Add authentication and authorization mechanism

CHANGELOG.md

@@ -35,6 +35,7 @@ NOTE: As semantic versioning states all 0.y.z releases can contain breaking chan
 - [#161](https://github.com/kobsio/kobs/pull/161): Add support for materialized columns, to improve query performance for most frequently queried field.
 - [#162](https://github.com/kobsio/kobs/pull/162): Add support to visualize logs in the ClickHouse plugin.
 - [#170](https://github.com/kobsio/kobs/pull/170): Add Custom Resource Definition for Users.
+- [#171](https://github.com/kobsio/kobs/pull/171): :warning: _Breaking change:_ :warning: Add authentication and authorization mechanism for plugins and resources. These settings are configured via the `--api.auth.<SETTING>` flags. Permissions are always granted on a team level. A users gets all permissions of the team where he is a member of.
 
 ### Fixed
 

deploy/helm/kobs/Chart.yaml

@@ -4,5 +4,5 @@ description: Kubernetes Observability Platform
 type: application
 home: https://kobs.io
 icon: https://kobs.io/assets/images/logo.svg
-version: 0.7.0
+version: 0.7.1
 appVersion: v0.5.0

deploy/helm/kobs/crds/kobs.io_teams.yaml

@@ -147,6 +147,37 @@ spec:
                 type: string
               namespace:
                 type: string
+              permissions:
+                properties:
+                  plugins:
+                    items:
+                      type: string
+                    type: array
+                  resources:
+                    items:
+                      properties:
+                        clusters:
+                          items:
+                            type: string
+                          type: array
+                        namespaces:
+                          items:
+                            type: string
+                          type: array
+                        resources:
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - clusters
+                      - namespaces
+                      - resources
+                      type: object
+                    type: array
+                required:
+                - plugins
+                - resources
+                type: object
             type: object
         type: object
     served: true

deploy/kustomize/crds/kobs.io_teams.yaml

@@ -147,6 +147,37 @@ spec:
                 type: string
               namespace:
                 type: string
+              permissions:
+                properties:
+                  plugins:
+                    items:
+                      type: string
+                    type: array
+                  resources:
+                    items:
+                      properties:
+                        clusters:
+                          items:
+                            type: string
+                          type: array
+                        namespaces:
+                          items:
+                            type: string
+                          type: array
+                        resources:
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - clusters
+                      - namespaces
+                      - resources
+                      type: object
+                    type: array
+                required:
+                - plugins
+                - resources
+                type: object
             type: object
         type: object
     served: true

docs/configuration/getting-started.md

@@ -9,7 +9,10 @@ The following command-line arguments and environment variables are available.
 | Command-line Argument | Environment Variable | Description | Default |
 | --------------------- | -------------------- | ----------- | ------- |
 | `--api.address` | `KOBS_API_ADDRESS` | The address, where the API server is listen on. | `:15220` |
-| `--api.auth-header` | `KOBS_API_AUTH_HEADER` | The header, which contains the details about the authenticated user. More information can be found in the [Authentication](authentication.md) section. | `X-Auth-Request-Email` |
+| `--api.auth.default-team` | `KOBS_API_AUTH_DEFAULT_TEAM` | The name of the team, which should be used for a users permissions when a user hasn't any teams. The team is specified in the following format: `cluster,namespace,name` | |
+| `--api.auth.enabled` | | Enable the authentication and authorization middleware. | `false` |
+| `--api.auth.header` | `KOBS_API_AUTH_HEADER` | The header, which contains the details about the authenticated user. More information can be found in the [Authentication](authentication.md) section. | `X-Auth-Request-Email` |
+| `--api.auth.interval` | `KOBS_API_AUTH_INTERVAL` | The interval to refresh the internal users list and there permissions. | `1h0m0s` |
 | `--app.address` | `KOBS_APP_ADDRESS` | The address, where the Application server is listen on. | `:15219` |
 | `--app.assets` | `KOBS_APP_ASSETS` | The location of the assets directory. | `app/build` |
 | `--clusters.cache-duration.namespaces` | `KOBS_CLUSTERS_CACHE_DURATION_NAMESPACES` | The duration, for how long requests to get the list of namespaces should be cached. | `5m` |

docs/resources/teams.md

@@ -12,17 +12,33 @@ In the following you can found the specification for the Team CRD.
 
 | Field | Type | Description | Required |
 | ----- | ---- | ----------- | -------- |
-| description | string | A description for the team. | Yes |
-| logo | string | The logo for the team. Must be a path to an image file. | Yes |
+| description | string | A description for the team. | No |
+| logo | string | The logo for the team. Must be a path to an image file. | No |
 | links | [[]Link](#link) | A list of links (e.g. a link to the teams Slack channel, Confluence page, etc.) | No |
+| permissions | [Permissions](#permissions) | Permissions for the members of this team, when authentication and authorization is enabled. | No |
 | dashboards | [[]Dashboard](#dashboard) | No |
 
 ### Link
 
 | Field | Type | Description | Required |
 | ----- | ---- | ----------- | -------- |
-| title | string | Title for the link | Yes |
-| link | string | The actuall link | Yes |
+| title | string | Title for the link. | Yes |
+| link | string | The actuall link. | Yes |
+
+### Permissions
+
+| Field | Type | Description | Required |
+| ----- | ---- | ----------- | -------- |
+| plugins | []string | A list of plugins, which can be accessed by the members of the team. The special list entry `*` allows access to all plugins. | Yes |
+| resources | [[]PermissionResources](#permissionresources) | A list of resources, which can be accessed by the members of the team. | Yes |
+
+### PermissionResources
+
+| Field | Type | Description | Required |
+| ----- | ---- | ----------- | -------- |
+| clusters | []string | A list of clusters to allow access to. The special list entry `*` allows access to all clusters. | Yes |
+| namespaces | []string | A list of namespaces to allow access to. The special list entry `*` allows access to all namespaces. | Yes |
+| resources | []string | A list of resources to allow access to. The special list entry `*` allows access to all resources. | Yes |
 
 ### Dashboard
 
@@ -77,3 +93,25 @@ spec:
         namespace: bookinfo
         pod: ".*"
 ```
+
+The following Team CR allows all members of `team-diablo` access to all plugins and resources, when authentication and authorization is enabled.
+
+```yaml
+---
+apiVersion: kobs.io/v1beta1
+kind: Team
+metadata:
+  name: team-diablo
+  namespace: kobs
+spec:
+  permissions:
+    plugins:
+      - "*"
+    resources:
+      - clusters:
+          - "*"
+        namespaces:
+          - "*"
+        resources:
+          - "*"
+```

docs/resources/users.md

@@ -12,7 +12,7 @@ In the following you can found the specification for the User CRD.
 
 | Field | Type | Description | Required |
 | ----- | ---- | ----------- | -------- |
-| id | string | A unique id for the user. The id must be unique across all clusters and namespace. | Yes |
+| id | string | A unique id for the user. The id must be unique across all clusters and namespace. If authentication and authorization is enabled this should be the value passed in the configured user details header (`--api.auth.header`). | Yes |
 | fullName | string | The full name of the user. | Yes |
 | email | string | The email address of the user. | Yes |
 | position | string | The position of the user. | No |

pkg/api/api.go

@@ -92,10 +92,11 @@ func New(loadedClusters *clusters.Clusters, pluginsRouter chi.Router, isDevelopm
 		r.Use(middleware.Recoverer)
 		r.Use(middleware.URLFormat)
 		r.Use(metrics.Metrics)
-		r.Use(auth.Auth)
+		r.Use(auth.Handler(loadedClusters))
 		r.Use(httplog.NewStructuredLogger(log.Logger))
 		r.Use(render.SetContentType(render.ContentTypeJSON))
 
+		r.Get("/user", auth.UserHandler)
 		r.Mount("/clusters", clusters.NewRouter(loadedClusters))
 		r.Mount("/plugins", pluginsRouter)
 	})

pkg/api/apis/team/v1beta1/types.go

@@ -34,6 +34,7 @@ type TeamSpec struct {
 	Description string                `json:"description,omitempty"`
 	Links       []Link                `json:"links,omitempty"`
 	Logo        string                `json:"logo,omitempty"`
+	Permissions Permissions           `json:"permissions,omitempty"`
 	Dashboards  []dashboard.Reference `json:"dashboards,omitempty"`
 }
 
@@ -48,3 +49,14 @@ type Reference struct {
 	Name        string `json:"name"`
 	Description string `json:"description,omitempty"`
 }
+
+type Permissions struct {
+	Plugins   []string               `json:"plugins"`
+	Resources []PermissionsResources `json:"resources"`
+}
+
+type PermissionsResources struct {
+	Clusters   []string `json:"clusters"`
+	Namespaces []string `json:"namespaces"`
+	Resources  []string `json:"resources"`
+}