[applications] applications with user/team authorization #306

Open
nebula-projects opened this issue Feb 10, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@nebula-projects

Is your feature request related to a problem? Please describe

I like the idea of applications, which is the start of an application-centric approach. I succeeded in logging in to kobs with authentication enabled via the Keycloak provider. However, it seems that the logged-in user can view/access all the applications filtered by cluster and namespace, but not by the team to which the user belongs.

A team defined in the Application CR:

apiVersion: kobs.io/v1
kind: Application
metadata:
  name: reviews
  namespace: bookinfo
spec:
  ...
  teams:
  - name: not-existing
    namespace: kobs
    cluster: kobs
  ...

teamCluster, teamNamespace and teamName in the following code snippet are always nil. If I'm not mistaken, they could be used to filter the applications.

applications.go

func (router *Router) getApplications(w http.ResponseWriter, r *http.Request) {
	clusterNames := r.URL.Query()["cluster"]
	namespaces := r.URL.Query()["namespace"]
	tagsList := r.URL.Query()["tag"]
	view := r.URL.Query().Get("view")
	teamCluster := r.URL.Query().Get("teamCluster")
	teamNamespace := r.URL.Query().Get("teamNamespace")
	teamName := r.URL.Query().Get("teamName")

Describe the solution you'd like

The logged-in user can only view/access the applications owned by his/her team.

@nebula-projects nebula-projects added the enhancement New feature or request label Feb 10, 2022
@nebula-projects nebula-projects changed the title [applications] [applications] applications with user/team authorization Feb 10, 2022
@ricoberger
Member

ricoberger commented Feb 13, 2022

Hi @nebula-projects, you are right. Currently the teamCluster, teamNamespace and teamName parameters are only used when the applications plugin is used in a dashboard: https://kobs.io/main/plugins/applications/#team.

I like the idea of restricting the applications which can be viewed by a user based on his permissions. I will have a look at this in the following days to see how we can implement it.

Currently I see two options for the implementation (my preferred one would be the second one):

  1. We can add a new global setting to restrict access to applications.
  2. We can add it to the permissions section of the User / Team CR, so that we can still add exceptions for some users like cluster admins.

Notes regarding option 2

  • In the following example, all users who are part of team1 would have access to all applications, and all users who are part of team2 can only access the applications which have their teams added.
---
apiVersion: kobs.io/v1
kind: Team
metadata:
  name: team1
spec:
  id: team1@kobs.io
  permissions:
    plugins:
      - name: applications
        permissions:
          - 'all'

---
apiVersion: kobs.io/v1
kind: Team
metadata:
  name: team2
spec:
  id: team2@kobs.io
  permissions:
    plugins:
      - name: applications
        permissions:
          - 'team'
  • Another option would be to restrict the access to applications in the User / Team CR based on the cluster/namespace, but somehow this doesn't feel right to me, and it seems like we would not take advantage of the existing connection.
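
A sketch of the server-side filter that option 2 implies, added here as an illustration; it is not code from kobs or from either commenter. The types and the `visibleApplications` function are hypothetical, and only the `all` / `team` permission values and the cluster/namespace/name team reference come from the issue.

```go
package main

import "fmt"

// TeamRef is the cluster/namespace/name triple used under spec.teams.
type TeamRef struct{ Cluster, Namespace, Name string }

// Application and Team are hypothetical, trimmed-down stand-ins for the CRs.
type Application struct {
	Name  string
	Teams []TeamRef
}
type Team struct {
	Ref         TeamRef
	Permissions []string // entries listed for the "applications" plugin
}

// visibleApplications filters apps for a user who belongs to userTeams.
// "all" grants everything, "team" grants owned applications, the rest is denied.
func visibleApplications(apps []Application, userTeams []Team) []Application {
	owned := map[TeamRef]bool{}
	for _, t := range userTeams {
		for _, p := range t.Permissions {
			switch p {
			case "all":
				return apps
			case "team":
				// Key on the full triple so a same-named team elsewhere cannot match.
				owned[t.Ref] = true
			}
		}
	}
	var out []Application
	for _, a := range apps {
		for _, ref := range a.Teams {
			if owned[ref] {
				out = append(out, a)
				break
			}
		}
	}
	return out
}

func main() { // constructed sample data
	team2 := Team{TeamRef{"kobs", "kobs", "team2"}, []string{"team"}}
	apps := []Application{{"reviews", []TeamRef{team2.Ref}}, {"ratings", []TeamRef{{"kobs", "other", "team2"}}}}
	fmt.Println(visibleApplications(apps, []Team{team2}))
}
```

A user with no teams, or whose teams carry neither value, gets an empty list, so the filter denies by default.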
