diff --git a/src/vfxt/README.md b/src/vfxt/README.md index b649138e..907a12bf 100644 --- a/src/vfxt/README.md +++ b/src/vfxt/README.md @@ -26,14 +26,14 @@ The following table shows the roles required for each of the avere operations: | Name | Description | Role Required | | --- | --- | --- | - | **Controller (vFXT.py)** | the controller uses vFXT.py to create, destroy, and manage a vFXT cluster | "Avere Contributor" | - | **vFXT** | the vFXT manages Azure resources for new vServers, and in response to HA events | "avere-cluster" | - | **Standalone Administrator** | deploy the VNET, vFXT controller, and vFXT into the same resource group | "[User Access Administrator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator)" and "[Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor)" for the target vFXT resource group | - | **Bring your own VNET Administrator** | deploy vFXT controller, and vFXT into the same resource group but reference the VNET from a different resource group | "[User Access Administrator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator)" and "[Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor)" for the target vFXT resource Group, and "[Virtual Machine Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor)" and "Avere Contributor" for the VNET resource group| + | **Controller (vFXT.py)** | the controller uses vFXT.py to create, destroy, and manage a vFXT cluster | "[Avere Contributor](https://github.com/Azure/Avere/blob/master/src/vfxt/src/roles/AvereContributor.txt)" where scoped RG is handled by template | + | **vFXT** | the vFXT manages Azure resources for new vServers, and in response to HA events | "[avere-cluster](https://docs.microsoft.com/en-us/azure/avere-vfxt/avere-vfxt-pre-role)" where scoped RG is handled by vFXT.py | + | **Standalone Administrator** | deploy the VNET, vFXT controller, and vFXT into the same resource group | "[User Access Administrator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator)" and "[Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor)" scoped to the target vFXT resource group | + | **Bring your own VNET Administrator** | deploy vFXT controller, and vFXT into the same resource group but reference the VNET from a different resource group | "[User Access Administrator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator)" and "[Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor)" scoped to the target vFXT resource Group, and "[Virtual Machine Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor)" and "[Avere Contributor](https://github.com/Azure/Avere/blob/master/src/vfxt/src/roles/AvereContributor.txt)" scoped to the VNET resource group| Here are the instructions to create custom Avere Roles: - 1. "avere-cluster" - use instructions from [the Avere documention for runtime role creation](https://docs.microsoft.com/en-us/azure/avere-vfxt/avere-vfxt-pre-role). Microsoft employees use role "Avere Cluster Runtime Operator". - 1. "Avere Contributor" - apply the ["Avere Contributor" role file](src/roles/AvereContributor.txt), using instructions from [the Avere documention for runtime role creation](https://docs.microsoft.com/en-us/azure/avere-vfxt/avere-vfxt-pre-role). Microsoft employees specify role "Avere Cluster Create". + 1. "avere-cluster" - use instructions from [the Avere documention for runtime role creation](https://docs.microsoft.com/en-us/azure/avere-vfxt/avere-vfxt-pre-role). Microsoft employees should specify already defined role "Avere Cluster Runtime Operator". + 1. "Avere Contributor" - apply the ["Avere Contributor" role file](src/roles/AvereContributor.txt), using instructions from [the Avere documentation for runtime role creation](https://docs.microsoft.com/en-us/azure/avere-vfxt/avere-vfxt-pre-role). Microsoft employees should specify already defined role "Avere Cluster Create". There are two deployment modes of the Avere vFXT: standalone and "bring your own VNET". In the standalone case, the deployment deploys the controller and vFXT cluster into a brand new VNET. In the "bring your own VNET" deployment, the controller and vFXT cluster uses ip addresses from an existing vnet subnet. Both of these cases require different role configurations. The following two sections highlight show the strictest scoping to a service principal, but these can be generalized to any user principal.