
+`View Only` role to provide security access to only see but not edit resources.
+There is an `ops` role that they created which can do almost all operations
+against all types of resources.  They also created the
+`View & Use Networks + Secrets` role. This type of role will enable application
+DevOps teams to use shared resources provided by other teams. It will enable
+applications to connect to networks and use secrets that will also be used by
+`db` containers, but not the ability to see or impact the `db` applications
+themselves.
+
+![image](../images/design-access-control-adv-0.png){: .with-border}
+
+## Collection architecture
+
+OrcaBank will also create some collections that fit the organizational structure
+of the company. Since all applications will share the same physical resources,
+all nodes and applications are built in to collections underneath the `/Shared`
+built-in collection.
+
+- `/Shared/payments` hosts all applications and resources for the Payments
+  applications.
+- `/Shared/mobile` hosts all applications and resources for the Mobile
+  applications.
+
+Some other collections will be created to enable the shared `db` applications.
+
+- `/Shared/db` will be a top-level collection for all `db` resources.
+- `/Shared/db/payments` will be specifically for `db` resources providing
+  service to the Payments applications.
+- `/Shared/db/mobile` will do the same for the Mobile applications.
+
+The following grant composition will show that this collection architecture
+allows an app team to access shared `db` resources without providing access
+to _all_ `db` resources. At the same time _all_ `db` resources will be managed
+by a single `db` team.
+
+## LDAP/AD integration
+
+OrcaBank has standardized on LDAP for centralized authentication to help their
+identity team scale across all the platforms they manage. As a result LDAP
+groups will be mapped directly to UCP teams using UCP's native LDAP/AD
+integration. As a result users can be added to or removed from UCP teams via
+LDAP which can be managed centrally by OrcaBank's identity team. The following
+grant composition shows how LDAP groups are mapped to UCP teams .
+
+## Grant composition
+
+Two grants are applied for each application team, allowing each team to fully
+manage their own apps in their collection, but also have limited access against
+networks and secrets within the `db` collection. This kind of grant composition
+provides flexibility to have different roles against different groups of
+resources.
+
+![image](../images/design-access-control-adv-1.png){: .with-border}
+
+## OrcaBank access architecture
+
+The resulting access architecture shows applications connecting across
+collection boundaries. Multiple grants per team allow Mobile applications and
+Databases to connect to the same networks and use the same secrets so they can
+securely connect with each other but through a secure and controlled interface.
+Note that these resources are still deployed across the same group of UCP
+worker nodes. Node segmentation is discussed in the [next tutorial](#).
+
+![image](../images/design-access-control-adv-2.png){: .with-border}
+
+### DB team
+
+The `db` team is responsible for deploying and managing the full lifecycle
+of the databases used by the application teams. They have the full set of
+operations against all database resources.
+
+![image](../images/design-access-control-adv-3.png){: .with-border}
+
+### Mobile team
+
+The `mobile` team is responsible for deploying their own application stack,
+minus the database tier which is managed by the `db` team.
+
+![image](../images/design-access-control-adv-4.png){: .with-border}
+
+## Where to go next
+
+- [Access control design with Docker EE Advanced](access-control-design-ee-advanced.md)
+
+{% endif %}
+{% endif %}

deploy/access-control/access-control-node.md

@@ -0,0 +1,65 @@
+---
+title:  Node access control in Docker EE Advanced
+description: Learn how to architect node access with Docker Enterprise Edition Standard.
+keywords: authorize, authentication, node, UCP, role, access control
+redirect_from:
+- /ucp/
+ui_tabs:
+- version: ucp-3.0
+  orhigher: true
+- version: ucp-2.2
+  orlower: true
+---
+
+{% if include.ui %}
+{% if include.version=="ucp-3.0" %}
+This topic is under construction.
+
+{% elsif include.version=="ucp-2.2" %}
+
+The ability to segment scheduling and visibility by node is called
+*node access control* and is a feature of Docker EE Advanced. By default,
+all nodes that aren't infrastructure nodes (UCP & DTR nodes) belong to a
+built-in collection called `/Shared`. By default, all application workloads
+in the cluster will get scheduled on nodes in the `/Shared` collection. This
+includes users that are deploying in their private collections
+(`/Shared/Private/`) and in any other collections under `/Shared`. This is
+enabled by a built-in grant that grants every UCP user the `scheduler`
+capability against the `/Shared` collection.
+
+Node Access Control works by placing nodes in to custom collections outside of
+`/Shared`. If the `scheduler` capability is granted via a role to a user or
+group of users against a collection then they will be able to schedule
+containers and services on these nodes. In the following example, users with
+`scheduler` capability against `/collection1` will be able to schedule
+applications on those nodes.
+
+Note that in the directory these collections lie outside of the `/Shared`
+collection so users without grants will not have access to these collections
+unless explicitly granted access. These users will only be able to deploy
+applications on the built-in `/Shared` collection nodes.
+
+![image](../images/design-access-control-adv-custom-grant.png){: .with-border}
+
+The tree representation of this collection structure looks like this:
+
+```
+/
+├── Shared
+├── System
+├── collection1
+└── collection2
+    ├── sub-collection1
+    └── sub-collection2
+```
+
+With the use of default collections, users, teams, and organizations can be
+constrained to what nodes and physical infrastructure they are capable of
+deploying on.
+
+## Where to go next
+
+- [Isolate swarm nodes to a specific team](isolate-nodes-between-teams.md)
+
+{% endif %}
+{% endif %}