jwt-claims.md

JWT Claims used in the fleet-manager

Below is the list of JWT claims used in the fleet-manager.

Default

  • email - email address of the entity for which a token was issued

  • exp - expiry timestamp of the token (for ocm short-lived tokens it is 15 minutes counted from the time the token was issued, i.e. from iat)

  • first_name - first name of the entity for which the token was issued

  • iat - timestamp of issuing of the token

  • iss - issuer of the token (e.g. https://sso.redhat.com/auth/realms/redhat-external)

  • last_name - last name of the entity for which the token was issued

  • preferred_username - preferred username of the entity for which the token was issued. Available in the decoded ocm short-lived token

  • typ - type of token, e.g. Bearer

  • realm_access

    • roles - list of realm access roles of the entity for which the token was issued (there may be different types of roles, e.g. ocm-specific roles or elevated admin permissions), e.g.
      • offline_access - indicates whether offline access to ocm is granted
      • admin:org:all - admin permissions within the ocm organisation

Dinosaur admin endpoint roles

  • realm_access
    • roles
      • fleet-manager-admin-read - has permissions to list all dinosaur clusters across all ocm organisations
      • fleet-manager-admin-write - has permissions to list and update all dinosaur clusters across all ocm organisations
      • fleet-manager-admin-full - has permissions to list, update and delete all dinosaur clusters across all ocm organisations

SSO

  • account_id - account id of the entity for which a token was issued. Assigned to dinosaur clusters (only displayed by presenter, when invoking private admin endpoint)

  • is_org_admin - if set to true, the user holding this claim has elevated privileges compared to users with the claim set to false, e.g. they can update and delete dinosaurs not owned by them within the same organisation (i.e. with the same org_id value)

  • org_id - organisation ID of the entity for which a token was issued. When a dinosaur cluster is created, its organisation_id field is populated with the org_id from the short-lived ocm token. Dinosaur requests are filtered by organisation ID (when org_id is present in the JWT claims). If the user is an organisation admin (is_org_admin: true), dinosaur clusters within the same organisation can be deleted or updated by this user even if they are not the owner of those clusters
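As an added illustration (not code from the fleet-manager project), the Go snippet below encodes the decision rules stated in the admin endpoint roles section and the SSO claims above: owner or same-organisation admin for ordinary users, and the fleet-manager-admin-* roles for cross-organisation access. The helper names (ParseClaims, CanUpdate, CanDelete) and the decoded payload are assumptions constructed for this example; signature, exp and iss verification is assumed to happen before these checks.

```go
package main

import "encoding/json"

// Claims is the subset of fleet-manager JWT claims listed in this document.
type Claims struct {
	Username    string `json:"username"`
	OrgID       string `json:"org_id"`
	IsOrgAdmin  bool   `json:"is_org_admin"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

// SamplePayload is a constructed, already-decoded JWT payload (not a real token).
var SamplePayload = []byte(`{"username":"alice","org_id":"111","is_org_admin":true,` +
	`"realm_access":{"roles":["offline_access"]}}`)

// ParseClaims decodes a payload whose signature, exp and iss were already verified (not shown here).
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	err := json.Unmarshal(payload, &c)
	return c, err
}

// HasRole reports whether realm_access.roles contains role.
func (c Claims) HasRole(role string) bool {
	for _, r := range c.RealmAccess.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// ownerOrOrgAdmin matches the caller against a cluster's owner (set from username) and organisation_id (set from org_id); empty claims never match.
func ownerOrOrgAdmin(c Claims, owner, orgID string) bool {
	return (c.Username != "" && c.Username == owner) || (c.IsOrgAdmin && c.OrgID != "" && c.OrgID == orgID)
}

// CanUpdate: admin-write or admin-full act across all organisations; admin-read does not.
func CanUpdate(c Claims, owner, orgID string) bool {
	return c.HasRole("fleet-manager-admin-write") || c.HasRole("fleet-manager-admin-full") || ownerOrOrgAdmin(c, owner, orgID)
}

// CanDelete: only admin-full may delete across organisations.
func CanDelete(c Claims, owner, orgID string) bool {
	return c.HasRole("fleet-manager-admin-full") || ownerOrOrgAdmin(c, owner, orgID)
}
```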

SSO

NOTE: this section contains references to Red Hat internal components

Token generated by srvc-acct, see example:

  • rh-org-id - Red Hat organisation id for given service account

  • rh-user-id - user id in service account.

  • username - username of the entity for which the token was issued. Obtained from the short-lived ocm token used in the HTTP request. The dinosaur request's owner value is assigned from this username claim.

claim:

  • fleetshard-operator-cluster-id - used by the authenticated context to call data plane endpoints

Role:

  • fleetshard_operator