Closed kcbabo closed 1 year ago
Related to https://github.com/solo-io/gloo/issues/7055
As an example, here's what the `aud` and `iss` claims look like in my local environment:

```json
{
  "aud": [
    "https://kubernetes.default.svc.cluster.local"
  ],
  "iss": "https://kubernetes.default.svc.cluster.local"
}
```
Looks like this is done as https://github.com/solo-io/dev-portal/pull/2511 has merged
## Background

The Admin Portal UI is currently accessed through port-forwarding the `gloo-portal-admin-server` service without authentication or authorization for users in the UI. This issue covers the ability to enable authentication of users in the Portal Admin UI and to perform authorization checks to restrict which Portal resources a user can view/modify through the UI.

## Authentication

The Portal Admin UI should support configuring OIDC as an authentication option for accessing the Portal. When enabled, a login page should be presented in the Portal Admin UI along with a logout function in the menu bar. The IdP used in this OIDC configuration must be the same IdP used in the underlying Kubernetes cluster, which means any user logging in through the Portal Admin UI must be a valid user in the underlying Kubernetes environment. This will require:

- `aud` and `iss` claims for all tokens granted to Portal Admin UI users
- the `api-audiences` flag in the kube-apiserver to match the values in the claims above

The following resources provide additional information:

- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
- https://kubernetes.io/docs/reference/access-authn-authz/authorization/

## Authorization

Authorization in the Portal Admin UI is driven by Kubernetes RBAC. User access to Portal resources is implemented by defining Roles and RoleBindings in the Kubernetes cluster. The Portal Admin UI defaults to the Gloo Portal controller namespace (e.g. `gloo-portal`) for creating resources, so Role and RoleBinding definitions should be defined for the same namespace. The Role definitions should only provide access to Portal resources that a user can view/modify through the UI.

## UI Mapping

This section details the behavior of UI pages based on associated Role configuration.
| Page | Verb | Resource | Used for |
| --- | --- | --- | --- |
| Top Nav Menu | `list` | `portal.gloo.solo.io.Portal` | |
| Top Nav Menu | `list` | `portal.gloo.solo.io.Environment` or `portal.gloo.solo.io.APIProduct` or `portal.gloo.solo.io.APIDoc` | |
| Top Nav Menu | `list` | `portal.gloo.solo.io.User` or `portal.gloo.solo.io.Group` | |
| Top Nav Menu | `list` | `portal.gloo.solo.io.Portal` or `portal.gloo.solo.io.Environment` | |
| Dashboard (`/`) | `list` | `portal.gloo.solo.io.Portal` | |
| Dashboard (`/`) | `list` | `portal.gloo.solo.io.Environment` or `portal.gloo.solo.io.APIProduct` or `portal.gloo.solo.io.APIDoc` | |
| Dashboard (`/`) | `list` | `portal.gloo.solo.io.User` or `portal.gloo.solo.io.Group` | |
| Portals (`/portals`) | `get` | `portal.gloo.solo.io.Portal` | show individual Portal cards |
| Portals (`/portals`) | `get` | `portal.gloo.solo.io.Portal` | show individual Portal details |
| Portals (`/portals`) | `update` | `portal.gloo.solo.io.Portal` | edit Portal details |
| Portals (`/portals`) | `delete` | `portal.gloo.solo.io.Portal` | delete Portal |
| Portals (`/portals`) | `create` | `portal.gloo.solo.io.Portal` | create Portal |
| APIs (`/apis`) | `get` | `portal.gloo.solo.io.Environment` | show individual Environment cards |
| APIs (`/apis`) | `update` | `portal.gloo.solo.io.Environment` | edit individual Environment details |
| APIs (`/apis`) | `delete` | `portal.gloo.solo.io.Environment` | delete Environment |
| APIs (`/apis`) | `create` | `portal.gloo.solo.io.Environment` | create Environment |
| APIs (`/apis`) | `get` | `portal.gloo.solo.io.APIProduct` | show individual API Product cards |
| APIs (`/apis`) | `update` | `portal.gloo.solo.io.APIProduct` | edit individual APIProduct details |
| APIs (`/apis`) | `delete` | `portal.gloo.solo.io.APIProduct` | delete APIProduct |
| APIs (`/apis`) | `create` | `portal.gloo.solo.io.APIProduct` | create APIProduct |
| APIs (`/apis`) | `get` | `portal.gloo.solo.io.APIDoc` | show individual API Docs cards |
| APIs (`/apis`) | `update` | `portal.gloo.solo.io.APIDoc` | edit individual APIDoc details |
| APIs (`/apis`) | `delete` | `portal.gloo.solo.io.APIDoc` | delete APIDoc |
| APIs (`/apis`) | `create` | `portal.gloo.solo.io.APIDoc` | create APIDoc |
| APIs (`/apis`) | `get` | `portal.gloo.solo.io.Route` | show individual Route cards |
| APIs (`/apis`) | `update` | `portal.gloo.solo.io.Route` | edit individual Route details |
| APIs (`/apis`) | `delete` | `portal.gloo.solo.io.Route` | delete Route |
| APIs (`/apis`) | `get` | `Secret` | show individual API Key cards |
| APIs (`/apis`) | `delete` | `Secret` | delete APIProduct |
| Access Control (`/access-control`) | `get` | `portal.gloo.solo.io.User` | show individual User cards |
| Access Control (`/access-control`) | `update` | `portal.gloo.solo.io.User` | edit individual User details |
| Access Control (`/access-control`) | `delete` | `portal.gloo.solo.io.User` | delete User |
| Access Control (`/access-control`) | `create` | `portal.gloo.solo.io.User` | create User |
| Access Control (`/access-control`) | `get` | `portal.gloo.solo.io.Group` | show individual Group cards |
| Access Control (`/access-control`) | `update` | `portal.gloo.solo.io.Group` | edit individual Group details |
| Access Control (`/access-control`) | `delete` | `portal.gloo.solo.io.Group` | delete Group |
| Access Control (`/access-control`) | `create` | `portal.gloo.solo.io.Group` | create Group |
| Gloo Config (`/gloo-configuration`) | `get` | `portal.gloo.solo.io.Environment` | show VS corresponding to Environments |
| Gloo Config (`/gloo-configuration`) | `get` | `portal.gloo.solo.io.Portal` | show VS corresponding to Portals |