Allow multiple users and open read-only APIs to non-admins #600
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Remove Unlock call in handleScaleDown that was called before any lock was acquired - Change defer Unlock to immediate Unlock in consolidateRunnerState loop to avoid holding locks until function exit
- Add OIDC configuration to config.go with validation - Add OIDC provider integration with state management and token exchange - Add OIDC login/callback/status API endpoints - Update NewUserParams with IsSSOUser flag for SSO users without passwords - Consolidate CreateOIDCUser into CreateUser with IsSSOUser check - Add OIDC login button to webapp login page - Add OIDC tests and documentation
…endpoints - Remove restriction that prevented creating multiple admin users - Update AdminRequiredMiddleware to only require admin for POST/PUT/DELETE - GET/OPTIONS/HEAD requests now work for all authenticated users
…ers to view resources
This was referenced Feb 9, 2026
Member
|
Hi @benoit-nexthop, Thank you for having a look into enabling multi user support. This seems like a big change, which opens up a lot of API endpoints. While the very long term goal is to make GARM multi user capable, we need to do it in a way that allows true separation between user resources. These changes seem to allow users to be created, but I don't see changes made to the models that enables real multi user support for all resources. Would you mind opening a discussion and detailing what you would like to accomplish, a user story, a use case, etc. Changes of these scale should be discussed first, especially if they involve broad architectural changes to GARM itself. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR enables multi-user support in GARM by allowing multiple admin users and relaxing admin requirements for read-only operations. This is particularly useful when combined with OIDC authentication, allowing SSO users to view resources without requiring admin privileges.
Changes
Allow multiple admin users
Relax admin requirement for read-only endpoints
AdminRequiredMiddlewareto only require admin for POST/PUT/DELETEIsAdminchecks from read-only operations in runner packageAdd user management
/api/v1/usersendpoint to list all usersRationale
Currently GARM only supports a single admin user, which makes it difficult to:
This change maintains security by still requiring admin privileges for any mutating operations.
Testing
Tested with OIDC authentication in staging and production environments.
This PR is part of a stack of changes: