HubSpot/Singularity

Impersonation for Admin role

yuriy-filatov opened this issue · 2 comments

Hey @ssalinas!
I've got a feature request -- probably this is something you can help me with.
Currently we're using a non-auth setup of a Singularity cluster in our infrastructure.
The pipeline is as follows:
A user makes a commit to GH -> Jenkins picks up the changes + author, builds and pushes the deployment into Singularity -> the deploy is available in the UI. At this point any deploy has the appropriate 'Deploy user', as we're pushing it via curl with something like:
```
# Non-auth setup: the deploy user is taken from the ?user= query parameter.
# The URL is quoted so the shell does not treat "?" as a glob character.
curl -X POST "http://singularity_host:7082/singularity/api/deploys?user=my_nice_username" \
  -H "Content-Type: application/json" \
  -d '{
    "deploy": {
      "command": "echo $HOSTNAME",
      "containerInfo": { "type": "MESOS" },
      "env": {
        "DEPLOY_APP": "my_nice_app",
        "DEPLOY_ENV": "some_env",
        "DEPLOY_OWNER": "my_nice_username@company.email"
      },
      "executorData": { "user": "meh" },
      "executorType": "custom",
      "id": "some_id",
      "requestId": "my_nice_app",
      "resources": { "cpus": "1", "diskMb": "512", "memoryMb": "512", "ports": "0" },
      "shell": "true",
      "user": "meh",
      "version": "meh"
    }
  }'
```
In this case 'Deploy user'=my_nice_username (and yeah, we don't have any auth in this example, we're just enforcing a proper username in the UI for tracing purposes/sanity reasons).

If we enable auth in Singularity and allow deploys only from Jenkins (or any single robouser with admin access) -- all deploys will get the username from the base64 hash, ignoring ?user=my_nice_username.
Is it possible to add some sort of impersonation for the Admin role? So Admin will be able to deploy anything (expected) and Singularity won't ignore ?user=my_nice_username?

Hmm, yeah, we don't have any sort of concept of 'acting on behalf of a user' in the system. TBH I'm not sure when we'd have a chance to work on a PR for this. PRs are always welcome. Or, as a workaround, there are message fields in each of the request updates and deploy APIs. The deploy one isn't exposed in the UI (unless you hit the JSON button) but that would be a very easy addition to make and still allows some amount of visual/tracing if you were to put the username there.
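The workaround from the reply above, as an added example (not code from the Singularity project or from either commenter): the robot account authenticates, and the commit author is carried in the deploy's message field after being checked against an allow-list, since it is an unauthenticated claim taken from the commit. Assumptions: `message` is a top-level key beside `deploy`, the robot account uses HTTP Basic auth, and the function names, message wording and credentials are hypothetical.

```python
import base64
import json
import re

# Assumption: conservative allow-list for traced usernames; adapt to local naming rules.
USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")
# Hypothetical fixed wording so the originating user can be parsed back out later.
MESSAGE_PREFIX = "Deployed by Jenkins on behalf of "


def build_deploy_call(base_url, robot_user, robot_password, on_behalf_of, deploy):
    """Return (url, headers, body) for a deploy POST made by the robot account.

    With auth enabled, the authenticated identity is the robot; the commit
    author is recorded only as informational text in the message field.
    """
    # The author string originates from a commit, so validate before embedding it.
    if not USER_RE.fullmatch(on_behalf_of):
        raise ValueError("refusing to record unexpected username: %r" % on_behalf_of)
    payload = {
        "deploy": deploy,
        # Assumption: the deploy API's message field sits next to "deploy".
        "message": MESSAGE_PREFIX + on_behalf_of,
    }
    token = base64.b64encode(f"{robot_user}:{robot_password}".encode()).decode()
    headers = {
        "Content-Type": "application/json",
        # Assumption: Basic auth; substitute whatever scheme the cluster uses.
        "Authorization": "Basic " + token,
    }
    # json.dumps handles escaping, so no value can break out of the JSON body.
    return base_url.rstrip("/") + "/deploys", headers, json.dumps(payload)


def extract_on_behalf_of(message):
    """Recover the originating user from a deploy message, or None if absent."""
    if not message or not message.startswith(MESSAGE_PREFIX):
        return None
    user = message[len(MESSAGE_PREFIX):]
    return user if USER_RE.fullmatch(user) else None


if __name__ == "__main__":
    # Constructed sample values, mirroring the names used in the issue.
    url, headers, body = build_deploy_call(
        "http://singularity_host:7082/singularity/api", "jenkins", "example-password",
        "my_nice_username", {"id": "some_id", "requestId": "my_nice_app"})
    print(url, body, sep="\n")
```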

That might do the trick, thank you.
We'll look into this internally.