APPUiO Control API: User

This resource implements the "Personal Settings per User" feature.

Object

CRD based
apiVersion: appuio.io/v1
kind: User
metadata:
  name: kate.demo (1)
spec:
  preferences:
    defaultOrganizationRef: acme-corp
status: (2)
  id: bec0d928-2ae2-4cec-94a0-5f72f12b8b39
  displayName: Kate Demo
  username: kate.demo
  email: kate@demo.com
  defaultOrganizationRef: acme-corp
1 Username in Keycloak
2 Reflects the actual configuration from the adapter and exposes read-only fields

Access control

As this is a cluster-scoped resource, access control has to be defined in the cluster scope. For each User object, a ClusterRole and a ClusterRoleBinding are generated in the background, which grant edit rights to the subject (owner) associated with the User.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kate.demo-owner
rules:
  - apiGroups: ["appuio.io"]
    resources: ["users"]
    resourceNames: ["kate.demo"]
    verbs: ["get", "update", "patch"] (1)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kate.demo-owner
subjects:
  - kind: User
    name: appuio#kate.demo (2)
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kate.demo-owner
  apiGroup: rbac.authorization.k8s.io
1 A user can’t delete themselves in the current iteration of the API.
2 This depends on the API server configuration: oidc-username-claim=preferred_username and oidc-username-prefix=appuio#

By default, only the subject that owns the User object gets edit rights.
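As an added example (not code from the APPUiO control-api project), the following Go program generates the owner ClusterRole and ClusterRoleBinding for a User name and then evaluates requests against them the way the API server's RBAC authorizer would, so the effect of the per-user resourceNames scope, the missing delete verb and the oidc-username-prefix can be checked. The RBAC structs are minimal stand-ins rather than the k8s.io/api types, and the usernamePrefix parameter is assumed to equal the API server's oidc-username-prefix.

```go
package main

// Minimal stand-ins for the rbac.authorization.k8s.io/v1 types shown on this page.
type PolicyRule struct{ APIGroups, Resources, ResourceNames, Verbs []string }
type ClusterRole struct { Name string; Rules []PolicyRule }
type ClusterRoleBinding struct{ Name, SubjectName, RoleName string }

// OwnerRBAC builds the "<user>-owner" ClusterRole/ClusterRoleBinding pair described above.
// usernamePrefix mirrors the API server's oidc-username-prefix ("appuio#" on this page).
func OwnerRBAC(userName, usernamePrefix string) (ClusterRole, ClusterRoleBinding) {
	role := ClusterRole{Name: userName + "-owner", Rules: []PolicyRule{{
		APIGroups:     []string{"appuio.io"},
		Resources:     []string{"users"},
		ResourceNames: []string{userName},                 // scoped to this one User object
		Verbs:         []string{"get", "update", "patch"}, // no "delete": users can't delete themselves
	}}}
	return role, ClusterRoleBinding{Name: role.Name, SubjectName: usernamePrefix + userName, RoleName: role.Name}
}

// match applies RBAC rule semantics: "*" is a wildcard, and an empty resourceNames list matches every name.
func match(list []string, s string, emptyMeansAny bool) bool {
	if emptyMeansAny && len(list) == 0 {
		return true
	}
	for _, v := range list {
		if v == s || v == "*" {
			return true
		}
	}
	return false
}

// Allowed reports whether subject may perform verb on appuio.io/users/<name> under the given roles and bindings.
func Allowed(roles []ClusterRole, bindings []ClusterRoleBinding, subject, verb, name string) bool {
	for _, b := range bindings {
		for _, r := range roles {
			if b.SubjectName != subject || r.Name != b.RoleName {
				continue
			}
			for _, rule := range r.Rules {
				if match(rule.APIGroups, "appuio.io", false) && match(rule.Resources, "users", false) &&
					match(rule.ResourceNames, name, true) && match(rule.Verbs, verb, false) {
					return true
				}
			}
		}
	}
	return false
}
```

Note that a subject named plain "kate.demo" (as it would appear if the prefix were not configured) does not match the binding, which is why the generated RBAC depends on the API server settings in callout 2.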