
[applications] applications with user/team authorization

Open nebula-projects opened this issue 3 years ago • 1 comments

Is your feature request related to a problem? Please describe

I like the idea of applications, which is the start of an application-centric approach. I succeeded in logging in to kobs with authentication enabled via the keycloak provider. However, it seems that the logged-in user can view/access all the applications, filtered by cluster and namespace but not by the team which the user belongs to.

A team is defined in the application CR.

apiVersion: kobs.io/v1
kind: Application
metadata:
  name: reviews
  namespace: bookinfo
spec:
  ...
  teams:
  - name: not-existing
    namespace: kobs
    cluster: kobs
  ...

teamCluster, teamNamespace and teamName in the following code snippet are always nil. If I'm not mistaken, they could be used to filter the applications.

applications.go

// getApplications handles the applications list request; only the query
// parameter parsing at the top of the handler is shown in the original post.
func (router *Router) getApplications(w http.ResponseWriter, r *http.Request) {
	clusterNames := r.URL.Query()["cluster"]
	namespaces := r.URL.Query()["namespace"]
	tagsList := r.URL.Query()["tag"]
	view := r.URL.Query().Get("view")
	// Team filters come from the client-supplied query string, so they are
	// empty unless the caller explicitly sets them.
	teamCluster := r.URL.Query().Get("teamCluster")
	teamNamespace := r.URL.Query().Get("teamNamespace")
	teamName := r.URL.Query().Get("teamName")
	// ... remainder of the handler omitted in the original post
}

Describe the solution you'd like

The logged-in user can only view/access the applications owned by his/her team.

nebula-projects avatar Feb 10 '22 10:02 nebula-projects

Hi @nebula-projects, you are right, currently the teamCluster, teamNamespace and teamName parameters are only used when the applications plugin is used in a dashboard: https://kobs.io/main/plugins/applications/#team.

I like the idea of restricting the applications which can be viewed by a user based on his permissions. I will have a look at this in the following days to see how we can implement this.

Currently I see two options for the implementation (my preferred one would be the second one):

  1. We can add a new global setting to restrict access to applications.
  2. We can add it to the permissions section of the User / Team CR, so that we can still add exceptions for some users like cluster admins.

Notes regarding option 2

  • In the following example all users which are part of team1 would have access to all applications and all users which are part of team2 can only access the applications which have their teams added.
---
apiVersion: kobs.io/v1
kind: Team
metadata:
  name: team1
spec:
  id: [email protected]
  permissions:
    plugins:
      - name: applications
        permissions:
          - 'all'

---
apiVersion: kobs.io/v1
kind: Team
metadata:
  name: team2
spec:
  id: [email protected]
  permissions:
    plugins:
      - name: applications
        permissions:
          - 'team'

  • Another option would be to restrict the access to applications in the User / Team CR based on the cluster/namespace, but somehow this doesn't feel right to me and seems like we would not take advantage of the existing connection.

ricoberger avatar Feb 13 '22 22:02 ricoberger
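The following is an added example, not code from the kobs project or from either participant in this issue, sketching how the server side could enforce the behaviour requested in the issue together with option 2 from the reply above: an application is returned only if the caller's team is listed in the application's spec.teams, unless the caller's applications plugin permission is 'all'. All type and function names (TeamReference, Application, PluginPermission, User, FilterApplications, sampleApplications, VisibleNames) are hypothetical stand-ins modelled on the CRs shown in the thread, not kobs' own API, and the sample applications are constructed for the example. The filter deliberately defaults to deny: a user with no applications permission entry at all sees nothing, and an application with no teams is visible only to 'all' users, so the team reference in the CR is what grants access rather than the cluster/namespace query parameters the client controls.

```go
package main

import "fmt"

// TeamReference identifies a team the way spec.teams does in the Application CR
// (hypothetical type, modelled on the issue's example, not kobs' own API).
type TeamReference struct {
	Cluster, Namespace, Name string
}

// Application is a reduced view of the Application CR: identity plus the
// teams that own it (hypothetical type).
type Application struct {
	Cluster, Namespace, Name string
	Teams                    []TeamReference
}

// PluginPermission mirrors one entry of spec.permissions.plugins in the
// proposed User / Team CR (hypothetical type).
type PluginPermission struct {
	Name        string
	Permissions []string
}

// User is the authenticated principal: the teams it belongs to and its
// effective plugin permissions, as resolved from the User / Team CRs.
type User struct {
	Teams   []TeamReference
	Plugins []PluginPermission
}

// applicationsScope returns "all", "team" or "" (no access) for the
// applications plugin. "all" wins over "team" so cluster admins keep full view.
func (u User) applicationsScope() string {
	scope := "" // default-deny: no permission entry means nothing is visible
	for _, p := range u.Plugins {
		if p.Name != "applications" {
			continue
		}
		for _, perm := range p.Permissions {
			switch perm {
			case "all":
				return "all"
			case "team":
				scope = "team"
			}
		}
	}
	return scope
}

// ownsTeam reports whether the user is a member of the referenced team.
// Cluster, namespace and name must all match, as in the CR.
func (u User) ownsTeam(t TeamReference) bool {
	for _, ut := range u.Teams {
		if ut == t {
			return true
		}
	}
	return false
}

// FilterApplications enforces the proposed rule server-side, independent of
// any teamCluster/teamNamespace/teamName query parameters sent by the client.
func FilterApplications(u User, apps []Application) []Application {
	switch u.applicationsScope() {
	case "all":
		return apps
	case "team":
		var visible []Application
		for _, app := range apps {
			for _, t := range app.Teams {
				if u.ownsTeam(t) {
					visible = append(visible, app)
					break
				}
			}
		}
		return visible
	default:
		return nil
	}
}

// sampleApplications returns constructed sample data, not real kobs objects.
func sampleApplications() []Application {
	team1 := TeamReference{Cluster: "kobs", Namespace: "kobs", Name: "team1"}
	team2 := TeamReference{Cluster: "kobs", Namespace: "kobs", Name: "team2"}
	return []Application{
		{Cluster: "kobs", Namespace: "bookinfo", Name: "reviews", Teams: []TeamReference{team2}},
		{Cluster: "kobs", Namespace: "bookinfo", Name: "ratings", Teams: []TeamReference{team1}},
		{Cluster: "kobs", Namespace: "default", Name: "orphan"}, // no teams listed at all
	}
}

// VisibleNames is a convenience wrapper returning "namespace/name" of the
// applications the user may see, in input order.
func VisibleNames(u User, apps []Application) []string {
	var names []string
	for _, app := range FilterApplications(u, apps) {
		names = append(names, app.Namespace+"/"+app.Name)
	}
	return names
}

func main() {
	member := User{
		Teams:   []TeamReference{{Cluster: "kobs", Namespace: "kobs", Name: "team2"}},
		Plugins: []PluginPermission{{Name: "applications", Permissions: []string{"team"}}},
	}
	fmt.Println(VisibleNames(member, sampleApplications())) // [bookinfo/reviews]
}
```

Because the decision is made from the resolved User / Team CRs rather than from request parameters, a client cannot widen its own view by omitting or changing teamCluster, teamNamespace or teamName; those parameters remain purely a display filter for the dashboard use case.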