Octelium scopes are very similar to OAuth2 scopes. They act as a simple self-imposed authorization mechanism that can be used to further limit the scope of permissions that are already granted by the Cluster via its Policies (read more here). It is extremely important to understand that scopes are not really a zero-trust access control mechanism, as they are enforced by the Users themselves during the authentication process rather than by the Cluster's Policies. That said, they can actually help shrink the attack surface and prevent unauthorized access in case of a Session access token compromise. For example, you might want the octelium client to access only one or a few Services already authorized by the Cluster's Policies for a specific Session.
Scopes are entirely optional. Users are not required to use them and the Cluster administrators must never consider scopes to be an access control mechanism that complements the purpose of Policies.
You can choose to apply one or more scopes. Every scope is simply a string that represents a resource permission. Once your scopes are set for a Session during the authentication process, your Session cannot access anything outside the permissions granted by its scopes even if allowed by the Cluster Policies. There are currently 2 types of scopes:
- Services: Service scopes add individual Services or Namespaces of Services. An individual Service has the scope `service:<SERVICE>.<NAMESPACE>`, or directly `service:<SERVICE>` if it belongs to the `default` Namespace.
```bash
export OCTELIUM_DOMAIN=example.com
octelium login --scope="service:svc1"
```
An entire Namespace of Services has the scope `service:<NAMESPACE>/*`. Here is an example of adding the Namespace `ns1`:
```bash
export OCTELIUM_DOMAIN=example.com
octelium login --scope="service:ns1/*"
```
- The Cluster APIs: You can also restrict access to certain APIs. For example, you might want to access only the Core API:
```bash
export OCTELIUM_DOMAIN=example.com
octelium login --scope="api:core"
```
You can also choose certain methods in a certain API. For example, you might only want to use the `CreateUser` method in the Core API:
```bash
export OCTELIUM_DOMAIN=example.com
octelium login --scope="api:core.MainService/CreateUser"
```
Finally, you can also have multiple scopes by using the `--scope` flag multiple times. Here is an example:
```bash
export OCTELIUM_DOMAIN=example.com
octelium login --scope="api:core.MainService/ListService" --scope="service:nginx" --scope="production/*"
```
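To make the narrowing behaviour of the scope grammar above concrete, here is an added illustration (not Octelium's own code) that evaluates a Session's scopes against a requested Service or API method. It assumes the Namespace scope is written in the documented `service:<NAMESPACE>/*` form and that Service names contain no dots.

```go
package main

import (
	"fmt"
	"strings"
)

// Illustrative matcher for the scope grammar documented above (an added example,
// not Octelium's own code). Handles service:<SERVICE>.<NAMESPACE>, service:<SERVICE>
// (default Namespace), service:<NAMESPACE>/*, api:<API> and api:<API>.<Service>/<Method>.
// Scopes only narrow what Cluster Policies grant; an empty list means no narrowing.

// ServiceAllowed reports whether a Session holding scopes may reach Service svc in Namespace ns.
func ServiceAllowed(scopes []string, svc, ns string) bool {
	for _, s := range scopes {
		body, isSvc := strings.TrimPrefix(s, "service:"), strings.HasPrefix(s, "service:")
		if isSvc && strings.HasSuffix(body, "/*") { // whole-Namespace scope
			if strings.TrimSuffix(body, "/*") == ns {
				return true
			}
		} else if isSvc {
			name, scopeNs, hasNs := strings.Cut(body, ".")
			if !hasNs {
				scopeNs = "default" // service:<SERVICE> implies the default Namespace
			}
			if name == svc && scopeNs == ns {
				return true
			}
		}
	}
	return len(scopes) == 0 // no scopes set: nothing is withheld beyond Policies
}

// APIAllowed reports whether scopes permit method (e.g. "MainService/CreateUser") on api (e.g. "core").
func APIAllowed(scopes []string, api, method string) bool {
	for _, s := range scopes {
		scopeAPI, scopeMethod, _ := strings.Cut(strings.TrimPrefix(s, "api:"), ".")
		if strings.HasPrefix(s, "api:") && scopeAPI == api && (scopeMethod == "" || scopeMethod == method) {
			return true
		}
	}
	return len(scopes) == 0
}

func main() {
	// Constructed scope set modelled on the multi-scope login example above.
	scopes := []string{"api:core.MainService/ListService", "service:nginx", "service:production/*"}
	fmt.Println(ServiceAllowed(scopes, "nginx", "default"), ServiceAllowed(scopes, "nginx", "staging")) // true false
	fmt.Println(APIAllowed(scopes, "core", "MainService/CreateUser"))                                 // false
}
```

Note that a "true" result here only means the scopes do not withhold the resource; the Cluster's Policies still have to grant it.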