From 0bc0972b0bd06a1dfc741939898fe8bee4cce4fb Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Thu, 1 Jun 2023 13:50:32 +0200
Subject: [PATCH] add admin service account
Signed-off-by: jkoberg
---
 services/settings/README.md | 6 +++++-
 services/settings/pkg/config/config.go | 2 ++
 .../settings/pkg/config/defaults/defaultconfig.go | 5 +++--
 services/settings/pkg/store/defaults/defaults.go | 12 ++++++++++++
 4 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/services/settings/README.md b/services/settings/README.md
index 7a8008c917..256cf4b290 100644
--- a/services/settings/README.md
+++ b/services/settings/README.md
@@ -8,7 +8,7 @@ The settings service is currently used for managing the:
 * possible user roles and their respective permissions,
 * assignment of roles to users.
-As an example, user profile settings that can be changed in the Web UI must be persistent.
+As an example, user profile settings that can be changed in the Web UI must be persistent.
 The settings service supports two different backends for persisting the data. The backend can be set via the `SETTINGS_STORE_TYPE` environment variable. Supported values are:
@@ -67,3 +67,7 @@ Infinite Scale services can register *settings bundles* with the settings servic
 ## Settings Usage
 Services can set or query ocis *setting values* of a user from settings bundles.
+
+## Service Accounts
+
+The settings service needs to know the ID's of service accounts but it doesn't need their secrets. Currently only one service account can be configured which has the admin role. This can be set with the `SETTINGS_SERVICE_ACCOUNT_ID_ADMIN` envvar, but it will also pick up the global `OCIS_SERVICE_ACCOUNT_ID` envvar. Also see the 'auth-service' service description for additional details.
diff --git a/services/settings/pkg/config/config.go b/services/settings/pkg/config/config.go
index e606b18656..2ca13dff15 100644
--- a/services/settings/pkg/config/config.go
+++ b/services/settings/pkg/config/config.go
@@ -37,6 +37,8 @@ type Config struct {
 SetupDefaultAssignments bool `yaml:"set_default_assignments" env:"SETTINGS_SETUP_DEFAULT_ASSIGNMENTS;IDM_CREATE_DEMO_USERS" desc:"The default role assignments the demo users should be setup."`
+ ServiceAccountIDAdmin string `yaml:"service_account_id_admin" env:"OCIS_SERVICE_ACCOUNT_ID;SETTINGS_SERVICE_ACCOUNT_ID_ADMIN" desc:"The ID of the service account having the admin role. See the 'auth-service' service description for more details."`
+
 Context context.Context `yaml:"-"`
 }
diff --git a/services/settings/pkg/config/defaults/defaultconfig.go b/services/settings/pkg/config/defaults/defaultconfig.go
index 64866ae3f8..8bd1126fe8 100644
--- a/services/settings/pkg/config/defaults/defaultconfig.go
+++ b/services/settings/pkg/config/defaults/defaultconfig.go
@@ -64,8 +64,9 @@ func DefaultConfig() *config.Config {
 TTL: time.Minute * 10,
 },
 },
- BundlesPath: "",
- Bundles: nil,
+ BundlesPath: "",
+ Bundles: nil,
+ ServiceAccountIDAdmin: "service-user-id",
 }
 }
diff --git a/services/settings/pkg/store/defaults/defaults.go b/services/settings/pkg/store/defaults/defaults.go
index f3de773942..96ca44acfd 100644
--- a/services/settings/pkg/store/defaults/defaults.go
+++ b/services/settings/pkg/store/defaults/defaults.go
@@ -822,6 +822,11 @@ func DefaultRoleAssignments(cfg *config.Config) []*settingsmsg.UserRoleAssignmen
 AccountUuid: "534bb038-6f9d-4093-946f-133be61fa4e7",
 RoleId: BundleUUIDRoleSpaceAdmin,
 },
+ {
+ // service user
+ AccountUuid: "service-user-id",
+ RoleId: BundleUUIDRoleAdmin,
+ },
 }
 }
@@ -833,5 +838,12 @@ func DefaultRoleAssignments(cfg *config.Config) []*settingsmsg.UserRoleAssignmen
 })
 }
+ if cfg.ServiceAccountIDAdmin != "" {
+ assignments = append(assignments, &settingsmsg.UserRoleAssignment{
+ AccountUuid: cfg.ServiceAccountIDAdmin,
+ RoleId: BundleUUIDRoleAdmin,
+ })
+ }
+
 return assignments
 }
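Review bot: The new default `ServiceAccountIDAdmin: "service-user-id"` in `DefaultConfig` grants the admin role to a fixed, source-visible identifier on every deployment that sets neither `OCIS_SERVICE_ACCOUNT_ID` nor `SETTINGS_SERVICE_ACCOUNT_ID_ADMIN`, because `DefaultRoleAssignments` in `services/settings/pkg/store/defaults/defaults.go` appends an admin assignment for whatever non-empty value the field holds. A predictable admin principal ID is a weaker position than requiring operators to choose one; consider an empty default, `ServiceAccountIDAdmin: "",`, so the assignment is created only when explicitly configured (the `!= ""` guard in defaults.go already supports that), or at least a comment beside the value such as `// placeholder admin service-account ID; deployments are expected to set OCIS_SERVICE_ACCOUNT_ID`. Whether other services depend on this exact default value is not visible from the hunk.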
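Review bot: The literal `{AccountUuid: "service-user-id", RoleId: BundleUUIDRoleAdmin}` entry added to the static assignment list in `DefaultRoleAssignments` duplicates what the `cfg.ServiceAccountIDAdmin` block in the second hunk of this file already produces, and unlike that block it cannot be changed or disabled through configuration: an operator who sets `SETTINGS_SERVICE_ACCOUNT_ID_ADMIN` to their own ID still leaves `service-user-id` holding the admin role, and with the shipped default the same ID is assigned admin twice. I would drop the five literal lines and rely solely on the config-driven append, so the set of admin principals is exactly what the configuration states. Whether the static list is gated by `SetupDefaultAssignments` is not visible here, since `DefaultRoleAssignments` starts outside the hunk.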