Authentication
Spinless uses a JWT sent as a Bearer token in the Authorization header to authorize access to the API.
Example:
curl --request POST \
--url $base_url/helm/deploy \
--header 'authorization: Bearer eyJhbhahahaGciOithatistokenJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlF' \
--header 'content-type: application/json' \
--data '{"one" : "two"}'
Claims in Spinless serve two different purposes.
Claims generally have this format:
"read:$api" / "admin:$api"
Read claims usually have no effect on system state (reading cluster info, listing namespaces). On the other hand, all API endpoints that change the state of the system (any resource, or the contents of a resource such as a helm chart) require "admin" access.
All resources that are created or modified by Spinless have an owner. The owner of a resource is represented by the notion of an "account" in Spinless.
In order to manipulate any resource, the client is usually required to hold the special claim:
"account:$account_name"
For example, "account:develop" or "account:staging". Read more about accounts on the Resources wiki page.
Spinless uses Auth0 for user management, so tokens are issued by Auth0 and validated against the Auth0 endpoint.
curl --request POST \
--url $base_url/token \
--header 'content-type: application/json' \
--data '{
"username": "[email protected]",
"password": "password"
}'
Sample response:
{
"access_token": "jwt_token",
"expires_in": 12345,
"token_type": "Bearer"
}
... somewhere in JWT token ...
"permissions": [
"account:develop",
"account:staging",
"admin:clusters",
"admin:helm",
"read:clusters",
"read:helm"
]
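The following is an added illustration (not Spinless's own code) of how the "read:$api" / "admin:$api" / "account:$account_name" claims described above can be enforced once a token has been signature-verified against Auth0. It assumes the verified payload's "permissions" list is passed in; the Request type and its field names are hypothetical.

```python
"""Claim-based authorization check for Spinless-style permission strings.

Assumes the JWT has already been signature-verified against Auth0 (e.g. via
the tenant's JWKS) and only evaluates the verified payload's 'permissions'
claim. Added illustration; the Request type is a hypothetical stand-in for
the routing layer's view of an incoming call.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Request:
    api: str                      # API group, e.g. "helm" or "clusters"
    mutating: bool                # True for endpoints that change system state
    account: Optional[str] = None # owner account of the touched resource, if any


def required_claims(req: Request) -> Set[str]:
    """Claims a caller must hold for this request.

    State-changing endpoints need "admin:<api>"; read-only endpoints need
    "read:<api>". Touching an owned resource additionally needs
    "account:<owner>". Admin is NOT treated as implying read, matching the
    sample token on the page, which carries both claims explicitly.
    """
    needed = {f"admin:{req.api}" if req.mutating else f"read:{req.api}"}
    if req.account is not None:
        needed.add(f"account:{req.account}")
    return needed


def is_authorized(permissions: List[str], req: Request) -> bool:
    """Deny by default: every required claim must be present verbatim."""
    return required_claims(req) <= set(permissions)


# Constructed sample mirroring the 'permissions' block shown on the page.
SAMPLE_PERMISSIONS = [
    "account:develop", "account:staging",
    "admin:clusters", "admin:helm",
    "read:clusters", "read:helm",
]

if __name__ == "__main__":
    print(is_authorized(SAMPLE_PERMISSIONS, Request("helm", True, "develop")))     # True
    print(is_authorized(SAMPLE_PERMISSIONS, Request("helm", True, "production")))  # False
```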