Sync Cryptomator Hub CLI client user to Hub #239

Merged (4 commits) on Nov 9, 2023

Member

@SailReal SailReal commented Nov 8, 2023

For Cryptomator Hub CLI to work, we need to have the user account of the client available in Hub.

If the Cryptomator Hub CLI is used, you need to

  1. create a client with client id cryptomatorhub-cli and set Service accounts roles
  2. add the view-clients role to the syncer realm role

@SailReal SailReal added this to the 1.3.0 milestone Nov 8, 2023
Member

@overheadhunter overheadhunter left a comment

Works as intended, but shouldn't we also create this client via the dev realm json?

Maybe we can even set a fixed uuid for the service account user for easier testing.

@overheadhunter
Member

We should then also update the realm-json generator (it wouldn't hurt in older Hub versions either)

@SailReal
Member Author

SailReal commented Nov 9, 2023

> but shouldn't we also create this client via the dev realm json?

Totally agree, but should we also set a fixed secret in the dev realm so that we can reuse our CLI calls and not have to look up the secret like with the admin password? Something like "secret": "top-secret"

> We should then also update the realm-json generator (it wouldn't hurt in older Hub versions either)

But IMO the default shouldn't be touched because I assume 99.9% won't use the CLI tool and for the others we could introduce a checkbox that if checked will add those changes to the realm-json.

@SailReal SailReal merged commit d35611b into develop Nov 9, 2023
5 checks passed
@SailReal SailReal deleted the feature/sync-hub-cli-client-user branch November 9, 2023 11:25
@overheadhunter
Member

> > but shouldn't we also create this client via the dev realm json?
>
> Totally agree, but should we also set a fixed secret in the dev realm so that we can reuse our CLI calls and not have to look up the secret like with the admin password? Something like "secret": "top-secret"

Agree

> > We should then also update the realm-json generator (it wouldn't hurt in older Hub versions either)
>
> But IMO the default shouldn't be touched because I assume 99.9% won't use the CLI tool and for the others we could introduce a checkbox that if checked will add those changes to the realm-json.

Disagree 😉

Without a fixed secret of course, then the client is there if needed but won't hurt. Maybe it can be added and be disabled?

@SailReal
Member Author

SailReal commented Nov 9, 2023

> > > We should then also update the realm-json generator (it wouldn't hurt in older Hub versions either)
> >
> > But IMO the default shouldn't be touched because I assume 99.9% won't use the CLI tool and for the others we could introduce a checkbox that if checked will add those changes to the realm-json.
>
> Disagree 😉
>
> Without a fixed secret of course, then the client is there if needed but won't hurt. Maybe it can be added and be disabled?

A deactivated client would not do any harm, that is correct, but in order for the syncer to have access to the clients, its permissions must be extended (view-clients) and I would want to avoid that. If we do not set the permission, support gets too complicated IMO, you then have the following states:

  1. Old instances where client is not set and syncer has no view-clients permission
  2. New instances that have disabled client with or without view-clients permission
  3. New instances that have enabled client with view-clients permission
  4. New instances that have enabled client without view-clients permission

I'll test this, but it would be cool to offer a partial realm import where the client is created and the syncer gets more permissions if a user wants to use Cryptomator Hub CLI. Existing clients could then use this as well. See if it works.
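The four states listed in the comment above can be told apart by inspecting a realm export. This is an added example, not part of the PR or the Hub code base; it assumes the standard Keycloak realm export layout (`clients[]`, `roles.realm[].composites.client`) and that `view-clients` is a client role of Keycloak's built-in `realm-management` client.

```python
import json

CLI_CLIENT_ID = "cryptomatorhub-cli"  # client id named in the PR description
SYNCER_ROLE = "syncer"                # realm role named in the PR description
# Assumption: view-clients is a client role of the built-in realm-management client.
ROLE_OWNER = "realm-management"


def classify(realm: dict) -> str:
    """Map a realm export onto the four support states from the comment above."""
    client = next((c for c in realm.get("clients", [])
                   if c.get("clientId") == CLI_CLIENT_ID), None)
    syncer = next((r for r in realm.get("roles", {}).get("realm", [])
                   if r.get("name") == SYNCER_ROLE), {})
    composites = syncer.get("composites", {}).get("client", {})
    can_view = "view-clients" in composites.get(ROLE_OWNER, [])

    if client is None:
        return ("1: no client, no view-clients" if not can_view
                else "unlisted: no client, but syncer has view-clients")
    # Assumption: a client without an explicit "enabled" field counts as enabled.
    if not client.get("enabled", True):
        return "2: client disabled, view-clients " + ("set" if can_view else "not set")
    return ("3: client enabled, view-clients set" if can_view
            else "4: client enabled, view-clients not set")


# Constructed sample: a minimal realm export fragment, not taken from the Hub repository.
SAMPLE = json.loads("""
{
  "clients": [{"clientId": "cryptomatorhub-cli", "enabled": true, "serviceAccountsEnabled": true}],
  "roles": {"realm": [{"name": "syncer", "composite": true,
            "composites": {"client": {"realm-management": ["view-users"]}}}]}
}
""")

if __name__ == "__main__":
    print(classify(SAMPLE))
```
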

@overheadhunter
Member

Ok let's leave it as is, adding the client manually if needed (maybe add an article to the docs).

Nevertheless I guess we should eventually replace the syncer user with a system client, which has further permissions, allowing stuff like managing certain Keycloak entities directly via Hub's UI.

2 participants