With the recent change in Lagoon to move project membership of groups
from Keycloak group annotations into the Lagoon API DB, the
ssh-portal-api can no longer rely on group annotations embedded in user
tokens to extract project-group membership.
Since v0.35.0, ssh-portal-api gets the project membership information
from the Lagoon API DB. But that is stored as group IDs, not group
names. So to map group IDs back to group names the ssh-portal-api now
queries Keycloak for a list of groups (IDs and names).
This new permission allows the service-api client used by ssh-portal-api
to query the Keycloak groups API.
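The ID-to-name mapping described above, as an added example that is not code from this PR, ssh-portal or Lagoon. The function names are hypothetical, the JSON listing is constructed, and the nested `subGroups` shape and the choice to reject unknown IDs are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// group holds the fields used here; nested "subGroups" is an assumption.
type group struct {
	ID        string  `json:"id"`
	Name      string  `json:"name"`
	SubGroups []group `json:"subGroups"`
}
// Constructed sample listing, not taken from a real realm.
const sampleGroups = `[{"id":"a1","name":"project-alpha","subGroups":[
  {"id":"a2","name":"project-alpha-maintainer","subGroups":[]}]},
  {"id":"b1","name":"customer-b","subGroups":[]}]`
// flatten walks the group tree and records every ID -> name pair.
func flatten(gs []group, names map[string]string) {
	for _, g := range gs {
		names[g.ID] = g.Name
		flatten(g.SubGroups, names)
	}
}
// GroupNamesByID (hypothetical) decodes a listing into an ID -> name map.
func GroupNamesByID(raw []byte) (map[string]string, error) {
	var top []group
	if err := json.Unmarshal(raw, &top); err != nil {
		return nil, fmt.Errorf("decode groups: %w", err)
	}
	names := map[string]string{}
	flatten(top, names)
	return names, nil
}
// ResolveGroupNames (hypothetical) maps DB group IDs to names; an unknown ID is an error.
func ResolveGroupNames(ids []string, names map[string]string) ([]string, error) {
	out := make([]string, 0, len(ids))
	for _, id := range ids {
		name, ok := names[id]
		if !ok {
			return nil, fmt.Errorf("group ID %q not in Keycloak listing", id)
		}
		out = append(out, name)
	}
	return out, nil
}

func main() {
	names, _ := GroupNamesByID([]byte(sampleGroups))
	fmt.Println(ResolveGroupNames([]string{"a2", "b1"}, names))
}
```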
Does this get automatically applied on upgrade? Or do we need to add instructions to the release notes to manually update the permissions for the service account in Keycloak?