Add RBAC to Access Token Claims #10

Merged
merged 1 commit into from
Mar 14, 2024
4 changes: 2 additions & 2 deletions charts/core/Chart.yaml
Expand Up @@ -4,7 +4,7 @@ description: A Helm chart for deploying Unikorn Core

type: application

version: v0.1.9
appVersion: v0.1.9
version: v0.1.10
appVersion: v0.1.10

icon: https://assets.unikorn-cloud.org/images/logos/dark-on-light/icon.svg
44 changes: 41 additions & 3 deletions pkg/authorization/oauth2/claims/types.go
Expand Up @@ -22,15 +22,53 @@ import (
"github.com/unikorn-cloud/core/pkg/authorization/oauth2/scope"
)

// Role defines the role a user has within the scope of a group.
// +kubebuilder:validation:Enum=superAdmin;admin;user;reader
type Role string

const (
// SuperAdmin users can do anything, anywhere, and should be
// restricted to platform operators only.
SuperAdmin = "superAdmin"
// Admin users can do anything within an organization.
Admin Role = "admin"
// Users can do anything within allowed projects.
User Role = "user"
// Readers have read-only access within allowed projects.
Reader Role = "reader"
)

// Group records RBAC data in the claims.
type Group struct {
// ID is the immutable group ID.
ID string `json:"id"`
// Roles are a list of roles the group possesses.
Roles []Role `json:"roles,omitempty"`
}

// UnikornClaims contains all application specific claims in a single
// top-level claim that won't clash with the ones defined by IETF.
type UnikornClaims struct {
// Organization is the top level organization the user belongs to.
Organization string `json:"org"`

// Groups is a list of groups and roles the token has access to.
// Resources should be scoped to some group/groups that the resource
// server can filter based on the access token. Then it can determine
// what operations are allowed based on the roles assigned to those
// groups.
Groups []Group `json:"groups,omitempty"`
}

// Claims is an application specific set of claims.
// TODO: this technically isn't conformant to oauth2 in that we don't specify
// the client_id claim, and there are probably others.
type Claims struct {
jwt.Claims `json:",inline"`

// Organization is the top level organization the user belongs to.
Organization string `json:"org"`

// Scope is the oauth2 scope of the token.
Scope scope.Scope `json:"scope,omitempty"`

// Unikorn claims are application specific extensions.
Unikorn *UnikornClaims `json:"unikorn,omitempty"`
}
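Review bot: `SuperAdmin = "superAdmin"` in the new `const` block is the only one of the four role constants declared without the `Role` type, so it is an untyped string constant rather than a `Role`; declare it as `SuperAdmin Role = "superAdmin"` to match `Admin`, `User` and `Reader`. `Organization` now also appears twice, at the top level of `Claims` and inside `UnikornClaims`, both serialized as `org` with identical comments; either drop one or document which the resource server should treat as authoritative. Finally, the `+kubebuilder:validation:Enum` marker on `Role` only constrains CRD schemas, not values parsed out of a JWT, so a resource server decoding `Groups[].Roles` gets no guarantee the strings are among the four defined roles; consider an `IsValid()` method on `Role` (or validation in the claims parser) so unknown role values are rejected explicitly rather than silently ignored.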