diff --git a/charts/core/Chart.yaml b/charts/core/Chart.yaml
index d04be78..891e6ac 100644
--- a/charts/core/Chart.yaml
+++ b/charts/core/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for deploying Unikorn Core
 type: application
-version: v0.1.9
-appVersion: v0.1.9
+version: v0.1.10
+appVersion: v0.1.10
 icon: https://assets.unikorn-cloud.org/images/logos/dark-on-light/icon.svg
diff --git a/pkg/authorization/oauth2/claims/types.go b/pkg/authorization/oauth2/claims/types.go
index 96d813c..14021ee 100644
--- a/pkg/authorization/oauth2/claims/types.go
+++ b/pkg/authorization/oauth2/claims/types.go
@@ -22,15 +22,53 @@ import (
 "github.com/unikorn-cloud/core/pkg/authorization/oauth2/scope"
 )
+// Role defines the role a user has within the scope of a group.
+// +kubebuilder:validation:Enum=superAdmin;admin;user;reader
+type Role string
+
+const (
+ // SuperAdmin users can do anything, anywhere, and should be
+ // restricted to platform operators only.
+ SuperAdmin = "superAdmin"
+ // Admin users can do anything within an organization.
+ Admin Role = "admin"
+ // Users can do anything within allowed projects.
+ User Role = "user"
+ // Readers have read-only access within allowed projects.
+ Reader Role = "reader"
+)
+
+// Group records RBAC data in the claims.
+type Group struct {
+ // ID is the immutable group ID.
+ ID string `json:"id"`
+ // Roles are a list of roles the group possesses.
+ Roles []Role `json:"roles,omitempty"`
+}
+
+// UnikornClaims contains all application specific claims in a single
+// top-level claim that won't clash with the ones defined by IETF.
+type UnikornClaims struct {
+ // Organization is the top level organization the user belongs to.
+ Organization string `json:"org"`
+
+ // Groups is a list of groups and roles the token has access to.
+ // Resources should be scoped to some group/groups that the resource
+ // server can filter based on the access token. Then it can determine
+ // what operations are allowed based on the roles assigned to those
+ // groups.
+ Groups []Group `json:"groups,omitempty"`
+}
+
 // Claims is an application specific set of claims.
 // TODO: this technically isn't conformant to oauth2 in that we don't specify
 // the client_id claim, and there are probably others.
 type Claims struct {
 jwt.Claims `json:",inline"`
- // Organization is the top level organization the user belongs to.
- Organization string `json:"org"`
-
 // Scope is the oauth2 scope of the token.
 Scope scope.Scope `json:"scope,omitempty"`
+
+ // Unikorn claims are application specific extensions.
+ Unikorn *UnikornClaims `json:"unikorn,omitempty"`
 }
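Review bot: `SuperAdmin = "superAdmin"` in the new `const` block is an untyped string constant while `Admin`, `User` and `Reader` are declared as `Role`; declare it `SuperAdmin Role = "superAdmin"` so the set is uniform and the value carries the `Role` type when boxed into an interface or inspected via reflection. The `+kubebuilder:validation:Enum` marker on `Role` only constrains a CRD schema, so a `Role` decoded from a token is not checked against that enum by anything in this hunk; resource servers reading `Group.Roles` should treat any value they do not recognize as conferring no permission rather than falling through to a default. Because `Unikorn` is a pointer with `omitempty`, a token that still carries only the old top-level `org` claim decodes with `Unikorn == nil`, so callers that previously read `claims.Organization` need a nil check before `claims.Unikorn.Organization`; whether such tokens remain in circulation is not visible from this hunk.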