Octelium scopes are very similar to OAuth2 scopes. They act as a simple, self-enforced authorization mechanism that can further limit the permissions already granted by the Cluster via its Policies. It is extremely important to understand that scopes are not a zero-trust access control mechanism: they are enforced by the Users themselves during the authentication process rather than by the Cluster's Policies. That said, they can still shrink the attack surface and limit the damage if a Session's access tokens are compromised. For example, you might want the `octelium` client to access only one or a few of the Services that the Cluster's Policies already authorize for a specific Session.
Scopes are totally optional. Users are not required to use them, and Cluster administrators must never treat scopes as an access control mechanism that complements the purpose of Policies.
You can choose to apply one or more scopes. Every scope is simply a string that represents a resource permission. Once scopes are set on a Session during the authentication process, that Session cannot access anything outside the permissions granted by its scopes, even if the Cluster Policies would allow it. There are currently two types of scopes:
- **Services.** Service scopes add individual Services or an entire Namespace of Services. An individual Service has the scope `service:<SERVICE>.<NAMESPACE>`, or simply `service:<SERVICE>` if it belongs to the `default` Namespace:

  ```bash
  export OCTELIUM_DOMAIN=example.com
  octelium login --scope="service:svc1"
  ```
  An entire Namespace of Services has the scope `service:<NAMESPACE>/*`. Here is an example of adding the Namespace `ns1`:

  ```bash
  export OCTELIUM_DOMAIN=example.com
  octelium login --scope="service:ns1/*"
  ```
- **The Cluster APIs.** You can also restrict access to certain APIs. For example, you might want to access only the Core API:

  ```bash
  export OCTELIUM_DOMAIN=example.com
  octelium login --scope="api:core"
  ```
  You can also choose certain methods of a certain API. For example, you might only want to use the `CreateUser` method of the Core API:

  ```bash
  export OCTELIUM_DOMAIN=example.com
  octelium login --scope="api:core.MainService/CreateUser"
  ```
Finally, you can also set multiple scopes by using the `--scope` flag multiple times. Here is an example:

```bash
export OCTELIUM_DOMAIN=example.com
octelium login --scope="api:core.MainService/ListService" --scope="service:nginx" --scope="production/*"
```
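As an added example that is not Octelium's own code, here is how a client could evaluate the scope forms above against a requested Service or API method, mirroring the self-enforced check described on this page. It assumes the `default` Namespace for the bare `service:<SERVICE>` form and treats an empty scope list as "no scope restriction"; the function names and the `grpcService` parameter are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Octelium's code: a client-side check of the scope forms
// on this page. Namespace "default" is assumed for the bare service:<SERVICE>
// form, and an empty scope list means no scope restriction was applied.
func serviceAllowed(scopes []string, svc, ns string) bool {
	if len(scopes) == 0 {
		return true
	}
	for _, s := range scopes {
		rest, ok := strings.CutPrefix(s, "service:")
		if !ok {
			continue // api: scopes never grant Service access
		}
		if nsGlob, isNS := strings.CutSuffix(rest, "/*"); isNS { // service:<NAMESPACE>/*
			if nsGlob == ns {
				return true
			}
			continue
		}
		name, scopeNS, _ := strings.Cut(rest, ".") // service:<SERVICE>[.<NAMESPACE>]
		if name == svc && (scopeNS == ns || scopeNS == "" && ns == "default") {
			return true
		}
	}
	return false
}

// apiAllowed accepts api:<API> (whole API) or api:<API>.<Service>/<Method>.
func apiAllowed(scopes []string, api, grpcService, method string) bool {
	if len(scopes) == 0 {
		return true
	}
	for _, s := range scopes {
		rest, ok := strings.CutPrefix(s, "api:")
		if ok && (rest == api || rest == api+"."+grpcService+"/"+method) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(serviceAllowed([]string{"service:ns1/*"}, "svc1", "ns1")) // true
}
```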