Closed willie68 closed 2 years ago
implemented.
The blob storage system defines a small set of roles for the different parts of the blob storage service. Roles can only be used with JWT authentication and role mapping activated. You can deactivate role checking by leaving the roleClaim property empty.
| Role name | What a user with this role can do |
|---|---|
| object-reader | Can only read data from their own tenant, search, and list objects. |
| object-creator | Can create new blobs, and only this. No view or list permissions are granted. |
| object-admin | Can view, create and delete objects, and can set/modify object properties such as metadata and retention. |
| tenant-admin | Can manage the tenant properties (not implemented at the moment) and run check and restore for the whole storage. |
| admin | Can manage the service itself, e.g. adding/deleting tenants. With this role alone you can neither write nor read objects of any tenant. |
Example with full role mapping:

```yaml
auth:
  type: jwt
  properties:
    validate: true
    strict: true
    tenantClaim: Tenant
    roleClaim: Roles
    rolemapping:
      object-reader: Reader
      object-creator: Writer
      object-admin: ObAdmin
      tenant-admin: TnAdmin
      admin: Admin
```
Endpoint authorisation uses a JWT token with parameterized role validation: you set the claim key under which the list of the user's roles is found, and you can map the service roles to the role names carried in the JWT. In this storage the roles can be admin, writer, reader.
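The following is an added example (not the project's own code) of how the role claim and role mapping described above can be applied to already-verified JWT claims. It assumes the claims have been parsed into a map after signature validation; the `RoleConfig` type, its field names and the `HasServiceRole` function are illustrative. The rule that a service role without a mapping entry is looked up under its own name in the JWT is an assumption of this example, not something the issue states.

```go
package main

import (
	"fmt"
	"strings"
)

// RoleConfig mirrors the auth.properties block from the issue: the claim
// holding the user's roles and the mapping from service role to JWT role.
// Field names are illustrative, not the project's configuration struct.
type RoleConfig struct {
	RoleClaim   string            // e.g. "Roles"; empty disables role checking
	RoleMapping map[string]string // service role -> role name expected in the JWT
}

// rolesFromClaims reads the configured claim from already-verified JWT
// claims. The claim may be a JSON array of strings or a single
// space-separated string; anything else yields no roles.
func rolesFromClaims(cfg RoleConfig, claims map[string]interface{}) []string {
	raw, ok := claims[cfg.RoleClaim]
	if !ok {
		return nil
	}
	switch v := raw.(type) {
	case string:
		return strings.Fields(v)
	case []string:
		return v
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, e := range v {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// HasServiceRole reports whether the token grants the given service role
// (e.g. "object-reader"). With an empty RoleClaim role checking is
// disabled and every caller passes, as the issue describes. A service role
// without a mapping entry is assumed to carry the same name in the JWT.
func HasServiceRole(cfg RoleConfig, claims map[string]interface{}, serviceRole string) bool {
	if cfg.RoleClaim == "" {
		return true
	}
	want := serviceRole
	if mapped, ok := cfg.RoleMapping[serviceRole]; ok {
		want = mapped
	}
	for _, r := range rolesFromClaims(cfg, claims) {
		if r == want {
			return true
		}
	}
	return false
}

func main() {
	cfg := RoleConfig{
		RoleClaim: "Roles",
		RoleMapping: map[string]string{
			"object-reader":  "Reader",
			"object-creator": "Writer",
			"object-admin":   "ObAdmin",
			"tenant-admin":   "TnAdmin",
			"admin":          "Admin",
		},
	}
	// Constructed claims, as they would look after signature validation.
	claims := map[string]interface{}{
		"sub":    "alice",
		"Tenant": "acme",
		"Roles":  []interface{}{"Reader", "Writer"},
	}
	for _, role := range []string{"object-reader", "object-creator", "object-admin", "admin"} {
		fmt.Printf("%-15s granted: %v\n", role, HasServiceRole(cfg, claims, role))
	}
}
```

The check is deliberately separate from token validation: `validate`/`strict` decide whether the token is accepted at all, while the role lookup above only decides what an accepted token may do, so an empty `roleClaim` switches off authorization without weakening authentication.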