Version: 1.1.0

Authorization

Since version 0.8.0 Epinio ships with an authorization layer that recognizes two basic roles: admin and user. A user with the admin role has access to every resource, while a standard user has access only to the resources in the namespaces assigned to them. When a user creates a namespace, they are automatically granted permission for it.

By default, after the installation two users are available: admin and epinio, both with the password password. The operator controls the creation of those users through the api.users key in values.yaml. In a production setup the default api.users value must be overridden: until it is, anyone who can reach the Epinio API can authenticate as admin with a publicly documented password.

Switch user

To switch users, set the user and pass keys of the Epinio settings file, located at ~/.config/epinio/settings.yaml. The password has to be base64 encoded. Below, cGFzc3dvcmQ= is the base64 encoded version of password. Note that base64 is an encoding, not encryption: the settings file holds a reusable credential in the clear, so keep its permissions restricted to your own account (for example mode 0600).

You can also log in again with the epinio login [URL] command, which writes these keys for you.

api: https://epinio.mydomain.com
appchart: ""
certs: |
  -----BEGIN CERTIFICATE-----
  MIICUTCCAfigAwIBAgIQXJq3y/ouo90Db7BWy34gbDAKBggqhkjOPQQDAjAUMRIw
  ****************************************************************
  ****************************************************************
  ****************************************************************
  qCPZOyTsHKnjmj7zxg57+Kq2KLFT
  -----END CERTIFICATE-----
colors: true
namespace: workspace
pass: cGFzc3dvcmQ=
user: epinio
wss: wss://epinio.mydomain.com

List the Epinio users

An Epinio user is a BasicAuth Kubernetes Secret in the epinio namespace, with two reserved labels:

  • epinio.io/api-user-credentials, which marks the Secret as an Epinio user
  • epinio.io/role, which holds the assigned role (admin or user)

apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
  labels:
    epinio.io/api-user-credentials: "true"
    epinio.io/role: "admin"
  name: my-epinio-user
  namespace: epinio
stringData:
  username: myuser
  # the password is stored as a bcrypt hash, never in plaintext
  password: "$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS" # hash of the string 'password'

To list the available users, get the Secrets from your cluster with kubectl, filtering them with the proper labels:

# list all the users
kubectl get secrets -n epinio -l 'epinio.io/api-user-credentials'
NAME                  TYPE        DATA   AGE
default-epinio-user   BasicAuth   3      5m10s
admin-epinio-user     BasicAuth   2      5m10s

# list all the admins
kubectl get secrets -n epinio -l 'epinio.io/api-user-credentials,epinio.io/role=admin'
NAME                  TYPE        DATA   AGE
admin-epinio-user     BasicAuth   2      5m24s
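The kubectl listing above only shows Secret names. Because the data fields are base64 encoded, a review of who can log in and with which role takes a little decoding. The following script is an added example, not part of Epinio: it consumes the JSON that kubectl prints for the labelled Secrets (kubectl get secrets -n epinio -l epinio.io/api-user-credentials -o json), decodes the data fields and reports one line per user plus a few findings. The sample input is constructed here to mirror the two default accounts, and the review rules (default account names taken from this page, admin role, non-bcrypt password field) are my own choices.

```python
"""Audit Epinio users from the JSON kubectl prints for the labelled Secrets.

Added example, not Epinio's own code. Run with --live to query the cluster
through kubectl; without it the constructed SAMPLE below is used.
"""
import base64
import json
import subprocess
import sys

USER_LABEL = "epinio.io/api-user-credentials"
ROLE_LABEL = "epinio.io/role"
# Accounts the chart creates by default (both with the password "password").
DEFAULT_USERNAMES = {"admin", "epinio"}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample: roughly what kubectl returns after a fresh install.
# Secret `data` is base64-encoded, unlike `stringData` in a manifest.
SAMPLE = {
    "items": [
        {
            "metadata": {"name": "default-epinio-user",
                         "labels": {USER_LABEL: "true", ROLE_LABEL: "user"}},
            "data": {
                "username": _b64("epinio"),
                "password": _b64("$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS"),
                "namespaces": _b64("workspace\n"),
            },
        },
        {
            "metadata": {"name": "admin-epinio-user",
                         "labels": {USER_LABEL: "true", ROLE_LABEL: "admin"}},
            "data": {
                "username": _b64("admin"),
                "password": _b64("$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS"),
            },
        },
    ]
}


def decode_user(secret: dict) -> dict:
    """Flatten one Secret into a record; the namespaces field is newline-separated."""
    data = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    labels = secret.get("metadata", {}).get("labels", {})
    return {
        "secret": secret["metadata"]["name"],
        "username": data.get("username", ""),
        "role": labels.get(ROLE_LABEL, ""),
        "namespaces": [ns for ns in data.get("namespaces", "").split("\n") if ns],
        # bcrypt strings start with "$2a$", "$2b$" or "$2y$".
        "bcrypt": data.get("password", "").startswith("$2"),
    }


def audit(secret_list: dict) -> list[dict]:
    """One record per Secret carrying the user label, like the -l selector on this page."""
    return [
        decode_user(item)
        for item in secret_list.get("items", [])
        if USER_LABEL in item.get("metadata", {}).get("labels", {})
    ]


def findings(users: list[dict]) -> list[str]:
    """Review findings; the rules are this example's own, not Epinio's."""
    out = []
    for u in users:
        if u["username"] in DEFAULT_USERNAMES:
            out.append(f"{u['secret']}: default account '{u['username']}' still present; rotate or remove it")
        if u["role"] == "admin":
            out.append(f"{u['secret']}: '{u['username']}' is an admin (access to every resource)")
        elif u["role"] != "user":
            out.append(f"{u['secret']}: unknown role '{u['role']}'")
        if not u["bcrypt"]:
            out.append(f"{u['secret']}: password field is not a bcrypt hash")
    return out


def load_live(namespace: str = "epinio") -> dict:
    """Fetch the real list (needs kubectl and read access to Secrets in the namespace)."""
    raw = subprocess.run(
        ["kubectl", "get", "secrets", "-n", namespace, "-l", USER_LABEL, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(raw)


if __name__ == "__main__":
    users = audit(load_live() if "--live" in sys.argv else SAMPLE)
    for u in users:
        print(f"{u['username']:<12} {u['role']:<6} {','.join(u['namespaces']) or '-'}")
    for f in findings(users):
        print("!", f)
```

Reading Secrets in the epinio namespace is itself a privileged operation: whoever can run this script can also read the password hashes, so run it from an account that already has that access rather than widening RBAC for it.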

Add a new user

Since a user is simply a Kubernetes Secret, you can create a new user with a kubectl apply. The password field must contain a bcrypt hash, not the plaintext password; the hash below is the one shown earlier on this page and corresponds to the string password, so generate your own hash for any real account:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
  labels:
    epinio.io/api-user-credentials: "true"
    epinio.io/role: "user"
  name: my-epinio-user
  namespace: epinio
stringData:
  username: myuser
  password: "$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS"
EOF

Assign namespaces

The namespaces a user is authorized for are stored in an additional namespaces field of the Secret, one namespace per line (separated by a newline, \n). To change them, re-apply the Secret with that field updated:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
  labels:
    epinio.io/api-user-credentials: "true"
    epinio.io/role: "user"
  name: my-epinio-user
  namespace: epinio
stringData:
  username: myuser
  password: "$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS"
  namespaces: |
    workspace
    workspace2
EOF
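Both the "Add a new user" and "Assign namespaces" steps above are the same operation: write a Secret with the two labels, a bcrypt password hash and an optional newline-separated namespaces field. The script below is an added example, not Epinio's own tooling. It builds that Secret as JSON (which kubectl apply -f - accepts just like YAML), rejects obviously wrong input before anything reaches the cluster, and can apply it. The bcrypt hash is produced outside Python: bcrypt_hash_with_htpasswd() shells out to htpasswd from apache2-utils, which is an assumption about the workstation, not a requirement of Epinio. The role names, label keys and the example hash come from this page; the validation rules are mine.

```python
"""Build, check and optionally apply an Epinio user Secret.

Added example, not Epinio's own code. Namespaces are joined with "\n" into the
`namespaces` field, exactly as the YAML block on this page does.
"""
import json
import re
import subprocess

USER_LABEL = "epinio.io/api-user-credentials"
ROLE_LABEL = "epinio.io/role"
ROLES = {"admin", "user"}  # the two roles Epinio recognizes
# bcrypt: "$2a$"/"$2b$"/"$2y$", two-digit cost, then 22 salt + 31 hash characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Kubernetes namespace names are DNS-1123 labels (lowercase, digits, '-', max 63).
NAMESPACE_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
# The hash shown on this page: bcrypt of the string "password". Do not reuse it.
PAGE_EXAMPLE_HASH = "$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS"


def bcrypt_hash_with_htpasswd(password: str, cost: int = 10) -> str:
    """`htpasswd -nbBC <cost> '' <password>` prints ':<hash>'; return just the hash."""
    out = subprocess.run(
        ["htpasswd", "-nbBC", str(cost), "", password],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.strip().lstrip(":")


def validation_errors(username: str, bcrypt_hash: str, role: str, namespaces) -> list[str]:
    """Return the problems found; an empty list means the input is acceptable."""
    errors = []
    if not username:
        errors.append("username must not be empty")
    if not BCRYPT_RE.match(bcrypt_hash):
        errors.append("password must be a bcrypt hash, not a plaintext password")
    if role not in ROLES:
        errors.append(f"role must be one of {sorted(ROLES)}, got {role!r}")
    for ns in namespaces:
        if not NAMESPACE_RE.match(ns):
            errors.append(f"invalid namespace name {ns!r}")
    return errors


def user_secret(name, username, bcrypt_hash, role="user", namespaces=(), secret_namespace="epinio"):
    """Manifest for one Epinio user; `namespaces` becomes the newline-separated field."""
    errors = validation_errors(username, bcrypt_hash, role, namespaces)
    if errors:
        raise ValueError("; ".join(errors))
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "BasicAuth",
        "metadata": {
            "name": name,
            "namespace": secret_namespace,
            "labels": {USER_LABEL: "true", ROLE_LABEL: role},
        },
        # stringData is plain text; the API server stores it base64-encoded in `data`.
        "stringData": {"username": username, "password": bcrypt_hash},
    }
    if namespaces:
        manifest["stringData"]["namespaces"] = "\n".join(namespaces)
    return manifest


def apply(manifest: dict) -> None:
    """Equivalent of the `cat <<EOF | kubectl apply -f -` used on this page."""
    subprocess.run(["kubectl", "apply", "-f", "-"],
                   input=json.dumps(manifest), check=True, text=True)


if __name__ == "__main__":
    # Same user as on this page. For a real account replace PAGE_EXAMPLE_HASH with
    # bcrypt_hash_with_htpasswd("<new password>") and then call apply(manifest).
    manifest = user_secret("my-epinio-user", "myuser", PAGE_EXAMPLE_HASH,
                           namespaces=["workspace", "workspace2"])
    print(json.dumps(manifest, indent=2))
```

Re-applying the full manifest, as the page does, is the safe way to change namespaces: the namespaces field lives inside the same Secret as the credentials, so editing it in place with kubectl edit also works, but a script that always writes the whole object cannot leave a stale role label or password behind.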