Role & Permission Matrix
Version 1.0 | Classification: CONFIDENTIAL — Internal Use Only
On-Premises Roles
| Role | Account | Servers | Access Level | Permitted Actions |
|---|---|---|---|---|
| DNS/DHCP Admin | dnsadmin | SKY, RAIN | sudo | BIND, ISC DHCP, zone files, DNSSEC, firewalld, backups |
| Monitoring Admin | monitadmin | SUN, WIND | sudo | Prometheus, Grafana, Elasticsearch, Logstash, Kibana, backups |
| Read-Only Observer | (none currently) | Any | SSH, no sudo | Log review via Kibana; no config changes |
| Emergency Root | root (console only) | Any | Full | ESXi console access only; no SSH root |
GCP Roles
| Role | Identity | GCP IAM Role | Scope |
|---|---|---|---|
| IT Admin | rajesh.chhetry@greenpeace.us | Owner | Full project gpus-infra |
| Cloud Run Viewer | (future Okta integration) | roles/run.viewer | Status + MkDocs services |
| Storage Admin | Service account | roles/storage.admin | Backup bucket only |
Service Account Summary
| Account | Server | Shell | Purpose |
|---|---|---|---|
| named | SKY, RAIN | /sbin/nologin | BIND DNS process |
| dhcpd | SKY, RAIN | /sbin/nologin | ISC DHCP process |
| prometheus | SUN | /sbin/nologin | Prometheus metrics scraper |
| grafana | SUN | /sbin/nologin | Grafana dashboard server |
| elasticsearch | WIND | /sbin/nologin | Elasticsearch indexer |
| logstash | WIND | /sbin/nologin | Log ingestion pipeline |
| kibana | WIND | /sbin/nologin | Kibana dashboard server |
All service accounts use the nologin shell and have no SSH keys configured.
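A quick way to verify the nologin/no-SSH-key statement above on SKY, RAIN, SUN and WIND is to audit the passwd entries of the listed accounts. The script below is an added example, not part of this matrix or the GPUS-IT tooling; the passwd file, home directories and key file it runs against are constructed so it can be executed offline.

```shell
# Added example, not part of the original matrix: a POSIX sh audit that
# checks the Service Account Summary claim above (nologin shell, no SSH
# keys) against a passwd-format file. Paths and the sample passwd content
# below are constructed for an offline run.

# Accounts from the Service Account Summary, and the shell each should have.
SERVICE_ACCOUNTS="named dhcpd prometheus grafana elasticsearch logstash kibana"
EXPECTED_SHELL="/sbin/nologin"

# audit_service_accounts PASSWD_FILE
# Prints one finding per line; returns 0 when every listed account is
# present with the nologin shell and no authorized_keys file, else 1.
audit_service_accounts() {
    passwd_file="$1"
    rc=0
    for acct in $SERVICE_ACCOUNTS; do
        entry=$(grep "^${acct}:" "$passwd_file") || {
            echo "MISSING $acct: no passwd entry"; rc=1; continue; }
        shell=$(printf '%s\n' "$entry" | cut -d: -f7)
        home=$(printf '%s\n' "$entry" | cut -d: -f6)
        if [ "$shell" != "$EXPECTED_SHELL" ]; then
            echo "SHELL   $acct: has '$shell', expected $EXPECTED_SHELL"; rc=1
        fi
        if [ -s "$home/.ssh/authorized_keys" ]; then
            echo "SSHKEY  $acct: authorized_keys present under $home"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: grafana has an interactive shell, kibana has a key.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/kibana/.ssh"
echo "ssh-ed25519 PLACEHOLDER-KEY constructed@example" > "$SAMPLE_ROOT/kibana/.ssh/authorized_keys"
SAMPLE_PASSWD="$SAMPLE_ROOT/passwd"
cat > "$SAMPLE_PASSWD" <<EOF
named:x:25:25::$SAMPLE_ROOT/named:/sbin/nologin
dhcpd:x:177:177::$SAMPLE_ROOT/dhcpd:/sbin/nologin
prometheus:x:990:990::$SAMPLE_ROOT/prometheus:/sbin/nologin
grafana:x:989:989::$SAMPLE_ROOT/grafana:/bin/bash
elasticsearch:x:988:988::$SAMPLE_ROOT/elasticsearch:/sbin/nologin
logstash:x:987:987::$SAMPLE_ROOT/logstash:/sbin/nologin
kibana:x:986:986::$SAMPLE_ROOT/kibana:/sbin/nologin
EOF

audit_service_accounts "$SAMPLE_PASSWD" || echo "audit: deviations found"
```

On a real host, point the function at /etc/passwd; a non-zero exit is the signal to investigate before the account is trusted as non-interactive.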
Management Interface Access
| Interface | URL | Authorized Roles | Auth Method |
|---|---|---|---|
| SKY Webmin | https://192.168.124.1:10000 | dnsadmin | Local password (TLS) |
| RAIN Webmin | https://192.168.124.2:10000 | dnsadmin | Local password (TLS) |
| SUN Webmin | https://192.168.124.3:10000 | monitadmin | Local password (TLS) |
| WIND Webmin | https://192.168.124.4:10000 | monitadmin | Local password (TLS) |
| Prometheus | http://192.168.124.3:9090 | monitadmin (network-restricted) | None (network control) |
| Grafana | http://192.168.124.3:3000 | grafana_admin | Local password |
| Kibana | http://192.168.124.4:5601 | monitadmin (network-restricted) | None (network control) |
| GCP Console | https://console.cloud.google.com | IT Admin | Google SSO + MFA |
Management network only
All Webmin, Grafana, Kibana, and Prometheus interfaces are accessible from the management network (192.168.124.0/24) only. They are not reachable from the production network or internet.
Roles · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only