We can support HTTP basic authentication with minimal permission-based rule enforcement, with users and their permissions read from a file by the Optimus server. The file could be stored locally, in a Kubernetes ConfigMap, in GCS, etc., for the server to fetch at startup.
```json
[
  {
    "username": "foo",
    "password": "bar",
    "perms": ["*"]
  },
  {
    "username": "optimus",
    "password": "$2a$10$fKRHxrEuyDTP6tXIiDycr.nyC8Q7UMIfc31YMyXHDLgRDyhLK3VFS",
    "perms": ["deploy:t-data", "deploy:g-data"]
  },
  {
    "username": "prime",
    "password": "pass",
    "perms": ["deploy:*", "register:project", "register:secret"]
  }
]
```
Passwords can be stored either in cleartext or as bcrypt hashes (bcrypt is a password hash, not encryption; the server can tell the two apart by the `$2a$` prefix of a bcrypt string). Cleartext entries should be limited to local development, since anyone who can read the file then holds working credentials. Each permission is written as `action:entity`, and `*` is a wildcard that matches everything, either as the whole permission or in the entity position (for example `deploy:*` allows deploying to any entity). To avoid requiring authentication from internal clients (the Airflow docker images), we can split the Optimus API into two parts, public and internal, served on different ports, with only the public port exposed to external users. Because the internal port carries no authentication, it must be reachable only from inside the cluster (not routed through the ingress, and ideally restricted by network policy); otherwise it becomes a bypass of the checks on the public port.
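As an added example (not code from the Optimus project), the following Go program loads the permissions file above, authenticates a user against either a cleartext or a bcrypt entry, and evaluates `action:entity` permissions with the wildcard rules just described. It is standard-library only: the bcrypt check is delegated to a `BcryptVerifier` function variable whose signature matches `bcrypt.CompareHashAndPassword` from `golang.org/x/crypto/bcrypt` (an assumed wiring choice, left nil here so that a bcrypt user fails closed rather than being accepted). Duplicate usernames, malformed permissions, and wildcards or colons in the requested action/entity are rejected, which the prose above leaves implicit.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// user mirrors one entry of the permissions file described above.
type user struct {
	Username string   `json:"username"`
	Password string   `json:"password"`
	Perms    []string `json:"perms"`
}

// BcryptVerifier has the signature of bcrypt.CompareHashAndPassword from
// golang.org/x/crypto/bcrypt. Assumption: the server wires that function in;
// it stays nil here so the example is standard-library only and fails closed.
var BcryptVerifier func(hashedPassword, password []byte) error

type authStore struct {
	users map[string]user
}

// LoadUsers parses the JSON file. Duplicate usernames are rejected so a later
// entry cannot silently widen an earlier one's permissions.
func LoadUsers(data []byte) (*authStore, error) {
	var entries []user
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, err
	}
	store := &authStore{users: make(map[string]user, len(entries))}
	for _, u := range entries {
		if u.Username == "" || u.Password == "" {
			return nil, fmt.Errorf("entry %q is missing username or password", u.Username)
		}
		if _, dup := store.users[u.Username]; dup {
			return nil, fmt.Errorf("duplicate username %q", u.Username)
		}
		for _, p := range u.Perms {
			if p != "*" && strings.Count(p, ":") != 1 {
				return nil, fmt.Errorf("user %q: permission %q is not action:entity or *", u.Username, p)
			}
		}
		store.users[u.Username] = u
	}
	return store, nil
}

var errBadCredentials = errors.New("invalid username or password")

func isBcryptHash(s string) bool {
	return strings.HasPrefix(s, "$2a$") || strings.HasPrefix(s, "$2b$") || strings.HasPrefix(s, "$2y$")
}

// Authenticate checks the password against a bcrypt hash or a cleartext value.
// Cleartext comparison is constant-time so a wrong password is not leaked byte by byte.
func (s *authStore) Authenticate(username, password string) error {
	u, ok := s.users[username]
	if !ok {
		return errBadCredentials
	}
	if isBcryptHash(u.Password) {
		if BcryptVerifier == nil {
			return errors.New("bcrypt verifier not configured; refusing to authenticate")
		}
		if BcryptVerifier([]byte(u.Password), []byte(password)) != nil {
			return errBadCredentials
		}
		return nil
	}
	if subtle.ConstantTimeCompare([]byte(u.Password), []byte(password)) != 1 {
		return errBadCredentials
	}
	return nil
}

// Allowed reports whether username may perform action on entity. "*" grants
// everything and "action:*" grants that action on any entity; wildcards are only
// honoured in the stored permission, never in the request.
func (s *authStore) Allowed(username, action, entity string) bool {
	u, ok := s.users[username]
	if !ok || action == "" || entity == "" || strings.ContainsAny(action+entity, "*:") {
		return false
	}
	for _, p := range u.Perms {
		if p == "*" {
			return true
		}
		pa, pe, _ := strings.Cut(p, ":")
		if (pa == "*" || pa == action) && (pe == "*" || pe == entity) {
			return true
		}
	}
	return false
}

// sampleFile embeds the permissions file from this design note for a stand-alone run.
const sampleFile = `[
  {"username": "foo", "password": "bar", "perms": ["*"]},
  {"username": "optimus", "password": "$2a$10$fKRHxrEuyDTP6tXIiDycr.nyC8Q7UMIfc31YMyXHDLgRDyhLK3VFS", "perms": ["deploy:t-data", "deploy:g-data"]},
  {"username": "prime", "password": "pass", "perms": ["deploy:*", "register:project", "register:secret"]}
]`

func main() {
	store, err := LoadUsers([]byte(sampleFile))
	if err != nil {
		panic(err)
	}
	fmt.Println("prime login:", store.Authenticate("prime", "pass"))
	fmt.Println("prime deploy:t-data:", store.Allowed("prime", "deploy", "t-data"))
	fmt.Println("optimus register:project:", store.Allowed("optimus", "register", "project"))
	fmt.Println("optimus login without verifier:", store.Authenticate("optimus", "anything"))
}
```

In a real deployment the file would be reloaded when the ConfigMap or GCS object changes, and `BcryptVerifier` would be set to `bcrypt.CompareHashAndPassword`; until it is, users with hashed passwords cannot log in at all, which is the safer failure mode.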