Open lekhajee opened 10 years ago
lekhajee
commented
9 years ago This is required for MAAS to integrate with mimic as well . bump!
MAAS requires an endpoint in Mimic control plane to set roles for a user. On authenticating such a user the roles set should be returned and implemented.
lekhajee
commented
9 years ago Reach needs this as well. bump!
BenjamenMeyer
commented
8 years ago Cloud Backup needs this, kind of - in that different users may have different permissions so being able to test the different variations would be a good thing.
BenjamenMeyer
commented
8 years ago I finally got the point of being able to try to run Cloud Backup API against Mimic and am running into some roles issues via Repose. Going to debug, and may have some additional PRs on top of my Identity PRs to satisfy. I'm hoping I can get away with just admin roles and something minor is missing that way, though I do know that we support RBAC so some tests may require having users that have limited credentials.
@glyph Roles are broken down into primarily 4 groups: No Access, Observer (View Only), Creator (View, Create, Edit), and Admin (View, Create, Edit, Delete); also operator and service-admin. RBAC can be global (as Mimic now supports) or service specific (f.e object-store:admin).
I'm going to try to figure out why the identity:user-admin role now present isn't working. That should solve most things; we might need to at least do <service>:service-admin on the service accounts.
I'm not familiar enough with RBAC to enumerate all the things that would need to be done to actually "support" this. It seems like a first step would be some way to tell mimic when you authenticate that you are authenticating as a user who isn't an account administrator, otherwise any access control checks might as well not be happening.