Skip to main content
Version: 1.10.0

Authorization

Since version 0.8.0 Epinio is shipped with an authorization layer recognizing two basic roles: admin and user. A user with the admin role will have access to every resource, while a standard user will have access only to the resources created on its namespaces. When a user creates a namespace, it will have automatically permission for it.

By default, after the installation two users are available: admin and epinio, both with the password password. The operator can control the creation of those users through the api.users key in values.yaml. In a production setup, the default api.users value needs to be overridden.

Switch user​

To switch users you need to set the user and pass keys of the Epinio settings file, located at ~/.config/epinio/settings.yaml. The password has to be base64 encoded. Below, cGFzc3dvcmQ= is the base64 encoded version of password.

You can also login again with the epinio login [URL] command.

api: https://epinio.mydomain.com
appchart: ""
certs: |
-----BEGIN CERTIFICATE-----
MIICUTCCAfigAwIBAgIQXJq3y/ouo90Db7BWy34gbDAKBggqhkjOPQQDAjAUMRIw
****************************************************************
****************************************************************
****************************************************************
qCPZOyTsHKnjmj7zxg57+Kq2KLFT
-----END CERTIFICATE-----
colors: true
namespace: workspace
pass: cGFzc3dvcmQ=
user: epinio
wss: wss://epinio.mydomain.com

List the Epinio users​

An Epinio user is a BasicAuth Kubernetes Secret, with two reserved labels:

  • epinio.io/api-user-credentials
  • epinio.io/role used to get the assigned role
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
labels:
epinio.io/api-user-credentials: "true"
epinio.io/role: "admin"
name: my-epinio-user
namespace: epinio
stringData:
username: myuser
# password is hashed with the Bcrypt algorithm
password: "$2a$10$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS" # value is 'password'

To list the available users you can get the secrets from your cluster with kubectl, filtering them with the proper labels:

# list all the users
kubectl get secrets -n epinio -l 'epinio.io/api-user-credentials'
NAME TYPE DATA AGE
default-epinio-user BasicAuth 3 5m10s
admin-epinio-user BasicAuth 2 5m10s
# list all the admins
kubectl get secrets -n epinio -l 'epinio.io/api-user-credentials,epinio.io/role=admin'
NAME TYPE DATA AGE
admin-epinio-user BasicAuth 2 5m24s

Add a new user​

Since a user is simply a Kubernetes Secret you can create a new user with a kubectl apply:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
labels:
epinio.io/api-user-credentials: "true"
epinio.io/role: "user"
name: my-epinio-user
namespace: epinio
stringData:
username: myuser
password: "\$2a\$10\$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS"
EOF

Assign namespaces​

The authorized user's namespaces are an additional namespaces field in the Secret data, separated by a newline \n.
To modify them edit just that field:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
labels:
epinio.io/api-user-credentials: "true"
epinio.io/role: "user"
name: my-epinio-user
namespace: epinio
stringData:
username: myuser
password: "\$2a\$10\$6bCi5NMstMK781In7JGiL.B44pgoplUb330FQvm6mVXMppbXBPiXS"
namespaces: |
workspace
workspace2
EOF