Types
Octelium currently has 2 types of Users:
HUMANUsers which are used by humans.HUMANUsers usually authenticate themselves via the web portal of the Auth Server using identity provider IdentityProviders such as GitHub OAuth2 or any identity provider that supports OpenID Connect or SAML 2.0 (read more about IdentityProviders here).
Here is an example of a HUMAN User:
1kind: User2metadata:3name: alice4spec:5type: HUMAN
WORKLOADwhich are used by non-human entities such as containers, servers, programmable environments, etc.... By default,WORKLOADUsers have 2 options to authenticate themselves to the Cluster:- Authentication token Credentials
- OpenID Connect-based assertion by an external identity provider (reade more here).
Here is an example of a WORKLOAD User:
1kind: User2metadata:3name: k8s-14spec:5type: WORKLOAD
Groups
A User may belong to one or more Groups (read more about Groups here). Here is an example:
1kind: User2metadata:3name: usr-14spec:5type: WORKLOAD6groups: ["group-1", "group-2"]
Authentication
A User can have one or more identities that can be used to authenticate the User by an identity provider IdentityProvider (read more about IdentityProviders here) such as OpenID Connect, SAML 2.0, GitHub OAuth 2 for HUMAN Users as well as OpenID Connect assertions for WORKLOAD Users.
Here is an example of a User that has multiple identities that can be used for authentication:
1kind: User2metadata:3name: usr-14spec:5type: HUMAN6authentication:7identities:8- identityProvider: github9identifier: linus10- identityProvider: okta-oidc1112- identityProvider: saml-idp113
The identityProvider field of the identity is the IdentityProvider name. The identifier is the value that is to be verified against when obtaining the User information from the identity provider during the authentication flow. Such information could be the OIDC identity token in the case of an OpenID Connect IdentityProvider or a SAML assertion in the case of SAML 2.0 IdentityProviders. It's important to note that the identifier's default value depends on the IdentityProvider type:
- For GitHub OAuth2-based IdentityProviders, the identifier is the username (read more here).
- For OpenID Connect IdentityProviders, the identifier by default is the value of the
emailclaim in the identity token (read more here). - For SAML 2.0 IdentityProviders, the identifier by default is the value of the
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressattribute. The Cluster administrators can override the default identifier claim in the case of OIDC or identifier attribute in the case SAML 2.0 (read more here).
As seen above, a User can have one or more explicit identities, each identity has an identifier whose value authenticates the User during the authentication flow of a certain IdentityProvider. However, for HUMAN Users, it's generally more practical to just use the email address as the main identifier against most OpenID Connect and SAML 2.0-based IdentityProviders. Here is an example of setting the email for a HUMAN User:
Note that if Octelium will always attempt to first find an explicit identity to authenticate a User. If it doesn't find a match or if the identities list is empty then it will use the email as the fallback identifier.
In order to prevent Users from abusing this feature to authenticate themselves using an IdentityProvider that requires a less strict authentication (e.g. one IdentityProvider might only require a password while the other requires additional MFA such as WebAuthn or TOTP), the IdentityProvider can explicitly prevent using the User email as an identifier (read more here).
Privileged Users
Octelium intentionally has no notion whatsoever of an "admin" or "superuser" User by default. All access to any Service including to the Cluster API Servers (not that the API Servers are deployed as typical Octelium Services) has to be explicitly allowed by a Policy (read more about access control here). It should be noted that Octelium's API Server itself is exposed to Users as an ordinary gRPC Service.
Session
Users can interact with the Cluster and access its Services as long as their Sessions are valid. You can set a per-User Session duration value, after which the Session is deemed expired and is automatically deleted by the Cluster (namely by Nocturne). This per-User Session options override the Cluster-wide values set in the ClusterConfig (read more here). Here is an example:
1kind: User2metadata:3name: usr-14spec:5type: HUMAN6session:7clientDuration:8days: 19clientlessDuration:10hours: 1011maxPerUser: 10012accessTokenDuration:13hours: 414refreshTokenDuration:15days: 1
Disabling Users
You can disable/deactivate a User and immediately disable the User ability from interacting with the Cluster or accessing its Services. Here is an example:
1kind: User2metadata:3name: usr-14spec:5type: HUMAN6isDisabled: true
To re-activate the User, you simply set the isDisabled field back to false.
Policies
Policies (read more about Policies and access control here) can be created and/or attached to User where they can act as principal-based policies for a specific User. Here is an example:
1kind: User2metadata:3name: john4spec:5type: HUMAN6authorization:7policies: ["policy-1", "policy-2"]8inlinePolicies:9- spec:10rules:11- effect: DENY12condition:13match: 'ctx.service.metadata.namespace == "production"'
Attributes
You can extend a User resource by feeding it additional information including dynamically from external sources (e.g. IAM platforms, SIEM tools, threat intelligence tools, incident alerting and on-call management tools, etc...) via the APIs (read more here). Such additional information can be especially useful for extending access control and making it as fine-grained and dynamic as you wish (read more here). Here is an example:
1kind: User2metadata:3name: john4spec:5type: HUMAN67attrs:8pagerDuty:9onCall: true10azureAD:11isAdmin: true12isFriend: true13age: 2714anotherTool:15key1: val116key2: 10017key3: true18key4:19subKey1: subVal1
The attrs field is also available for Groups, Services and Namespaces.