
Bearer token #27

Merged
merged 1 commit into from
Oct 12, 2024

Conversation

gianlucam76
Member

Each API expects bearer token to be present in the authorization header in the form

Authorization: Bearer <token>

Each request will:

  1. Get token from authorization header
  2. Validate the token by querying the ServerVersion
  3. Get user from token

At this point behavior is different from query to query:

  1. queries to fetch SveltosClusters or CAPI Clusters will first verify if user has permissions to list cluster instances in all namespaces. If so data cached by the manager is returned. If not, walk all existing clusters and for each cluster validate whether user is allowed to get it. Return only clusters the user has permissions for.

  2. queries to get helm charts/resources/profiles for a given cluster will first verify whether the user has permission to get that specific cluster. Only if permissions are in place, result will be returned.
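The request pipeline described above (extract the bearer token, validate it against the API server, resolve the user, then either return the cached cluster list or filter it per cluster), written out as an added Go example. This is not code from the projectsveltos PR; the `Authorizer` interface, `fakeAuthorizer`, and all sample tokens, users and clusters are constructed stand-ins for the client-go calls the PR relies on (`ServerVersion()` for token validation, `SelfSubjectAccessReview` for the permission checks), so the example runs offline. It also shows the one property worth keeping in mind when reviewing this design: the `ServerVersion` call only proves the token authenticates; it is the per-query permission checks that decide what the caller may see.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrNoBearerToken is returned when the header is absent or malformed.
var ErrNoBearerToken = errors.New("authorization header must be 'Bearer <token>'")

// BearerToken extracts <token> from "Authorization: Bearer <token>".
// The scheme is matched case-insensitively; the token itself is kept verbatim.
func BearerToken(h http.Header) (string, error) {
	auth := h.Get("Authorization")
	const scheme = "bearer "
	if len(auth) < len(scheme) || !strings.EqualFold(auth[:len(scheme)], scheme) {
		return "", ErrNoBearerToken
	}
	token := strings.TrimSpace(auth[len(scheme):])
	if token == "" {
		return "", ErrNoBearerToken
	}
	return token, nil
}

// Cluster identifies a SveltosCluster or CAPI Cluster.
type Cluster struct{ Namespace, Name string }

// Authorizer abstracts the API-server calls the PR description relies on
// (hypothetical interface; a real implementation would wrap client-go).
type Authorizer interface {
	ValidateToken(token string) error                     // step 2: ServerVersion() with the token
	UserFor(token string) (string, error)                 // step 3: user bound to the token
	CanListAllClusters(user string) (bool, error)         // list clusters in all namespaces?
	CanGetCluster(user string, c Cluster) (bool, error)   // get this specific cluster?
}

// Authenticate runs steps 1-3 for one request and returns the user name.
func Authenticate(h http.Header, a Authorizer) (string, error) {
	token, err := BearerToken(h)
	if err != nil {
		return "", err
	}
	if err := a.ValidateToken(token); err != nil {
		return "", fmt.Errorf("token rejected by API server: %w", err)
	}
	return a.UserFor(token)
}

// VisibleClusters implements the list query: hand back the manager's cache
// unchanged when the user may list cluster-wide, otherwise keep only the
// clusters the user is allowed to get individually.
func VisibleClusters(user string, cached []Cluster, a Authorizer) ([]Cluster, error) {
	listAll, err := a.CanListAllClusters(user)
	if err != nil {
		return nil, err
	}
	if listAll {
		return cached, nil
	}
	visible := []Cluster{}
	for _, c := range cached {
		ok, err := a.CanGetCluster(user, c)
		if err != nil {
			return nil, err
		}
		if ok {
			visible = append(visible, c)
		}
	}
	return visible, nil
}

// fakeAuthorizer is a constructed in-memory stand-in so the example runs offline.
type fakeAuthorizer struct {
	users   map[string]string    // token -> user
	listAll map[string]bool      // users allowed to list clusters in all namespaces
	getOK   map[string][]Cluster // per-user clusters they may get
}

func (f fakeAuthorizer) ValidateToken(t string) error {
	if _, ok := f.users[t]; !ok {
		return errors.New("unauthorized")
	}
	return nil
}
func (f fakeAuthorizer) UserFor(t string) (string, error)         { return f.users[t], nil }
func (f fakeAuthorizer) CanListAllClusters(u string) (bool, error) { return f.listAll[u], nil }
func (f fakeAuthorizer) CanGetCluster(u string, c Cluster) (bool, error) {
	for _, allowed := range f.getOK[u] {
		if allowed == c {
			return true, nil
		}
	}
	return false, nil
}

// SampleAuthorizer holds constructed sample data: "admin" may list everything,
// "alice" may only get the prod cluster in namespace "team-a".
func SampleAuthorizer() Authorizer {
	return fakeAuthorizer{
		users:   map[string]string{"tok-admin": "admin", "tok-alice": "alice"},
		listAll: map[string]bool{"admin": true},
		getOK:   map[string][]Cluster{"alice": {{"team-a", "prod"}}},
	}
}

// SampleCache stands in for the clusters the manager has cached.
func SampleCache() []Cluster {
	return []Cluster{{"team-a", "prod"}, {"team-b", "prod"}, {"infra", "mgmt"}}
}

func main() {
	h := http.Header{}
	h.Set("Authorization", "Bearer tok-alice")
	user, err := Authenticate(h, SampleAuthorizer())
	if err != nil {
		fmt.Println("auth failed:", err)
		return
	}
	visible, _ := VisibleClusters(user, SampleCache(), SampleAuthorizer())
	fmt.Println(user, "sees", visible)
}
```

Running `main` prints that `alice` sees only `{team-a prod}`, while the same call for the admin token returns all three cached clusters untouched. The per-cluster query from point 2 is the `CanGetCluster` check on its own: if it returns false, the helm charts, resources or profiles for that cluster are never returned.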

@gianlucam76 gianlucam76 force-pushed the token branch 2 times, most recently from 839f491 to 138295f Compare October 12, 2024 07:03
Each API expects bearer token to be present in the authorization header
in the form

```
Authorization: Bearer <token>
```

Each request will:
1. Get token from authorization header
2. Validate the token by querying the ServerVersion
3. Get user from token

At this point behavior is different from query to query:

1. queries to fetch SveltosClusters or CAPI Clusters will first verify
if user has permissions to list cluster instances in all namespaces. If
so data cached by the manager is returned.
If not, walk all existing clusters and for each cluster validate whether
user is allowed to get it. Return only clusters the user has permissions for.

2. queries to get helm charts/resources/profiles for a given cluster
will first verify whether the user has permission to get that specific cluster.
Only if permissions are in place, result will be returned.
@gianlucam76 gianlucam76 merged commit 0847d21 into projectsveltos:main Oct 12, 2024
2 checks passed
@gianlucam76 gianlucam76 deleted the token branch October 12, 2024 08:44