Skip to main content
Version: 0.8.0

Authorization

Since version 0.8.0 Epinio is shipped with an authorization layer recognizing two basic roles: admin and user. A user with the admin role will have access to every resource, while a standard user will have access only to the resources created on its namespaces. When a user creates a namespace, it will have automatically permission for it.

After the installation two users are available: admin and epinio, both with the password password.

Switch user​

To switch users you need to set the user and pass keys of the Epinio settings file, located at ~/.config/epinio/settings.yaml

api: https://epinio.mydomain.com
appchart: ""
certs: |
  -----BEGIN CERTIFICATE-----
  MIICUTCCAfigAwIBAgIQXJq3y/ouo90Db7BWy34gbDAKBggqhkjOPQQDAjAUMRIw
  ****************************************************************
  ****************************************************************
  ****************************************************************
  qCPZOyTsHKnjmj7zxg57+Kq2KLFT
  -----END CERTIFICATE-----
colors: true
namespace: workspace
pass: password
user: epinio
wss: wss://epinio.mydomain.com

List the Epinio users​

An Epinio user is a BasicAuth Kubernetes Secret, with two reserved labels:

  • epinio.suse.org/api-user-credentials
  • epinio.suse.org/role used to get the assigned role
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
  labels:
    epinio.suse.org/api-user-credentials: "true"
    epinio.suse.org/role: "admin"
  name: my-epinio-user
  namespace: epinio
stringData:
  username: myuser
  password: mypassword

To list the available users you can get the secrets from your cluster with kubectl, filtering them with the proper labels:

# list all the users
kubectl get secrets -n epinio -l 'epinio.suse.org/api-user-credentials'
NAME                  TYPE        DATA   AGE
default-epinio-user   BasicAuth   3      5m10s
admin-epinio-user     BasicAuth   2      5m10s
# list all the admins
kubectl get secrets -n epinio -l 'epinio.suse.org/api-user-credentials,epinio.suse.org/role=admin'
NAME                TYPE        DATA   AGE
admin-epinio-user   BasicAuth   2      5m24s

Add a new user​

Since a user is simply a Kubernetes Secret you can create a new user with a kubectl apply:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
  labels:
    epinio.suse.org/api-user-credentials: "true"
    epinio.suse.org/role: "user"
  name: my-epinio-user
  namespace: epinio
stringData:
  username: myuser
  password: mypassword
EOF

Assign namespaces​

The authorized user's namespaces are an additional namespaces field in the Secret data, separated by a newline \n.
To modify them edit just that field:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
  labels:
    epinio.suse.org/api-user-credentials: "true"
    epinio.suse.org/role: "user"
  name: my-epinio-user
  namespace: epinio
stringData:
  username: myuser
  password: mypassword
  namespaces: |
    workspace
    workspace2
EOF