canonical / identity-platform-admin-ui

Admin UI for the Canonical identity broker and identity provider solution

Document OpenFGA setup and seeding #253

Closed shipperizer closed 6 months ago

shipperizer commented 6 months ago

create a wiki page or a README section dumping all the information needed to set up and seed OpenFGA with valid data usable by the Groups and Roles API

use the draft below and enhance/make prettier


fetch MODEL_ID and STORE_ID from the openfga server (the one running inside k8s should be perfect; if you have it running on docker that's fine as well). The following will pick the latest model from the first store (hopefully you don't have more than one)

```shell
# first store on the server, then the first authorization model of that store
STORE_ID=$(fga --api-url http://127.0.0.1:8080 store list | jq '.stores[0].id' -r)
MODEL_ID=$(fga --api-url http://127.0.0.1:8080 model list --store-id "$STORE_ID" | jq '.authorization_models[0].id' -r)
```

populate the model with data

```shell
fga --api-url http://127.0.0.1:8080 tuple write --model-id "$MODEL_ID" --store-id "$STORE_ID" --file openfga-tuples.yml
```

where `openfga-tuples.yml` is


```yaml
# tuples
- object: privileged:superuser
  user: user:johndoe
  relation: admin
- object: privileged:superuser
  user: user:shipperizer
  relation: admin
- object: role:administrator
  user: privileged:superuser
  relation: privileged
- object: role:administrator
  user: user:joe
  relation: assignee
- object: group:c-level
  user: user:joe
  relation: member
- object: group:c-level
  user: privileged:superuser
  relation: privileged
- object: identity:user-1
  user: privileged:superuser
  relation: privileged
- object: identity:user-2
  user: privileged:superuser
  relation: privileged
- object: scheme:identity-social
  user: privileged:superuser
  relation: privileged
- object: client:github-canonical
  user: privileged:superuser
  relation: privileged
- object: identity:user-1
  user: user:joe
  relation: can_delete
- object: client:github-canonical
  user: role:administrator#assignee
  relation: can_view
- object: client:okta
  user: role:administrator#assignee
  relation: can_delete
- object: client:github-canonical
  user: group:c-level#member
  relation: can_edit
- object: client:okta
  user: group:c-level#member
  relation: can_delete
- object: client:okta
  user: group:c-level#member
  relation: can_view
- object: client:okta
  user: group:c-level#member
  relation: can_edit
- object: role:administrator
  user: group:c-level#member
  relation: assignee
- object: role:janitor
  user: group:c-level#member
  relation: assignee
#### global view
- user: user:*
  relation: can_view
  object: provider:global
- user: user:*
  relation: can_view
  object: role:global
- user: user:*
  relation: can_view
  object: group:global
- user: user:*
  relation: can_view
  object: client:global
- user: user:*
  relation: can_view
  object: identity:global
- user: user:*
  relation: can_view
  object: scheme:global
```

in terms of API (rudimentary) authorization this

```yaml
- object: privileged:superuser
  user: user:shipperizer
  relation: admin
```

is what enables you to get the full list of roles and groups as an admin user; what you do on the API is set X-Authorization to the base64 encoding of the string "huw" or , no need for "user:"


```shell
shipperizer in ~/shipperizer/identity-platform-admin-ui on IAM-726 ● λ echo -n shipperizer | base64
c2hpcHBlcml6ZXI=
```

```shell
PRIVILEGED_USER=c2hpcHBlcml6ZXI=
http :8000/api/v0/roles X-Authorization:$PRIVILEGED_USER
```
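As an added example (not code from the issue or the repository): a small Python helper that validates a tuple file in the format above, turns it into OpenFGA write request bodies, and builds the X-Authorization value the comment describes. It assumes the OpenFGA HTTP write endpoint shape (`POST /stores/{store_id}/write` with `writes.tuple_keys`) and its default limit of 100 tuples per request; the embedded tuples are a constructed excerpt of the file above.

```python
import base64
# Constructed excerpt of openfga-tuples.yml from the issue above (not the full file).
SAMPLE_TUPLES_YML = """\
- object: privileged:superuser
  user: user:shipperizer
  relation: admin
- object: client:okta
  user: group:c-level#member
  relation: can_view
#### global view
- user: user:*
  relation: can_view
  object: client:global
"""

def parse_tuples(text):
    # Minimal parser for the flat '- key: value' list the seed file uses (no PyYAML
    # dependency); validates the fields an OpenFGA write requires before any call.
    tuples = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            tuples.append({})
            line = line[2:]
        elif not tuples:
            raise ValueError(f"mapping line before first list item: {raw!r}")
        key, _, value = line.partition(":")
        tuples[-1][key.strip()] = value.strip()
    for t in tuples:
        if {"user", "relation", "object"} - t.keys():
            raise ValueError(f"tuple {t} lacks user/relation/object")
        if any(":" not in t[f] for f in ("user", "object")):
            raise ValueError(f"user/object must be 'type:id' references: {t}")
    return tuples

def write_requests(tuples, model_id, batch_size=100):
    # Bodies for POST /stores/{store_id}/write; OpenFGA accepts at most 100 tuples per write by default.
    keys = [{"user": t["user"], "relation": t["relation"], "object": t["object"]}
            for t in tuples]
    return [{"authorization_model_id": model_id,
             "writes": {"tuple_keys": keys[i:i + batch_size]}}
            for i in range(0, len(keys), batch_size)]

def authorization_header(user):
    # X-Authorization for the admin API: base64 of the bare user id (no 'user:' prefix).
    bare = user[len("user:"):] if user.startswith("user:") else user
    return base64.b64encode(bare.encode()).decode()
```

Each body can be sent as-is with `Authorization`/`--api-url` handling of your choice; the header helper returns the same value as the `echo -n shipperizer | base64` shown above.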
---
syncronize-issues-to-jira[bot] commented 6 months ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-781.

This message was autogenerated

shipperizer commented 6 months ago

sorted with https://github.com/canonical/identity-platform-admin-ui/wiki/OpenFGA-setup