
feat: Advanced authorization
Signed-off-by: Anatolii Bazko <[email protected]>
tolusha committed Nov 28, 2023
1 parent 14eed75 commit 66d0d19
Showing 17 changed files with 388 additions and 46 deletions.
22 changes: 22 additions & 0 deletions api/v2/checluster_types.go
Expand Up @@ -524,6 +524,28 @@ type Auth struct {
// +optional
// +kubebuilder:default:={configLabels: {app: che, component: che-gateway-config}}
Gateway Gateway `json:"gateway,omitempty"`
// Advance authorization settings. Determines which users and groups are allowed to access Che.
// User is allowed to access Che if he/she is either in the `allowedUsers` or is member of one of group from `allowedGroups`
// and not in neither the `disabledUsers` nor is member of one of group from `disabledGroups`.
// If `allowedUsers` and `allowedGroups` are empty, then all users are allowed to access Che by default.
// if `disabledUsers` and `disabledGroups` are empty, then no users are disallowed to access Che by default.
// +optional
AdvancedAuthorization *AdvancedAuthorization `json:"advancedAuthorization,omitempty"`
}

type AdvancedAuthorization struct {
// List of users allowed to access Che.
// +optional
AllowedUsers []string `json:"allowedUsers,omitempty"`
// List of groups allowed to access Che.
// +optional
AllowedGroups []string `json:"allowedGroups,omitempty"`
// List of users disabled to access Che.
// +optional
DisabledUsers []string `json:"disabledUsers,omitempty"`
// List of groups disabled to access Che.
// +optional
DisabledGroups []string `json:"disabledGroups,omitempty"`
}

// Gateway settings.
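Review bot: The doc comment on the new `AdvancedAuthorization` field should state plainly that the defaults fail open: an empty `allowedUsers`/`allowedGroups` admits every authenticated user, and a misspelled entry in `disabledUsers`/`disabledGroups` silently blocks nobody, because the schema constrains entries to bare strings with no pattern, uniqueness or minimum-length rule. The comment also needs wording fixes: `Advance authorization settings` → `Advanced authorization settings`, and the garbled clause `and not in neither the disabledUsers nor is member of one of group from disabledGroups` → `and is listed in neither disabledUsers nor any group from disabledGroups; a deny entry always wins over an allow entry`. Whether user and group names are matched exactly and case-sensitively, and where group membership is resolved from, is not visible in this change (the accompanying RBAC rule reads `groups.user.openshift.io`, which suggests OpenShift Group objects), so the comment should say so that admins on non-OpenShift Kubernetes know whether the group lists are enforced at all. The enclosing `Auth` struct starts before this hunk.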
40 changes: 40 additions & 0 deletions api/v2/zz_generated.deepcopy.go


Expand Up @@ -77,7 +77,7 @@ metadata:
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
repository: https://github.com/eclipse-che/che-operator
support: Eclipse Foundation
name: eclipse-che.v7.78.0-817.next
name: eclipse-che.v7.78.0-819.next
namespace: placeholder
spec:
apiservicedefinitions: {}
Expand Down Expand Up @@ -527,6 +527,12 @@ spec:
verbs:
- list
- delete
- apiGroups:
- user.openshift.io
resources:
- groups
verbs:
- get
- apiGroups:
- user.openshift.io
resources:
Expand Down Expand Up @@ -1234,7 +1240,7 @@ spec:
minKubeVersion: 1.19.0
provider:
name: Eclipse Foundation
version: 7.78.0-817.next
version: 7.78.0-819.next
webhookdefinitions:
- admissionReviewVersions:
- v1
33 changes: 33 additions & 0 deletions bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml
Expand Up @@ -7917,6 +7917,39 @@ spec:
component: che-gateway-config
description: Authentication settings.
properties:
advancedAuthorization:
description: Advance authorization settings. Determines
which users and groups are allowed to access Che. User
is allowed to access Che if he/she is either in the `allowedUsers`
or is member of one of group from `allowedGroups` and
not in neither the `disabledUsers` nor is member of one
of group from `disabledGroups`. If `allowedUsers` and
`allowedGroups` are empty, then all users are allowed
to access Che by default. if `disabledUsers` and `disabledGroups`
are empty, then no users are disallowed to access Che
by default.
properties:
allowedGroups:
description: List of groups allowed to access Che.
items:
type: string
type: array
allowedUsers:
description: List of users allowed to access Che.
items:
type: string
type: array
disabledGroups:
description: List of groups disabled to access Che.
items:
type: string
type: array
disabledUsers:
description: List of users disabled to access Che.
items:
type: string
type: array
type: object
gateway:
default:
configLabels:
32 changes: 32 additions & 0 deletions config/crd/bases/org.eclipse.che_checlusters.yaml
Expand Up @@ -7709,6 +7709,38 @@ spec:
component: che-gateway-config
description: Authentication settings.
properties:
advancedAuthorization:
description: Advance authorization settings. Determines which
users and groups are allowed to access Che. User is allowed
to access Che if he/she is either in the `allowedUsers`
or is member of one of group from `allowedGroups` and not
in neither the `disabledUsers` nor is member of one of group
from `disabledGroups`. If `allowedUsers` and `allowedGroups`
are empty, then all users are allowed to access Che by default.
if `disabledUsers` and `disabledGroups` are empty, then
no users are disallowed to access Che by default.
properties:
allowedGroups:
description: List of groups allowed to access Che.
items:
type: string
type: array
allowedUsers:
description: List of users allowed to access Che.
items:
type: string
type: array
disabledGroups:
description: List of groups disabled to access Che.
items:
type: string
type: array
disabledUsers:
description: List of users disabled to access Che.
items:
type: string
type: array
type: object
gateway:
default:
configLabels:
6 changes: 6 additions & 0 deletions config/rbac/cluster_role.yaml
Expand Up @@ -64,6 +64,12 @@ rules:
verbs:
- list
- delete
- apiGroups:
- user.openshift.io
resources:
- groups
verbs:
- get
- apiGroups:
- user.openshift.io
resources:
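Review bot: The added rule grants the operator's ClusterRole `get` on `groups.user.openshift.io` with nothing tying it to the feature that needs it; if this file is hand-maintained, a comment such as `# resolve membership of groups named in advancedAuthorization` above the `- apiGroups:` entry keeps a future RBAC audit from dropping or widening it. `get` without `list`/`watch` is the right minimum if the operator only reads groups by name, but it is still a cluster-wide read of group membership, which is sensitive data, so any later extension to `list` should carry a stated reason. The same rule is copied into the bundle CSV and the deploy manifests in this commit, so this is the one place the justification needs to live.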
38 changes: 38 additions & 0 deletions deploy/deployment/kubernetes/combined.yaml
Expand Up @@ -7728,6 +7728,38 @@ spec:
component: che-gateway-config
description: Authentication settings.
properties:
advancedAuthorization:
description: Advance authorization settings. Determines which
users and groups are allowed to access Che. User is allowed
to access Che if he/she is either in the `allowedUsers`
or is member of one of group from `allowedGroups` and not
in neither the `disabledUsers` nor is member of one of group
from `disabledGroups`. If `allowedUsers` and `allowedGroups`
are empty, then all users are allowed to access Che by default.
if `disabledUsers` and `disabledGroups` are empty, then
no users are disallowed to access Che by default.
properties:
allowedGroups:
description: List of groups allowed to access Che.
items:
type: string
type: array
allowedUsers:
description: List of users allowed to access Che.
items:
type: string
type: array
disabledGroups:
description: List of groups disabled to access Che.
items:
type: string
type: array
disabledUsers:
description: List of users disabled to access Che.
items:
type: string
type: array
type: object
gateway:
default:
configLabels:
Expand Down Expand Up @@ -8432,6 +8464,12 @@ rules:
verbs:
- list
- delete
- apiGroups:
- user.openshift.io
resources:
- groups
verbs:
- get
- apiGroups:
- user.openshift.io
resources:
Expand Up @@ -64,6 +64,12 @@ rules:
verbs:
- list
- delete
- apiGroups:
- user.openshift.io
resources:
- groups
verbs:
- get
- apiGroups:
- user.openshift.io
resources:
Expand Up @@ -7723,6 +7723,38 @@ spec:
component: che-gateway-config
description: Authentication settings.
properties:
advancedAuthorization:
description: Advance authorization settings. Determines which
users and groups are allowed to access Che. User is allowed
to access Che if he/she is either in the `allowedUsers`
or is member of one of group from `allowedGroups` and not
in neither the `disabledUsers` nor is member of one of group
from `disabledGroups`. If `allowedUsers` and `allowedGroups`
are empty, then all users are allowed to access Che by default.
if `disabledUsers` and `disabledGroups` are empty, then
no users are disallowed to access Che by default.
properties:
allowedGroups:
description: List of groups allowed to access Che.
items:
type: string
type: array
allowedUsers:
description: List of users allowed to access Che.
items:
type: string
type: array
disabledGroups:
description: List of groups disabled to access Che.
items:
type: string
type: array
disabledUsers:
description: List of users disabled to access Che.
items:
type: string
type: array
type: object
gateway:
default:
configLabels:
38 changes: 38 additions & 0 deletions deploy/deployment/openshift/combined.yaml
Expand Up @@ -7728,6 +7728,38 @@ spec:
component: che-gateway-config
description: Authentication settings.
properties:
advancedAuthorization:
description: Advance authorization settings. Determines which
users and groups are allowed to access Che. User is allowed
to access Che if he/she is either in the `allowedUsers`
or is member of one of group from `allowedGroups` and not
in neither the `disabledUsers` nor is member of one of group
from `disabledGroups`. If `allowedUsers` and `allowedGroups`
are empty, then all users are allowed to access Che by default.
if `disabledUsers` and `disabledGroups` are empty, then
no users are disallowed to access Che by default.
properties:
allowedGroups:
description: List of groups allowed to access Che.
items:
type: string
type: array
allowedUsers:
description: List of users allowed to access Che.
items:
type: string
type: array
disabledGroups:
description: List of groups disabled to access Che.
items:
type: string
type: array
disabledUsers:
description: List of users disabled to access Che.
items:
type: string
type: array
type: object
gateway:
default:
configLabels:
Expand Down Expand Up @@ -8432,6 +8464,12 @@ rules:
verbs:
- list
- delete
- apiGroups:
- user.openshift.io
resources:
- groups
verbs:
- get
- apiGroups:
- user.openshift.io
resources:
Expand Up @@ -64,6 +64,12 @@ rules:
verbs:
- list
- delete
- apiGroups:
- user.openshift.io
resources:
- groups
verbs:
- get
- apiGroups:
- user.openshift.io
resources:
