
[Feature Request] Handle region-specific configurations to inject jwt token in services

Open alexisdondon opened this issue 2 years ago • 2 comments

We could add some region configuration to let the Onyxia administrator choose in the region whether some JWTs that the Onyxia UI collects could be injected into the Helm charts exposed as a service in the catalog.

For instance:

  • jwt.kubernetes,
  • jwt.onyxia,
  • jwt.minio,
  • jwt.atlas,
  • jwt.generique for a generic client in the same realm at least.

This is a first proposal that could be discussed.

[Feature Amelioration] The JWTs are currently in the JSON payload of the PUT request when the user asks to launch a service over HTTPS. It could be good for the long run like this, but for more security, as a JWT could be sensitive information, we could think about some feature amelioration. For instance: the JWT could be signed with a public key exposed by Onyxia, and the onyxia-api could own the private key to decrypt the JWT.

alexisdondon avatar Oct 25 '22 06:10 alexisdondon
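
One way the public-key protection proposed above could look, as an added example (not Onyxia code): the UI seals each token to a public key and only the holder of the private key can recover it. A JWT is usually longer than RSA-OAEP can encrypt directly, so the sketch wraps a one-time AES-256-GCM key instead; `sealToken`, `openToken`, the sample token and the use of `jwt.minio` as a binding label are assumptions.

```javascript
// Added example: hybrid encryption of a JWT carried inside a JSON payload.
const crypto = require('node:crypto');

// Constructed key pair standing in for the one the API would own; only the
// public half would be exposed to the UI.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// UI side (hypothetical helper): seal a token so only the private-key holder can read it.
function sealToken(token, pubKey, context) {
  const cek = crypto.randomBytes(32); // one-time AES-256 content key
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(context)); // bind the ciphertext to its field name
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: pubKey, ...OAEP }, cek).toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// API side (hypothetical helper): unwrap the content key, then decrypt and authenticate.
function openToken(sealed, privKey, context) {
  const cek = crypto.privateDecrypt({ key: privKey, ...OAEP }, Buffer.from(sealed.wrappedKey, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, Buffer.from(sealed.iv, 'base64'));
  decipher.setAAD(Buffer.from(context));
  decipher.setAuthTag(Buffer.from(sealed.tag, 'base64'));
  return Buffer.concat([
    decipher.update(Buffer.from(sealed.ct, 'base64')),
    decipher.final(), // throws if ciphertext, tag or context was altered
  ]).toString('utf8');
}

// Constructed sample token (not a real JWT), longer than RSA-OAEP alone could carry.
const sampleJwt = ['eyJhbGciOiJSUzI1NiJ9', 'A'.repeat(600), 'c2lnbmF0dXJl'].join('.');
const sealed = sealToken(sampleJwt, publicKey, 'jwt.minio');
console.log(openToken(sealed, privateKey, 'jwt.minio') === sampleJwt);
```

The sealed object is what would travel in the PUT body in place of the raw token; sealing only protects the token up to the API, not once it is injected into a running container.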

Is this feature group-ready, or should it be allowed only in personal workspaces?

Indeed, if:

  • userA and userB are in the same group (same namespace)
  • userA launches a shared service with injection of some of his JWTs.
  • userB could collect the jwts of userA by connecting to the containers in the group.

Is it beyond the scope of Onyxia to have control over this?

alexisdondon avatar Oct 25 '22 06:10 alexisdondon

https://github.com/InseeFrLab/onyxia-web/issues/410

alexisdondon avatar Nov 08 '22 05:11 alexisdondon