orange-cloudfoundry / osb-cmdb

A configuration management db for Open Service Broker API broker implementations
Apache License 2.0

Dynamic dashboard permission provisioning #98

Open gberche-orange opened 3 years ago

gberche-orange commented 3 years ago

Expected behavior

As a service broker author

Alternatives for such a unified API

The following diagram illustrates option i): ![image](https://user-images.githubusercontent.com/4748380/109810901-72b70600-7c2a-11eb-87d6-b2fb7b285eb2.png)

With:

* 10: OIDC user_info flow to get the corporate id (CUID in Orange). Calls the OIDC endpoint provided by the platform in `X-Api-Info-Location`. See https://github.com/orange-cloudfoundry/osb-cmdb#dashboard-authn-and-authz-support-wip for full details.
* 12: CF and K8S specific endpoints to fetch user authZ for a service instance. See https://github.com/orange-cloudfoundry/osb-cmdb#dashboard-authz-using-cf-service-instance-permission for full details.
For reference, the following diagram illustrates option ii) : ![image](https://user-images.githubusercontent.com/4748380/108889811-142bcf80-760d-11eb-9d80-e227ba28db77.png)

Observed behavior

Osb-cmdb does not yet support this use-case.

Affected release

Reproduced on version x.y

redorff commented 3 years ago

Notes about the schema here above:

gberche-orange commented 3 years ago

Following the OSB API, step [5] returns a "dashboard_url". What does CMDB do with it? cmdb stores it and redirects the user to it in step [15].

Steps [17] and [18] show self-calling arrows... what is technically implied there? This is authenticating and authorizing users with the service provider IAM (which was configured with dashboard permissions in step [13]).

I've updated the issue to favor service bindings

Thanks @redorff for the offline feedback you and your team gave me and the further design elements we discussed together.

gberche-orange commented 3 years ago

Refined the README.md doc related to the K8S API used in sequence diagram interaction 12 in https://github.com/orange-cloudfoundry/osb-cmdb/commit/b118357759ed16b7c8b7e9f40dfb0f255cc6f9bd

The SubjectAccessReview API call would require a service account with a role binding granting create permission for the subjectaccessreviews resource.

While admin accounts typically have this role granted, a service account with only this role would instead be provisioned for osb-cmdb in each K8S client platform.

K8S java clients support the SubjectAccessReview endpoints:
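As an added illustration of the least-privilege setup described in the comment above (example manifests, not osb-cmdb's own code): a dedicated service account whose only cluster-wide permission is to create SubjectAccessReview objects, followed by the review that interaction 12 would submit for a dashboard user. The namespace, service account name, user identity, and the Service Catalog API group/resource used for the service instance are assumptions.

```yaml
# Added example (not osb-cmdb's own manifests). Namespace, names and the
# service-instance API group are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: osb-cmdb
  namespace: osb-cmdb
---
# Least-privilege role: only the single verb the SubjectAccessReview call needs,
# instead of an admin account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: osb-cmdb-sar-creator
rules:
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
# SubjectAccessReview is cluster-scoped, so the binding must be a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: osb-cmdb-sar-creator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: osb-cmdb-sar-creator
subjects:
  - kind: ServiceAccount
    name: osb-cmdb
    namespace: osb-cmdb
---
# The review osb-cmdb would submit for interaction 12: "may this dashboard
# user read this service instance?" The API server answers in status.allowed.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: "alice@example.com"   # identity obtained from the OIDC user_info flow (step 10); constructed value
  resourceAttributes:
    group: servicecatalog.k8s.io   # assumed: Service Catalog ServiceInstance API group
    resource: serviceinstances
    verb: get
    namespace: team-a              # constructed sample values
    name: my-db-instance
```

Submitting the last document with `kubectl create -f sar.yaml -o yaml` (as the osb-cmdb service account) returns the object with `status.allowed` set; a `true` there is what would gate the dashboard redirect in step [15].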